random (780 Kb - 15 Mb)


  • Presence of files named according to the following pattern in C: _undo_[date]_[time].bat (e.g.: C:\_undo_26-08-08_12-17-58.bat ).
  • Presence of files in the DC++ shared folders with a double extension ending in .SCR (e.g. .WMA.SCR, .AVI.SCR); the file names are randomly generated so as to resemble titles of pornographic movies.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Vlad Ioan Topan, virus researcher

Technical Description:

The worm is written in Delphi and has an original file size of 790,528 bytes. It spreads through the DC++ peer-to-peer network by copying itself to the DC++ shared folders, using randomly generated file names that resemble pornographic movie titles and a double extension that ends in .SCR.

The worm locates the DC++ client folder using the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Magnet\Handlers\DC++, which has a value called ShellExecute containing the path to DCPlusPlus.exe. It then opens the program's configuration file, DcPlusPlus.xml, which it expects to find in the Settings subfolder. From the configuration file the worm retrieves the list of shared folders.

In the shared folders it has found, the worm stores copies of itself to which it appends random numbers of null bytes in order to better resemble genuine video files. It uses words from the following list to generate random names:

(full), hard, porn, ass, dildo, incest, pedo, fucked, piss, lesbi, girls, angels, r@ygold, preteen, lolita, sex, xxx, rape, bdsm, drunk, 11yo, 10yo. It then appends a fake .WMV, .AVI, .MPG, .MP4 or .MPEG extension and after it the real .SCR extension.

It also generates a "removal" script for all the copies of itself that it creates, which is an unusual behavior for a worm. The script is a batch file with the name generated using the following pattern: [root-folder]:\_undo_[date]_[time].bat. The script contains a delete command for each copy, such as: 

del "c:\shared\RAPE sex Girls R@YGOLD Xxx angels.MP4.scr"

The original copy of the worm deletes itself using a batch script.
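The indicators described above can be checked over a file listing during triage. The following is an added example, not BitDefender's code: it flags `_undo_` batch files in a drive root and double-extension .SCR files, and reads the `del` lines of an undo script as an inventory of dropped copies. The function names, the two-digit date/time layout (inferred from the page's single example file name) and the sample listing are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Name layout assumed from the page's one example: _undo_26-08-08_12-17-58.bat
UNDO_RE = re.compile(r"_undo_\d{2}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.bat", re.I)
# Fake media extensions named on the page, followed by the real .scr
DOUBLE_EXT_RE = re.compile(r"\.(wmv|wma|avi|mpg|mp4|mpeg)\.scr$", re.I)
DEL_RE = re.compile(r'^\s*del\s+"([^"]+)"\s*$', re.I)


def is_undo_script(path):
    """True for an _undo_ batch file sitting directly in a drive root."""
    p = PureWindowsPath(path)
    in_root = p.anchor != "" and p.parent == PureWindowsPath(p.anchor)
    return in_root and UNDO_RE.fullmatch(p.name) is not None


def is_double_ext_scr(path):
    """True when the name ends in a media extension plus .scr."""
    return DOUBLE_EXT_RE.search(PureWindowsPath(path).name) is not None


def copies_from_undo(script_text):
    """Paths named in the script's del commands: the worm's own inventory."""
    return [m.group(1) for line in script_text.splitlines()
            if (m := DEL_RE.match(line))]


def triage(listing, undo_scripts):
    """listing: file paths seen; undo_scripts: {path: text} of scripts read."""
    listed = {p.lower() for p in listing}
    report = {"undo_scripts": [p for p in listing if is_undo_script(p)],
              "double_ext": [p for p in listing if is_double_ext_scr(p)],
              "listed_but_missing": []}  # in a script, absent from listing
    for text in undo_scripts.values():
        for copy in copies_from_undo(text):
            if copy.lower() not in listed:
                report["listed_but_missing"].append(copy)
    return report


# Constructed sample data (not taken from a real host)
LISTING = [r"C:\_undo_26-08-08_12-17-58.bat",
           r"c:\shared\holiday clip.AVI.scr",
           r"c:\shared\concert.avi",
           r"C:\tools\_undo_26-08-08_12-17-58.bat"]
UNDO = {LISTING[0]: 'del "c:\\shared\\holiday clip.AVI.scr"\r\n'
                    'del "d:\\share2\\other clip.MP4.scr"\r\n'}

if __name__ == "__main__":
    print(triage(LISTING, UNDO))
```

Paths reported under `listed_but_missing` are copies the undo script names but the listing does not contain, which points to shared folders outside the scanned scope or to copies that have already been deleted.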