Is NOD32 able to catch W32.P2load.A (Win32)

Discussion in 'NOD32 version 2 Forum' started by martindijk, Sep 19, 2005.

Thread Status:
Not open for further replies.
  1. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Hi all,

    Don't know yet if Nod is able to handle W32.P2load.A (Win32), (maybe by its heuristics), just wondering if there is any news about this one:

    Name: W32.P2load.A Innovation: 9

    Aliases: Management: 35

    Discovery: 19-09-2005 Logistics: 10

    Type: Win32 Damage: 12

    Affected systems: Windows 95
    Windows 98
    Windows 2000
    Windows NT
    Windows XP

    Not affected systems: Linux
    Apple
    Scale: 17

    Risk: Low


    Summary: Modifies the hosts file. File-sharing networks.

    - Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


    Virus description

    P2load.A is a worm that spreads through file-sharing networks, such as Kazaa, eMule, Shareaza, and iMesh.


    Recognition

    When W32.P2load.A is executed, it performs the following actions:

    1. Copies itself as %System%\winlogin.exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    2. Copies itself (using the same filename of the original worm file) to various file-sharing software folders by querying the following registry values:

    HKEY_CURRENT_USER\Software\eMule\"Install Path"
    HKEY_CURRENT_USER\Software\Kazaa\LocalContent\"DownloadDir"
    HKEY_CURRENT_USER\Software\iMesh\iMesh5\Transfer\"DownloadDir"
    HKEY_CURRENT_USER\Software\Shareaza\Shareaza\Downloads\"CompletePath"

    3. Adds the value:

    "Winlogin" = "%System%\winlogin.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

    4. Creates a harmless URL file in the file-sharing software folders, using the same filename, but with the extension .url

    5. Displays one of the following 2 message boxes, depending on the compromised computer's user local language identifier:

    Title: Datei veraltet...
    Message:
    Fehler: Datei "vb2.dll" ist nicht mehr aktuell!
    Um die Datei "vb2.dll" zu aktualisieren, bitte auf die Schaltfläche "OK"
    klicken, kostenlos anmelden und die aktuelle Datei "vb2.dll" downloaden!

    Title: File become outdated...
    Message:
    Error: File "vb2.dll" is not current any longer!
    In order to update the file "vb2.dll", press the button "OK" please
    and announce (free) to download the current file "vb2.dll".

    6. Attempts to open one of the following websites in a browser:

    * hxxp://www.p2p-load.de/share/?l=e
    * hxxp://www.p2p-load.de/share/?l=d

    7. Adds one of the following values depending on the compromised computer's user local language identifier:

    "Search Bar" = "http://www.p2p-load.de/share/?l=e"

    Or:

    "Search Bar" = "http://www.p2p-load.de/share/?l=d"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to modify the Internet Explorer search bar.

    8. Adds one of the following values depending on the compromised computer's user local language identifier:

    "Start Page" = "http://www.p2p-load.de/share/?l=e"

    Or:

    "Start Page" = "http://www.p2p-load.de/share/?l=d"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to modify the Internet Explorer home page.

    9. Adds one of the following values depending on the compromised computer's user local language identifier:

    "Search Page" = "http://www.p2p-load.de/share/?l=e"

    Or:

    "Search Page" = "http://www.p2p-load.de/share/?l=d"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to modify the Internet Explorer search page.

    10. Creates the following harmless URL file:

    %UserProfile%\Favorites\Musik, Filme, Software und vieles mehr kostenlos!.url

    Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

    11. Attempts to download the following files, and replace the hosts file with them:

    * hxxp://www.dutty.de/stat.dat
    * hxxp://www.meet2k.com/stat.dat
    * hxxp://www.p2p-load.de/stat.dat

    W32.P2load.A arrives in an e-mail message containing the following:





    Symptoms of infection

    Modified or placed files:

    W32.P2load.A places or modifies the following files on your system:



    Modified or placed registry-values:

    W32.P2load.A places the following registry-values on your system:





    Removing

    Removing manually:

    1. First try to remove the worm with the online scanner mentioned below.
    2. Shut down the pc, wait 30 seconds and turn power on.
    3. Start the pc in "Safe Mode" (By clicking F8 or CTRL while starting pc)
    4. Click [start] and then [run]
    5. type "cmd" [enter]
    6. type "regedit" [enter]
    7. You are now in the registry-editor.
    Search for registry-keys which are placed or modified by the worm, as mentioned above.
    Delete or set up the default value for every individual key.
    8. Exit the registry-editor
    9. Re-boot your system
    10. Check your system again with the online scanner mentioned below.
    11a. Re-install your Antivirus-software if not working properly.
    11b. Update your AV-software immediately when installed.

    cheers to you all,
    Martin
     
    Last edited by a moderator: Sep 19, 2005
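A read-only check for the indicators listed in the post above, added here as an example that is not from the thread or from ESET. It assumes an NT-family Windows where %System% is %SystemRoot%\System32 and where PowerShell is available (so not the Windows 9x systems the description also lists).

```powershell
# Added example, not from the thread: read-only check for the W32.P2load.A
# artefacts described above. Assumes NT-family Windows (%System% = %SystemRoot%\System32).
# Run from an elevated session; it only reports, it changes nothing.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: HKLM\...\Run value "Winlogin" -> %System%\winlogin.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Winlogin']) {
    $findings.Add("Run value 'Winlogin' = $($run.Winlogin)")
}

# 2. Dropped copy: winlogin.exe (with an 'i'; the legitimate Windows process is winlogon.exe)
$dropped = Join-Path $env:SystemRoot 'System32\winlogin.exe'
if (Test-Path -LiteralPath $dropped) { $findings.Add("File present: $dropped") }

# 3. IE hijack: Start Page / Search Page / Search Bar pointing at the worm's domain
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie) {
    foreach ($name in 'Start Page', 'Search Page', 'Search Bar') {
        $prop = $ie.PSObject.Properties[$name]
        if ($prop -and $prop.Value -match 'p2p-load\.de') {
            $findings.Add("IE '$name' = $($prop.Value)")
        }
    }
}

# 4. hosts file: the worm replaces it wholesale, so every active mapping other than
#    the localhost lines is listed (legitimate local customisations will show up too)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    Get-Content -LiteralPath $hostsPath |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' } |
        ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }
}

# 5. The .url lure dropped into Favorites
$lure = Join-Path $env:USERPROFILE 'Favorites\Musik, Filme, Software und vieles mehr kostenlos!.url'
if (Test-Path -LiteralPath $lure) { $findings.Add("File present: $lure") }

if ($findings.Count -eq 0) { 'No W32.P2load.A indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the worm overwrites the hosts file rather than appending to it, a hit in step 4 is best handled by restoring the file from a known-good copy rather than editing individual lines.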
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Without the relevant sample, it's impossible to tell.
     
  3. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    By name, NOD finds it in the latest update: 1.1222
     
  4. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Okay gents, thanks for the replies, found it, must have overlooked it :rolleyes:

    cheers,
    Martin
     