w32/reur.worm!p2p 10/20/03

Discussion in 'malware problems & news' started by bigc73542, Oct 21, 2003.

Thread Status:
Not open for further replies.
    Posted by bigc73542 (Retired Moderator; joined Sep 21, 2003; 23,934 posts; location: SW. Oklahoma)
    Virus Name: W32/Reur.worm!p2p
    Risk Assessment:
    Corporate User: Low
    Home User: Low
    http://www.helpdesk2go.com/special.html

    Virus Information
    Discovery Date: 10/20/2003
    Origin: Unknown
    Length: 435,744 bytes
    Type: Virus
    SubType: P2P Worm
    Minimum DAT: 4299
    DAT Release Date: 10/22/2003
    Minimum Engine: 4.1.60
    www.mcafee.com
    Description Added: 10/21/2003
    Description Modified: 10/21/2003 3:23 AM (PT)

    Virus Characteristics:

    This is a worm that spreads through eMule peer-to-peer network sharing software.

    Upon running this program, a fake error message is displayed.

    It subsequently makes multiple copies of itself into the C:\Program Files\eMule\Incoming directory. The following filenames may be used:

    * AOL Hacker 2004
    * Hotmail Hacker 2004
    * Portable Orange (FT) Keygen
    * Yahoo Mail Hacker 2004
    * WinZip All Version Keygen
    * WinRAR All Version Keymaker
    * Sexy ScreenSaver 2004
    * Free Hard Porn 2004
    * Wanadoo Hacking Tool 2004
    * Alcohol 120% 1.4.8.1009 CORE Keygen
    * Homeworld 2 DEViANCE Keygen


    Symptoms

    The worm copies itself using a random filename to the %SYSDIR% directory and hooks the registry at the following key to run itself at startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "19720B10" = C:\WINDOWS\SYSTEM\19720B10.exe

    Method Of Infection

    The user gets infected upon downloading any of the above files and executing it.

    Removal Instructions

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants: none listed.

    Aliases: W32.HLLW.Wanado (Symantec)

    www.nai.com
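Added example, not McAfee's description or the poster's own code: a small defender-side triage script that checks a host against the two indicators quoted above, the Run-key persistence entry (8-hex-character value name pointing at an .exe of the same name in the system directory) and lure-named files of the reported length in eMule's Incoming folder. The Run-key export and directory listing are constructed stand-ins, and the .exe extension on the sample lure file is an assumption, since the description gives none.

```python
# Triage helpers for the W32/Reur.worm!p2p indicators above (added example;
# not from McAfee or the forum post). All inputs below are constructed.
import ntpath
import re

# Indicators quoted in the description: lure titles and reported length.
LURE_NAMES = {
    "AOL Hacker 2004", "Hotmail Hacker 2004", "Portable Orange (FT) Keygen",
    "Yahoo Mail Hacker 2004", "WinZip All Version Keygen",
    "WinRAR All Version Keymaker", "Sexy ScreenSaver 2004",
    "Free Hard Porn 2004", "Wanadoo Hacking Tool 2004",
    "Alcohol 120% 1.4.8.1009 CORE Keygen", "Homeworld 2 DEViANCE Keygen",
}
REPORTED_LENGTH = 435_744
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")


def suspicious_run_entries(run_values, sysdir):
    """Flag Run values whose name is 8 hex chars and whose data is an .exe of
    the same name inside the system directory (the pattern quoted above)."""
    hits = []
    for name, data in run_values:
        folder, base = ntpath.split(data.strip('"'))
        stem, ext = ntpath.splitext(base)
        if (HEX_NAME.match(name) and stem.lower() == name.lower()
                and ext.lower() == ".exe" and folder.lower() == sysdir.lower()):
            hits.append((name, data))
    return hits


def suspicious_incoming_files(listing):
    """Flag files whose title matches a lure name and whose size equals the
    reported 435,744 bytes; the extension is ignored since the page gives none."""
    hits = []
    for path, size in listing:
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if stem in LURE_NAMES and size == REPORTED_LENGTH:
            hits.append(path)
    return hits


# Constructed sample inputs: a Run-key export and an Incoming-folder listing.
SAMPLE_RUN = [
    ("19720B10", "C:\\WINDOWS\\SYSTEM\\19720B10.exe"),
    ("ScanRegistry", "C:\\WINDOWS\\scanregw.exe /autorun"),
]
SAMPLE_INCOMING = [
    ("C:\\Program Files\\eMule\\Incoming\\AOL Hacker 2004.exe", 435_744),
    ("C:\\Program Files\\eMule\\Incoming\\holiday.jpg", 120_331),
]
```

On a live host the same two functions can be fed from an export of the Run key and from an os.scandir() walk of the Incoming directory; the ScanRegistry entry in the sample shows that a legitimate Run value is not flagged.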