
Win32.P2P.Tanked.B

MEDIUM
LOW
Size: 102,200 to 550,000 bytes
Aliases: Worm.P2P.Tanked.14 (Kaspersky), W32/Kwbot.worm.e (McAfee), W32.Kwbot.C.Worm (Symantec)

Symptoms

  • Presence of the following file in the %SYSTEM% folder:

    Cmd32.exe

  • Presence of one or more of the following registry entries (all are values except HKLM\Software\Krypton, which is a key):

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"CMD"="cmd32.exe"]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\"CMD"="cmd32.exe"]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\"CMD"="cmd32.exe"]
    [HKLM\Software\Microsoft\Windows\"CMD"="cmd32.exe"]
    [HKLM\Software\Krypton]
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"="explorer.exe %SYSTEM%\cmd32.exe"]

    where %SYSTEM% points to the Windows\System folder (WINNT\System32 on NT, 2000, XP)
  • Removal instructions:

    BitDefender can automatically disinfect or delete the files infected by this worm. The registry entries it modifies must be corrected manually.

    1. If you don't have BitDefender installed, download an evaluation version;

    2. Make sure that you have the latest updates using BitDefender Live!;

    3. Make the following changes in the windows registry:

      Note: Modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

      1. Select Run... from Start, then type regedit and press Enter;

      2. Delete the following values and the Krypton key:
        [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"CMD"="cmd32.exe"]
        [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\"CMD"="cmd32.exe"]
        [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\"CMD"="cmd32.exe"]
        [HKLM\Software\Microsoft\Windows\"CMD"="cmd32.exe"]
        [HKLM\Software\Krypton]

        Do not delete the Winlogon Shell value; instead set it back to its default, explorer.exe, so that the worm is no longer started with the desktop shell:
        [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"="explorer.exe %SYSTEM%\cmd32.exe"]

        where %SYSTEM% points to the Windows\System folder (WINNT\System32 on NT, 2000, XP)

    4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.P2P.Tanked.B. This also removes the copies the worm placed in %WINDIR%\UserTemp and %WINDIR%\User32 (see the Technical Description); the Dir? entries it added under the KaZaA and iMesh LocalContent keys should be deleted as well, so those folders are no longer offered for sharing.

    Analyzed By

    Patrik Vicol, BitDefender Virus Researcher

    Technical Description:

    This worm spreads through KaZaA and iMesh. Once executed, the worm does the following:
    1. Copies itself to the %SYSTEM% folder as cmd32.exe

    2. Sets the registry entries listed under Symptoms.

      Notes: the worm sets the value

      [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell"="explorer.exe %SYSTEM%\cmd32.exe"]

      only if the installed OS is NT based (Windows NT, 2000, XP).

      The values under the key

      [HKEY_LOCAL_MACHINE\Software\Krypton]

      point to the copies of the worm.

    3. It searches the registry for KaZaA and iMesh entries to determine whether they are installed. If they are, the worm does the following:
      • Creates the folders (%WINDIR% points to the Windows folder):

        %WINDIR%\UserTemp
        %WINDIR%\User32

        where it places copies of itself under one or more of the following names (game cracks, keygens and popular utilities, chosen to be attractive search results):

        Battlefield1942_bloodpatch.exe
        Unreal2_bloodpatch.exe
        UT2003_bloodpatch.exe
        AquaNox2 Crack.exe
        NBA2003_crack.exe
        FIFA2003 crack.exe
        C&C Generals_crack.exe
        UT2003_keygen.exe
        UT2003_no cd (crack).exe
        Age of Empires 2 crack.exe
        Anno 1503_crack.exe
        C&C Renegade_crack.exe
        Diablo 2 Crack.exe
        Gothic 2 licence.exe
        GTA 3 Crack.exe
        GTA 3 patch (no cd).exe
        Hitman_2_no_cd_crack.exe
        Mafia_crack.exe
        Neverwinter_Nights_licence.exe
        NHL 2003 crack.exe
        WarCraft_3_crack.exe
        Splinter_Cell_Crack.exe
        Battlefield1942_keygen.exe
        Winamp 3.8.exe
        MediaPlayer Update.exe
        UT2003_patch.exe
        ACDSee 5.5.exe
        DivX Video Bundle 6.5.exe
        Global DiVX Player 3.0.exe
        QuickTime_Pro_Crack.exe
        KaZaA Lite (New).exe
        iMesh 3.7b (beta).exe
        iMesh 3.6.exe
        KaZaA Hack 2.5.0.exe
        DirectDVD 5.0.exe
        Flash MX crack (trial).exe
        Ad-aware 6.5.exe
        WinZip 9.0b.exe
        SmartFTP 2.0.0.exe
        ICQ Lite (new).exe
        ICQ Pro 2003b (new beta).exe
        ICQ Pro 2003a.exe
        AOL Instant Messenger.exe
        Download Accelerator Plus 6.1.exe
        Trillian 0.85 (free).exe
        MSN Messenger 5.2.exe
        Network Cable e ADSL Speed 2.0.5.exe
        mIRC 6.40.exe
        GetRight 5.0a.exe
        Pop-Up Stopper 3.5.exe
        Yahoo Messenger 6.0.exe
        KaZaA Speedup 3.6.exe
        Nero Burning ROM crack.exe
        WindowBlinds 4.0.exe
        Animated Screen 7.0b.exe
        Living Waterfalls 1.3.exe
        Matrix Screensaver 1.5.exe
        Popup Defender 6.5.exe
        Space Invaders 1978.exe
        SmartRipper v2.7.exe
        TweakAll 3.8.exe
        DVD Copy Plus v5.0.exe
        Serials 2003 v.8.0 Full.exe
        Zelda Classic 2.00.exe
        Need 4 Speed crack.exe
        Links 2003 Golf game (crack).exe
        Netfast 1.8.exe
        Guitar Chords Library 5.5.exe
        DVD Region-Free 2.3.exe
        Cool Edit Pro v2.55.exe
        Coffee Cup Free HTML 7.0b.exe
        Clone CD 5.0.0.3.exe
        Clone CD 5.0.0.3 (crack).exe
        Nimo CodecPack (new) 8.0.exe
        Business Card Designer Plus 7.9.exe
        Steinberg_WaveLab_5_crack.exe
        Hot Babes XXX Screen Saver.exe
        FreeRAM XP Pro 1.9.exe
        IrfanView 4.5.exe
        Audiograbber 2.05.exe
        WinOnCD 4 PE_crack.exe
        Final Fantasy VII XP Patch 1.5.exe
        BabeFest 2003 ScreenSaver 1.5.exe
        PalTalk 5.01b.exe
        DirectX Buster (all versions).exe
        DirectX InfoTool.exe
        Unreal2_crack.exe
        FlashGet 1.5.exe
        Babylon 3.50b reg_crack.exe
        mp3Trim PRO 2.5.exe


      • In the registry keys:

        [HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
        [HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent]

        it creates one of the following values (? represents a random number in the range 0..63)

        Dir? 012345:%WINDIR%\UserTemp
        Dir? 012345:%WINDIR%\User32

        which registers that folder as shared content, so the copies of the worm are offered to other KaZaA and/or iMesh users.


    4. It opens a random TCP port and a random UDP port.


    5. Connects to an IRC channel and waits for commands issued by the attacker, who may then:
      • retrieve private and system information from the infected system

      • download files onto the infected computer

      • execute files on the infected computer

      • perform a DoS (Denial of Service) attack against an IP address

      • send the worm to other users
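The following PowerShell script is an added triage example (not Bitdefender's tooling) that checks a host for the indicators listed under Symptoms and in steps 1 to 3 of the Technical Description, and with the -Remediate switch applies the removal steps described above: it stops the cmd32.exe process, deletes the autorun values and the Krypton key, restores the Winlogon Shell value to explorer.exe, removes the KaZaA/iMesh LocalContent Dir? entries pointing at the drop folders, and deletes the drop folders and the dropped binary. It assumes a modern PowerShell on Windows, run elevated; the registry paths and file names are those given on this page, and the Dir? regex and the "explorer.exe" default are the script's own assumptions.

```powershell
# Added example: triage/remediation for the Win32.P2P.Tanked.B indicators on this page.
# Not Bitdefender's code. Run elevated; without -Remediate it only reports findings.
param([switch]$Remediate)

$sys      = [Environment]::GetFolderPath('System')   # %SYSTEM%
$windir   = $env:WINDIR                              # %WINDIR%
$bin      = Join-Path $sys 'cmd32.exe'
$findings = @()

# 1. Live process first, so later file deletions are not blocked by open handles.
Get-Process -Name cmd32 -ErrorAction SilentlyContinue | ForEach-Object {
  $findings += "process: cmd32.exe pid $($_.Id)"
  if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 2. Dropped binary in %SYSTEM%
if (Test-Path $bin) {
  $findings += "file: $bin"
  if ($Remediate) { Remove-Item -Path $bin -Force }
}

# 3. Autorun values named CMD that launch cmd32.exe
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows'
)
foreach ($k in $runKeys) {
  $v = (Get-ItemProperty -Path $k -Name CMD -ErrorAction SilentlyContinue).CMD
  if ($v -and $v -match 'cmd32\.exe') {
    $findings += "autorun: $k\CMD = $v"
    if ($Remediate) { Remove-ItemProperty -Path $k -Name CMD }
  }
}

# 4. The worm's own key; its values point at the worm copies
$krypton = 'HKLM:\Software\Krypton'
if (Test-Path $krypton) {
  $findings += "key: $krypton"
  if ($Remediate) { Remove-Item -Path $krypton -Recurse }
}

# 5. Winlogon Shell: restore the default shell (assumed 'explorer.exe') instead of deleting the value
$wl    = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -match 'cmd32\.exe') {
  $findings += "winlogon: Shell = $shell"
  if ($Remediate) { Set-ItemProperty -Path $wl -Name Shell -Value 'explorer.exe' }
}

# 6. KaZaA / iMesh shared-folder values (Dir<n>) pointing at the drop folders, then the folders
$p2pKeys = @('HKCU:\Software\Kazaa\LocalContent', 'HKCU:\Software\iMesh\Client\LocalContent')
foreach ($k in $p2pKeys) {
  if (-not (Test-Path $k)) { continue }
  $props = Get-ItemProperty -Path $k
  foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -match '^Dir\d+$' })) {
    $val = [string]$props.$name
    # Match on the folder name; the stored path may differ from %WINDIR% in case or drive letter
    if ($val -match '\\User(Temp|32)\s*$') {
      $findings += "share: $k\$name = $val"
      if ($Remediate) { Remove-ItemProperty -Path $k -Name $name }
    }
  }
}
foreach ($d in @((Join-Path $windir 'UserTemp'), (Join-Path $windir 'User32'))) {
  if (Test-Path $d) {
    $findings += "dropdir: $d"
    if ($Remediate) { Remove-Item -Path $d -Recurse -Force }
  }
}

if ($findings) { $findings } else { 'no Win32.P2P.Tanked.B indicators found' }
```

Run it once without -Remediate to review the findings, then again with -Remediate; a full antivirus scan afterwards (step 4 of the removal instructions) is still needed, since the worm may also exist under any of the file names it shares.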