Symptoms
The following may indicate an infection with this malware:
- presence of the file %Temp%\svchost.exe
- presence of a registry Run entry used to start the malware at Windows startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServicesStartup = %Temp%\svchost.exe 1
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel RADU, virus researcher
Technical Description:
Win32.Worm.P2P.Puce.B is a virus that spreads by injecting itself into RAR and ZIP archives found in predefined folders on the computer.
When first executed, it copies itself to %Temp%\svchost.exe and adds a Run entry to the registry so that it starts automatically with Windows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServicesStartup = %Temp%\svchost.exe 1
It then searches for RAR and ZIP archives in the following predefined folders on the local C:, D: and E: drives:
- \Program files\emule\incoming
- \Download
- \Incoming
- \Archivos de programa\emule\incoming
- \Program Files\Kazaa Lite K++\My Shared Folder
- \Program files\KMD\My Shared Folder
- \Program files\KaZaA Lite\My Shared Folder
- \Program files\Morpheus\My Shared Folder
- \Program files\BearShare\Shared
- \Program files\Edonkey2000\Incoming
- \My Downloads
- \My Shared Folder
- \Program files\appleJuice\incoming
- \Program files\Gnucleus\Downloads
- \Program files\Grokster\My Grokster
- \Program files\ICQ\shared files
- \Program files\KaZaA\My Shared Folder
- \Program files\LimeWire\Shared
- \Program files\Overnet\incoming
- \Program files\Shareaza\Downloads
- \Program files\Swaptor\Download
- \Program files\WinMX\My Shared Folder
- \Program files\Tesla\Files
- \Program files\XoloX\Downloads
- \Program files\Rapigator\Share
- \T
Win32.Worm.P2P.Puce.B injects a copy of itself into each archive it finds, under one of these names:
- Setup.exe
- Install.exe
- _Run_Me_First.exe
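As an added example (not BitDefender's code), the following Python script hunts for the injection described above: it walks a subset of the listed shared folders on the C:, D: and E: drives and reports ZIP archives containing a member named Setup.exe, Install.exe or _Run_Me_First.exe. The sample archive is constructed in memory, the folder subset and drive list are assumptions, and RAR archives are not inspected because the standard library has no RAR reader.

```python
import io
import os
import zipfile

# Names the worm uses for the copy it injects into archives (from the description).
INJECTED_NAMES = {"setup.exe", "install.exe", "_run_me_first.exe"}

# A subset of the predefined folders; the full list is in the description above.
SHARED_FOLDERS = [r"\Download", r"\Incoming", r"\My Shared Folder", r"\Program files\emule\incoming"]

def suspicious_entries(zip_data: bytes) -> list[str]:
    # Members whose base name matches an injection name, ignoring case and directory prefix.
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_data)) as zf:
        for info in zf.infolist():
            base = os.path.basename(info.filename.replace("\\", "/")).lower()
            if base in INJECTED_NAMES:
                hits.append(info.filename)
    return hits

def scan_shared_folders(drives=("C:", "D:", "E:")) -> dict[str, list[str]]:
    # Walk the worm's target folders on each drive and map ZIP path -> hits.
    # RAR archives are skipped here because the standard library has no RAR reader.
    findings = {}
    for drive in drives:
        for folder in SHARED_FOLDERS:
            root = drive + folder
            if not os.path.isdir(root):
                continue
            for dirpath, _, files in os.walk(root):
                for name in files:
                    if not name.lower().endswith(".zip"):
                        continue
                    path = os.path.join(dirpath, name)
                    try:
                        with open(path, "rb") as fh:
                            hits = suspicious_entries(fh.read())
                    except (OSError, zipfile.BadZipFile):
                        continue  # unreadable, or not actually a ZIP
                    if hits:
                        findings[path] = hits
    return findings

def make_sample_archive() -> bytes:
    # Constructed sample: one clean file plus an injected "Setup.exe" in a subfolder.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "legitimate content")
        zf.writestr("tools/Setup.exe", b"MZ placeholder, not a real binary")
    return buf.getvalue()
```

A hit on one of these names is only an indicator: confirm by checking for the %Temp%\svchost.exe file and the Run entry listed under Symptoms before treating the archive as infected.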