Is NOD32 able to catch W32.P2load.A (Win32)

Hi all,

Don't know yet if Nod is able to handle W32.P2load.A (Win32), (maybe by its heuristics), just wondering if there is any news about this one:

Name: W32.P2load.A Innovation: 9

Aliases: Management: 35

Discovery: 19-09-2005 Logistics: 10

Type: Win32 Damage: 12

Affected systems: Windows 95
Windows 98
Windows 2000
Windows NT
Windows XP

Not affected systems: Linux
Apple
Scale: 17

Risk: Low


Summerize: Modifies the hosts file. File-sharing networks.

- Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Virus description

P2load.A is a worm that spreads through file-sharing networks, such as Kazaa, eMule, Shareaza, and iMesh.


Recognition

When W32.P2load.A is executed, it performs the following actions:

1. Copies itself as %System%\winlogin.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Copies itself (using the same filename of the original worm file) to various file-sharing software folders by querying the following registry values:

HKEY_CURRENT_USER\Software\eMule\"Install Path"
HKEY_CURRENT_USER\Software\Kazaa\LocalContent\"DownloadDir"
HKEY_CURRENT_USER\Software\iMesh\iMesh5\Transfer\"DownloadDir"
HKEY_CURRENT_USER\Software\Shareaza\Shareaza\Downloads\"CompletePath"

3. Adds the value:

"Winlogin" = "%System%\winlogin.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Creates a harmless URL file in the file-sharing software folders, using the same filename, but with the extension .url

5. Displays one of the following 2 message boxes, depending on the compromised computer's user local language identifier:

Title: Datei veraltet...
Message:
Fehler: Datei "vb2.dll" ist nicht mehr aktuell!
Um die Datei "vb2.dll" zu aktualisieren, bitte auf die Schaltfl
che "OK"
klicken, kostenlos anmelden und die aktuelle Datei "vb2.dll" downloaden!

Title: File become outdated...
Message:
Error: File "vb2.dll" is not current any longer!
In order to update the file "vb2.dll", press the button "OK" please
and announce (free) to download the current file "vb2.dll".

6. Attempts to open one of the following websites in a browser:

* hxxp://www.p2p-load.de/share/?l=e
* hxxp://www.p2p-load.de/share/?l=d

7. Adds one of the following values depending on the compromised computer's user local language identifier:

"Search Bar" = "http://www.p2p-load.de/share/?l=e"

Or:

"Search Bar" = "http://www.p2p-load.de/share/?l=d"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

to modify the Internet Explorer search bar.

8. Adds one of the following values depending on the compromised computer's user local language identifier:

"Start Page" = "http://www.p2p-load.de/share/?l=e"

Or:

"Start Page" = "http://www.p2p-load.de/share/?l=d"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

to modify the Internet Explorer home page.

9. Adds one of the following values depending on the compromised computer's user local language identifier:

"Search Page" = "http://www.p2p-load.de/share/?l=e"

Or:

"Search Page" = "http://www.p2p-load.de/share/?l=d"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

to modify the Internet Explorer search page.

10. Creates the following harmless URL file:

%UserProfile%\Favorites\Musik, Filme, Software und vieles mehr kostenlos!.url

Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

11. Attempts to download the following files, and replace the hosts file with them:

* hxxp://www.dutty.de/stat.dat
* hxxp://www.meet2k.com/stat.dat
* hxxp://www.p2p-load.de/stat.dat

W32.P2load.A arrives in an e-mail message containing the following:





Symptoms of infection

Modified or placed files:

W32.P2load.A places or modifies the following files on your system:



Modified or placed registry-values:

W32.P2load.A places the following registry-values on your system:





Removing

Removing manually:

1. First try to remove the worm with the online scanner mentioned below.
2. Shut down the pc, wait 30 seconds and turn power on.
3. Start the pc in "Safe Mode" (By clicking F8 or CTRL while starting pc)
4. Click [start] and then [run]
5. type "cmd" [enter]
6. type "regedit" [enter]
7. You are now in the registry-editor.
Search for registry-keys wich are placed or modified by the worm, as mentioned above.
Delete or setup the default value for every individual key.
8. Exit the registry-editor
9. Re-boot your system
10. Check your system again with the online scanner mentioned below.
11a. Re-install your Antivirus-software if not working properly.
11b. Up-date your AV-software immediately when installed.

cheers to you all,
Martin

 

Without the relevant sample, it's impossible to tell.

 

By name, NOD finds it in the latest update: 1.1222

 

Oké gents, thanks for the replies, found it, must have overlooked it

cheers,
Martin