w32/reur.worm!p2p 10/20/03

Discussion in 'malware problems & news' started by bigc73542, Oct 21, 2003.

bigc73542 (Retired Moderator) posted:
    Virus Name: W32/Reur.worm!p2p

    Risk Assessment
    Corporate User: Low
    Home User: Low
    http://www.helpdesk2go.com/special.html

    Virus Information
    Discovery Date: 10/20/2003
    Origin: Unknown
    Length: 435,744 bytes
    Type: Virus
    SubType: P2P Worm
    Minimum DAT: 4299
    Release Date:
    Minimum Engine: 4.1.60
    Source: www.mcafee.com
    Description Added: 10/21/2003
    Description Modified: 10/21/2003 3:23 AM (PT)

    Virus Characteristics:

    This is a worm that spreads through the eMule peer-to-peer file-sharing software.

    When the program is run, a fake error message is displayed.

    It then makes multiple copies of itself in the C:\Program Files\eMule\Incoming directory. The following filenames may be used:

    * AOL Hacker 2004
    * Hotmail Hacker 2004
    * Portable Orange (FT) Keygen
    * Yahoo Mail Hacker 2004
    * WinZip All Version Keygen
    * WinRAR All Version Keymaker
    * Sexy ScreenSaver 2004
    * Free Hard Porn 2004
    * Wanadoo Hacking Tool 2004
    * Alcohol 120% CORE Keygen
    * Homeworld 2 DEViANCE Keygen

    The worm copies itself under a random filename to the %SYSDIR% directory and hooks the following registry key to run itself at startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "19720B10" = C:\WINDOWS\SYSTEM\19720B10.exe

    Method Of Infection

    The user becomes infected by downloading any of the above files and executing it.

    Removal Instructions

    All Users:
    Use specified engine and DAT files for detection and removal.

    Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

    Additional Windows ME/XP removal considerations

    Variants / Aliases

    W32.HLLW.Wanado (Symantec)

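The description gives two host-side indicators: the lure filenames dropped into eMule\Incoming, and a Run-key value whose name matches the executable it launches from %SYSDIR%. The script below is an added example (not McAfee's or the poster's code) that turns those into a triage check. It runs against constructed sample data rather than a live registry or disk, and it assumes the random %SYSDIR% name looks like the one sample value in the description (eight hex digits); the description only says "random", so that pattern is a guess to be widened if it misses.

```python
import re

# Indicators taken from the description above.
LURE_NAMES = {
    "AOL Hacker 2004", "Hotmail Hacker 2004", "Portable Orange (FT) Keygen",
    "Yahoo Mail Hacker 2004", "WinZip All Version Keygen",
    "WinRAR All Version Keymaker", "Sexy ScreenSaver 2004",
    "Free Hard Porn 2004", "Wanadoo Hacking Tool 2004",
    "Alcohol 120% CORE Keygen", "Homeworld 2 DEViANCE Keygen",
}
WORM_SIZE = 435_744  # "Length: 435,744 bytes"

# System directories the worm's %SYSDIR% copy could land in (Win9x/ME and NT-family).
SYSDIRS = ("c:\\windows\\system\\", "c:\\windows\\system32\\", "c:\\winnt\\system32\\")

# Assumption: the random name looks like the sample "19720B10" (8 hex digits).
RANDOM_NAME = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)


def _command_path(cmd):
    """Return the executable path from a Run-key command, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_run_entries(run_values):
    """run_values: {value name: command} as read from HKLM\\...\\CurrentVersion\\Run.

    Flags entries where the value name is 8 hex digits and the command is an .exe
    in a system directory whose base name equals that value name, which is the
    shape of the sample entry "19720B10" = C:\\WINDOWS\\SYSTEM\\19720B10.exe.
    """
    hits = []
    for name, cmd in run_values.items():
        path = _command_path(cmd)
        low = path.lower()
        if not low.endswith(".exe") or not low.startswith(SYSDIRS):
            continue
        base = low.rsplit("\\", 1)[-1][:-4]
        if RANDOM_NAME.match(name) and base == name.lower():
            hits.append((name, path))
    return hits


def suspicious_incoming_files(listing):
    """listing: iterable of (filename, size) from the eMule Incoming directory.

    Returns (filename, size_matches) for every .exe whose stem is one of the lure
    names; size_matches tells whether the file is exactly the documented length.
    """
    hits = []
    for fname, size in listing:
        stem, dot, ext = fname.rpartition(".")
        if dot and ext.lower() == "exe" and stem in LURE_NAMES:
            hits.append((fname, size == WORM_SIZE))
    return hits


# Constructed sample data standing in for the live registry and directory listing.
SAMPLE_RUN = {
    "19720B10": r"C:\WINDOWS\SYSTEM\19720B10.exe",          # the documented entry
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",     # benign, has arguments
    "AVGCtrl": r'"C:\Program Files\AVG\avgcc.exe" /STARTUP', # benign, quoted path
}
SAMPLE_INCOMING = [
    ("Hotmail Hacker 2004.exe", 435_744),
    ("WinRAR All Version Keymaker.exe", 435_744),
    ("some_album.mp3", 5_000_000),
    ("AOL Hacker 2004.exe", 12_000),  # lure name, but not the documented size
]

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_RUN):
        print(f"Run key: {name} -> {path}")
    for fname, ok in suspicious_incoming_files(SAMPLE_INCOMING):
        print(f"Incoming: {fname} (size matches: {ok})")
```

A lure-name hit with a wrong size is still worth looking at: the name list is what the worm advertises on eMule, while the length is only what this one sample happened to be.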