Win32.Worm.P2P.Puce.G

Spreading: very low
Damage: very low
Size:
Discovered: 1970 Jan 01

SYMPTOMS:

The sudden appearance of a notepad application opening a text file with the following content:

PRE-INSTALL v1.07
(C) pUcE Software 2006
Pre-install has checked your config.
Everything is ok, you can now run the setup program
Enjoy!   


TECHNICAL DESCRIPTION:

       This is a Peer-to-Peer (P2P) Worm that has multiple spreading mechanisms including popular file sharing applications such as Kazaa, Morpheus, Edonkey2000 or emule.

       When first executed the virus takes the following actions:
- copies itself in
C:\Documents and Settings\<user-name>\Local Settings\Temp as svchost.exe 
- sets the registry key
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsServicesStartup = C:\\DOCUME~1\\LOCALS~1\\Temp\\svchost.exe".
- executes the created file with "1" string as a command-line parameter

       Disguised as svchost.exe the malware starts the spreading process across local disks and local area network shares.

    Creates a text file  and opens it using a ShellExecute API with the "open" command. The text file's content is :

PRE-INSTALL v1.07
(C) pUcE Software 2006
Pre-install has checked your config.
Everything is ok, you can now run the setup program
Enjoy!

In order to allow only one instance of it to run at a time, it creates a mutex named TINYpUcE
It spreads through the shared folders of the multiple P2P applications that may be one of the following::

D:\Program files\emule\incoming
C:\Program files\emule\incoming
E:\Program files\emule\incoming
C:\Download
D:\Download
E:\Download
C:\Incoming
D:\Incoming
E:\Incoming
F:\Incoming
G:\Incoming
C:\Archivos de programa\emule\incoming
D:\Archivos de programa\emule\incoming
E:\Archivos de programa\emule\incoming
C:\Program Files\Kazaa Lite K++\My Shared Folder
D:\Program Files\Kazaa Lite K++\My Shared Folder
E:\Program Files\Kazaa Lite K++\My Shared Folder
C:\Program files\KMD\My Shared Folder
D:\Program files\KMD\My Shared Folder
E:\Program files\KMD\My Shared Folder
C:\Program files\KaZaA Lite\My Shared Folder
D:\Program files\KaZaA Lite\My Shared Folder
E:\Program files\KaZaA Lite\My Shared Folder
C:\Program files\Morpheus\My Shared Folder
D:\Program files\Morpheus\My Shared Folder
E:\Program files\Morpheus\My Shared Folder
C:\Program files\BearShare\Shared
D:\Program files\BearShare\Shared
E:\Program files\BearShare\Shared
C:\Program files\Edonkey2000\Incoming
D:\Program files\Edonkey2000\Incoming
E:\Program files\Edonkey2000\Incoming
C:\My Downloads
D:\My Downloads
E:\My Downloads
C:\My Shared Folder
D:\My Shared Folder
E:\My Shared Folder
C:\Program files\appleJuice\incoming
D:\Program files\appleJuice\incoming
E:\Program files\appleJuice\incoming
C:\Program files\Gnucleus\Downloads
D:\Program files\Gnucleus\Downloads
E:\Program files\Gnucleus\Downloads
C:\Program files\Grokster\My Grokster
D:\Program files\Grokster\My Grokster
E:\Program files\Grokster\My Grokster
C:\Program files\ICQ\shared files
D:\Program files\ICQ\shared files
E:\Program files\ICQ\shared files
C:\Program files\KaZaA\My Shared Folder
D:\Program files\KaZaA\My Shared Folder
E:\Program files\KaZaA\My Shared Folder
C:\Program files\LimeWire\Shared
D:\Program files\LimeWire\Shared
E:\Program files\LimeWire\Shared
C:\Program files\Overnet\incoming
D:\Program files\Overnet\incoming
E:\Program files\Overnet\incoming
C:\Program files\Shareaza\Downloads
D:\Program files\Shareaza\Downloads
E:\Program files\Shareaza\Downloads
C:\Program files\Swaptor\Download
D:\Program files\Swaptor\Download
E:\Program files\Swaptor\Download
C:\Program files\WinMX\My Shared Folder
D:\Program files\WinMX\My Shared Folder
E:\Program files\WinMX\My Shared Folder
C:\Program files\Tesla\Files
D:\Program files\Tesla\Files
E:\Program files\Tesla\Files
C:\Program files\XoloX\Downloads
D:\Program files\XoloX\Downloads
E:\Program files\XoloX\Downloads
C:\Program files\Rapigator\Share
D:\Program files\Rapigator\Share
E:\Program files\Rapigator\Share


It copies itself in every (*.zip) or (*.rar) archive found in these folders and may rename the archive as follows:

    %filename%.zip to %filename% updated-fixed mm-yyyy.zip 
    %filename%.rar to %filename% updated-fixed mm-yyyy.rar

where mm is the current month and
         yyyy is the current year

   The malware can be found in these archives as Setup.exe, Install.exe or _Run_Me_First.exe.
It uses an empty control file named _trash.tmp to mark the infected archives. If this file exists, it does nothing to that archive.
   Otherwise, for zip files, it checks the existence of Setup.exe. If found, it inserts itself under the name Install.exe only if such a file does not exist.
   If there is also an Install.exe file, the name chosen for itself is _Run_Me_First.exe.


   For (*.rar) files only the checking of _trash.tmp is performed, the worm being copyed under the name setup.exe

Removal instructions:

Please let BitDefender disinfect your computer.

ANALYZED BY:

Mihai Cimpoesu, Virus Researcher