My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


106,496 bytes
(W32.Ecup , P2P-Worm.Win32.Kapucen.b, W32/Puce, Win32.Puce.D, Win32/Puce.d!Trojan, W32/Puce-H)


  The presence of a file named svchost.exe in the directory C:\\Documents and Settings\\Local Settings\\Temp and C:\\DOCUME~1\\LOCALS~1\\Temp\\svchost.exe 1 in the registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsServicesStartup.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

  The malware copies itself in
C:\\Documents and Settings\\<user>\\Local Settings\\Temp as svchost.exe and sets the (above mentioned) registry key
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsServicesStartup = "C:\\DOCUME~1\\LOCALS~1\\Temp\\svchost.exe 1".

  In order to allow only one instance of it to run at a time, it creates a mutex named TINYpUcE.

  It spreads through the shared folders of

ICQ, ... :

C:\\Program files\\emule\\incoming

D:\\Program files\\emule\\incoming

E:\\Program files\\emule\\incoming

C:\\Archivos de programa\\emule\\incoming

D:\\Archivos de programa\\emule\\incoming

E:\\Archivos de programa\\emule\\incoming

C:\\Program Files\\Kazaa Lite K++\\My Shared Folder

D:\\Program Files\\Kazaa Lite K++\\My Shared Folder Folder

E:\\Program Files\\Kazaa Lite K++\\My Shared Folder Folder

C:\\Program files\\KMD\\My Shared Folder

D:\\Program files\\KMD\\My Shared Folder

E:\\Program files\\KMD\\My Shared Folder

C:\\Program files\\KaZaA Lite\\My Shared Folder

D:\\Program files\\KaZaA Lite\\My Shared Folder
E:\\Program files\\KaZaA Lite\\My Shared Folder
C:\\Program files\\Morpheus\\My Shared Folder
D:\\Program files\\Morpheus\\My Shared Folder
E:\\Program files\\Morpheus\\My Shared Folder
C:\\Program files\\BearShare\\Shared
D:\\Program files\\BearShare\\Shared
E:\\Program files\\BearShare\\Shared
C:\\Program files\\Edonkey2000\\Incoming
D:\\Program files\\Edonkey2000\\Incoming
E:\\Program files\\Edonkey2000\\Incoming
C:\\Program files\\appleJuice\\incoming
D:\\Program files\\appleJuice\\incoming
E:\\Program files\\appleJuice\\incoming
C:\\Program files\\Gnucleus\\Downloads
D:\\Program files\\Gnucleus\\Downloads
E:\\Program files\\Gnucleus\\Downloads
C:\\Program files\\Grokster\\My Grokster
D:\\Program files\\Grokster\\My Grokster
E:\\Program files\\Grokster\\My Grokster
C:\\Program files\\ICQ\\shared files
D:\\Program files\\ICQ\\shared files
E:\\Program files\\ICQ\\shared files
C:\\Program files\\KaZaA\\My Shared Folder

D:\\Program files\\KaZaA\\My Shared Folder

E:\\Program files\\KaZaA\\My Shared Folder

C:\\Program files\\LimeWire\\Shared

D:\\Program files\\LimeWire\\Shared

E:\\Program files\\LimeWire\\Shared

C:\\Program files\\Overnet\\incoming

D:\\Program files\\Overnet\\incoming

E:\\Program files\\Overnet\\incoming

C:\\Program files\\Shareaza\\Downloads

D:\\Program files\\Shareaza\\Downloads

E:\\Program files\\Shareaza\\Downloads

C:\\Program files\\Swaptor\\Download

D:\\Program files\\Swaptor\\Download

E:\\Program files\\Swaptor\\Download

C:\\Program files\\WinMX\\My Shared Folder

D:\\Program files\\WinMX\\My Shared Folder

E:\\Program files\\WinMX\\My Shared Folder

C:\\Program files\\Tesla\\Files

D:\\Program files\\Tesla\\Files

E:\\Program files\\Tesla\\Files

C:\\Program files\\XoloX\\Downloads

D:\\Program files\\XoloX\\Downloads

E:\\Program files\\XoloX\\Downloads

C:\\Program files\\Rapigator\\Share

D:\\Program files\\Rapigator\\Share

E:\\Program files\\Rapigator\\Share

Other folders used for spreading are:


D:\\Download E:\\Download
C:\\Incoming D:\\Incoming E:\\Incoming F:\\Incoming G:\\Incoming
C:\\My Downloads

D:\\My Downloads

E:\\My Downloads

C:\\My Shared Folder

D:\\My Shared Folder

E:\\My Shared Folder


  It copies itself in every (*.zip) or (*.rar) archive found in these folders and may rename the archive as follows: to %filename% updated-fixed 
    %filename%.rar to %filename% updated-fixed mm-yyyy.rar

where mm is the current month and
         yyyy is the current year

   The malware can be found in these archives as Setup.exe, Install.exe or _Run_Me_First.exe.
It uses an empty control file named _trash.tmp to mark the infected archives. If this file exists, it does nothing to that archive.
   Otherwise, for zip files, it checks the existence of Setup.exe. If found, it inserts itself under the name Install.exe only if such a file does not exist.
  If there is also an Install.exe file, the name chosen for itself is _Run_Me_First.exe.

   For (*.rar) files only the checking of _trash.tmp is performed, the worm being copyed under the name setup.exe

   After infection, it creates a file named Log.txt and opens it with notepad, displaying the following text:

(C) pUcE Software 2006
Pre-install has checked your config.
Everything is ok, you can now run the setup program