
Win32.Worm.P2P.Puce.B

Damage: MEDIUM
Spreading: LOW
Size: approx. 100 KB
Aliases: P2P-Worm.Win32.Kapucen.b, Worm:Win32/Puce.L, Win32.HLLW.Puce, W32.Ecup

Symptoms

The following may indicate an infection with this malware:
  • presence of the file %Temp%\svchost.exe (the legitimate svchost.exe lives in %SystemRoot%\System32; a copy in the temp directory is never legitimate)
  • presence of a registry value used to start the malware when Windows starts:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    WindowsServicesStartup = %Temp%\svchost.exe  1

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel RADU, virus researcher

Technical Description:

Win32.Worm.P2P.Puce.B is a worm that spreads by inserting a copy of itself into RAR and ZIP archives found in a predefined set of folders on the infected computer, most of them download or shared folders of peer-to-peer clients, so that other users who fetch those archives run the worm.

When first executed, it copies itself to %Temp%\svchost.exe and adds a registry value so that the copy is started automatically with Windows: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServicesStartup = %Temp%\svchost.exe  1

The malware then searches for RAR and ZIP archives in the following predefined folders, on the local C:, D: and E: drives:
  • \Program files\emule\incoming
  • \Download
  • \Incoming
  • \Archivos de programa\emule\incoming
  • \Program Files\Kazaa Lite K++\My Shared Folder
  • \Program files\KMD\My Shared Folder
  • \Program files\KaZaA Lite\My Shared Folder
  • \Program files\Morpheus\My Shared Folder
  • \Program files\BearShare\Shared
  • \Program files\Edonkey2000\Incoming
  • \My Downloads
  • \My Shared Folder
  • \Program files\appleJuice\incoming
  • \Program files\Gnucleus\Downloads
  • \Program files\Grokster\My Grokster
  • \Program files\ICQ\shared files
  • \Program files\KaZaA\My Shared Folder
  • \Program files\LimeWire\Shared
  • \Program files\Overnet\incoming
  • \Program files\Shareaza\Downloads
  • \Program files\Swaptor\Download
  • \Program files\WinMX\My Shared Folder
  • \Program files\Tesla\Files
  • \Program files\XoloX\Downloads
  • \Program files\Rapigator\Share
  • \T

Win32.Worm.P2P.Puce.B adds a copy of itself to each archive it finds, under one of these file names:
  • Setup.exe
  • Install.exe
  • _Run_Me_First.exe
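The following triage script is an added example, not Bitdefender's own tooling. It checks the two host indicators listed under Symptoms (the dropped %Temp%\svchost.exe and the WindowsServicesStartup Run value) and then walks a subset of the predefined folders above on C:, D: and E:, opening every ZIP archive and reporting entries that carry one of the three planted names. The folder subset, the SHA-256 hashing of the dropped file and the choice to only flag RAR archives for manual inspection (the .NET framework has no built-in RAR reader) are assumptions made for this example. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script for Win32.Worm.P2P.Puce.B indicators (example code, not Bitdefender's).
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Indicators taken from the description above.
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue     = 'WindowsServicesStartup'
$dropPath     = Join-Path $env:TEMP 'svchost.exe'
$plantedNames = @('Setup.exe', 'Install.exe', '_Run_Me_First.exe')

# Assumed subset of the worm's predefined folders; extend it with the rest of the list above.
$relativeDirs = @(
    'Program Files\emule\incoming',
    'Download',
    'Incoming',
    'Program Files\KaZaA\My Shared Folder',
    'Program Files\LimeWire\Shared',
    'Program Files\Shareaza\Downloads',
    'My Downloads',
    'My Shared Folder'
)
$drives   = 'C', 'D', 'E'
$findings = @()

# --- 1. Host indicators: autostart value and dropped file -----------------------
$runEntry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($runEntry) {
    $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\$runValue"; Detail = $runEntry.$runValue }
}

# A svchost.exe outside %SystemRoot%\System32 is never legitimate; hash it for later lookup.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'DroppedFile'; Location = $dropPath; Detail = "SHA256=$hash" }
}

# --- 2. Archives in the P2P shared/download folders -----------------------------
foreach ($drive in $drives) {
    foreach ($rel in $relativeDirs) {
        $dir = "${drive}:\$rel"
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        $archives = Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.zip, *.rar -ErrorAction SilentlyContinue
        foreach ($archive in $archives) {
            if ($archive.Extension -ieq '.rar') {
                # No RAR reader in the framework: flag it so an analyst lists it with a RAR tool.
                $findings += [pscustomobject]@{ Type = 'RarToInspect'; Location = $archive.FullName; Detail = 'list entries for planted .exe names' }
                continue
            }
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($archive.FullName)
                try {
                    foreach ($entry in $zip.Entries) {
                        # -contains is case-insensitive, so SETUP.EXE is caught as well.
                        if ($plantedNames -contains $entry.Name) {
                            $findings += [pscustomobject]@{
                                Type     = 'InfectedZip'
                                Location = $archive.FullName
                                Detail   = "entry $($entry.FullName), $($entry.Length) bytes uncompressed"
                            }
                        }
                    }
                } finally {
                    $zip.Dispose()
                }
            } catch {
                # Corrupt or password-protected archive: report it rather than silently skipping.
                $findings += [pscustomobject]@{ Type = 'UnreadableZip'; Location = $archive.FullName; Detail = $_.Exception.Message }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Win32.Worm.P2P.Puce.B indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

An InfectedZip hit whose entry is roughly 100 KB matches the size given for this sample, but the entry name alone is not proof: legitimate archives also ship a Setup.exe, so quarantine the archive and let the scanner inspect the extracted file rather than deleting on the name alone.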