SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.P2P.Puce.B

HIGH
LOW
106,496 bytes
(W32.Ecup , P2P-Worm.Win32.Kapucen.b, W32/Puce, Win32.Puce.D, Win32/Puce.d!Trojan, W32/Puce-H)

Symptoms

  The presence of a file named svchost.exe in the directory C:\\Documents and Settings\\Local Settings\\Temp and C:\\DOCUME~1\\LOCALS~1\\Temp\\svchost.exe 1 in the registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsServicesStartup.


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

  The malware copies itself in
C:\\Documents and Settings\\<user>\\Local Settings\\Temp as svchost.exe and sets the (above mentioned) registry key
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsServicesStartup = "C:\\DOCUME~1\\LOCALS~1\\Temp\\svchost.exe 1".

  In order to allow only one instance of it to run at a time, it creates a mutex named TINYpUcE.

  It spreads through the shared folders of

Kazza,
Morpheus,
BearShare,
Edonkey2000,
LimeWire,
appleJuice,
Gnucleus,
ICQ, ... :

C:\\Program files\\emule\\incoming

D:\\Program files\\emule\\incoming

E:\\Program files\\emule\\incoming

C:\\Archivos de programa\\emule\\incoming

D:\\Archivos de programa\\emule\\incoming

E:\\Archivos de programa\\emule\\incoming

C:\\Program Files\\Kazaa Lite K++\\My Shared Folder

D:\\Program Files\\Kazaa Lite K++\\My Shared Folder Folder

E:\\Program Files\\Kazaa Lite K++\\My Shared Folder Folder

C:\\Program files\\KMD\\My Shared Folder

D:\\Program files\\KMD\\My Shared Folder

E:\\Program files\\KMD\\My Shared Folder

C:\\Program files\\KaZaA Lite\\My Shared Folder

D:\\Program files\\KaZaA Lite\\My Shared Folder
E:\\Program files\\KaZaA Lite\\My Shared Folder
C:\\Program files\\Morpheus\\My Shared Folder
D:\\Program files\\Morpheus\\My Shared Folder
E:\\Program files\\Morpheus\\My Shared Folder
C:\\Program files\\BearShare\\Shared
D:\\Program files\\BearShare\\Shared
E:\\Program files\\BearShare\\Shared
C:\\Program files\\Edonkey2000\\Incoming
D:\\Program files\\Edonkey2000\\Incoming
E:\\Program files\\Edonkey2000\\Incoming
C:\\Program files\\appleJuice\\incoming
D:\\Program files\\appleJuice\\incoming
E:\\Program files\\appleJuice\\incoming
C:\\Program files\\Gnucleus\\Downloads
D:\\Program files\\Gnucleus\\Downloads
E:\\Program files\\Gnucleus\\Downloads
C:\\Program files\\Grokster\\My Grokster
D:\\Program files\\Grokster\\My Grokster
E:\\Program files\\Grokster\\My Grokster
C:\\Program files\\ICQ\\shared files
D:\\Program files\\ICQ\\shared files
E:\\Program files\\ICQ\\shared files
C:\\Program files\\KaZaA\\My Shared Folder

D:\\Program files\\KaZaA\\My Shared Folder

E:\\Program files\\KaZaA\\My Shared Folder

C:\\Program files\\LimeWire\\Shared

D:\\Program files\\LimeWire\\Shared

E:\\Program files\\LimeWire\\Shared

C:\\Program files\\Overnet\\incoming

D:\\Program files\\Overnet\\incoming

E:\\Program files\\Overnet\\incoming

C:\\Program files\\Shareaza\\Downloads

D:\\Program files\\Shareaza\\Downloads

E:\\Program files\\Shareaza\\Downloads

C:\\Program files\\Swaptor\\Download

D:\\Program files\\Swaptor\\Download

E:\\Program files\\Swaptor\\Download

C:\\Program files\\WinMX\\My Shared Folder

D:\\Program files\\WinMX\\My Shared Folder

E:\\Program files\\WinMX\\My Shared Folder

C:\\Program files\\Tesla\\Files

D:\\Program files\\Tesla\\Files

E:\\Program files\\Tesla\\Files

C:\\Program files\\XoloX\\Downloads

D:\\Program files\\XoloX\\Downloads

E:\\Program files\\XoloX\\Downloads

C:\\Program files\\Rapigator\\Share

D:\\Program files\\Rapigator\\Share

E:\\Program files\\Rapigator\\Share

Other folders used for spreading are:

C:\\Download

D:\\Download E:\\Download
C:\\Incoming D:\\Incoming E:\\Incoming F:\\Incoming G:\\Incoming
C:\\My Downloads

D:\\My Downloads

E:\\My Downloads

C:\\My Shared Folder

D:\\My Shared Folder

E:\\My Shared Folder

 

  It copies itself in every (*.zip) or (*.rar) archive found in these folders and may rename the archive as follows:

    %filename%.zip to %filename% updated-fixed mm-yyyy.zip 
    %filename%.rar to %filename% updated-fixed mm-yyyy.rar

where mm is the current month and
         yyyy is the current year

   The malware can be found in these archives as Setup.exe, Install.exe or _Run_Me_First.exe.
It uses an empty control file named _trash.tmp to mark the infected archives. If this file exists, it does nothing to that archive.
   Otherwise, for zip files, it checks the existence of Setup.exe. If found, it inserts itself under the name Install.exe only if such a file does not exist.
  If there is also an Install.exe file, the name chosen for itself is _Run_Me_First.exe.

   For (*.rar) files only the checking of _trash.tmp is performed, the worm being copyed under the name setup.exe

   After infection, it creates a file named Log.txt and opens it with notepad, displaying the following text:

PRE-INSTALL v1.07
(C) pUcE Software 2006
Pre-install has checked your config.
Everything is ok, you can now run the setup program
Enjoy!



Antivirus Software For Home Users
Business Security Solutions
Latest News
Tools & Resources