Your essential free software toolbox

SHARE
THIS ON

Win32.P2P.Tanked.B

MEDIUM

LOW

102,200 to 550,000 bytes

(Worm.P2P.Tanked.14 (Kaspersky) W32/Kwbot.worm.e (Mcafee) W32.Kwbot.C.Worm (Symantec))

Symptoms

Presence of the next file in %SYSTEM% folder:

Cmd32.exe

Presence of one or more of the next registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"CMD"="cmd32.exe"]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\"CMD"= "cmd32.exe"]
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\"CMD"= "cmd32.exe"]
[HKLM\Software\Microsoft\Windows\"CMD"="cmd32.exe"]
[HKLM\Software\Krypton]
[HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\"Shell"="explorer.exe %SYSTEM%\cmd32.exe"]

where %SYSTEM% points to Windows\\System folder (WINNT\System32 on NT,2000,XP)

Removal instructions:

BitDefender can disinfect or delete automatically the files infected by this particular virus. The modified registry entries should be corrected manually.

If you don't have BitDefender installed click here to download an evaluation version;

Make sure that you have the latest updates using BitDefender Live!;

Make the following changes in the windows registry:

Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.
1. Select Run... from Start, then type regedit and press Enter;
2. Delete the following keys:
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"CMD"="cmd32.exe"]
  [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\"CMD"= "cmd32.exe"]
  [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\"CMD"= "cmd32.exe"]
  [HKLM\Software\Microsoft\Windows\"CMD"="cmd32.exe"]
  [HKLM\Software\Krypton]
  [HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\"Shell"= "explorer.exe %SYSTEM%\cmd32.exe"]
  
  where %SYSTEM% points to Windows\System folder (WINNT\System32 on NT, 2000, XP)

Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.P2P.Tanked.B.

Analyzed By

Patrik Vicol BitDefender Virus Researcher

Technical Description:

This worm spreads through Kazaa and Imesh. Once executed, the worm will do the following:

Copies itself in %SYSTEM% folder as cmd32.exe

Sets the aforementioned registry keys.

Notes: the worm will set the key

[HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\"Shell"="explorer.exe %SYSTEM%\cmd32.exe"]

only if the installed OS is NT based (Windows NT, 2000, XP)

The entries of the registry key

[HKEY_LOCAL_MACHINE\Software\Krypton]

point to the copies of the worm.

3. It searches the registry for entries of Kazaa and Imesh to see if they are are installed. If they are installed, the worm will will do the following
- Create the folders (%WINDIR% points to Windows folder):
  
  %WINDIR%\UserTemp
  %WINDIR%\User32
  
  where it will place copies of itself under one or more of the following names:
  
  Battlefield1942_bloodpatch.exe
  Unreal2_bloodpatch.exe
  UT2003_bloodpatch.exe
  AquaNox2 Crack.exe
  NBA2003_crack.exe
  FIFA2003 crack.exe
  C&C Generals_crack.exe
  UT2003_keygen.exe
  UT2003_no cd (crack).exe
  Age of Empires 2 crack.exe
  Anno 1503_crack.exe
  C&C Renegade_crack.exe
  Diablo 2 Crack.exe
  Gothic 2 licence.exe
  GTA 3 Crack.exe
  GTA 3 patch (no cd).exe
  Hitman_2_no_cd_crack.exe
  Mafia_crack.exe
  Neverwinter_Nights_licence.exe
  NHL 2003 crack.exe
  WarCraft_3_crack.exe
  Splinter_Cell_Crack.exe
  Battlefield1942_keygen.exe
  Winamp 3.8.exe
  MediaPlayer Update.exe
  UT2003_patch.exe
  ACDSee 5.5.exe
  DivX Video Bundle 6.5.exe
  Global DiVX Player 3.0.exe
  QuickTime_Pro_Crack.exe
  KaZaA Lite (New).exe
  iMesh 3.7b (beta).exe
  iMesh 3.6.exe
  KaZaA Hack 2.5.0.exe
  DirectDVD 5.0.exe
  Flash MX crack (trial).exe
  Ad-aware 6.5.exe
  WinZip 9.0b.exe
  SmartFTP 2.0.0.exe
  ICQ Lite (new).exe
  ICQ Pro 2003b (new beta).exe
  ICQ Pro 2003a.exe
  AOL Instant Messenger.exe
  Download Accelerator Plus 6.1.exe
  Trillian 0.85 (free).exe
  MSN Messenger 5.2.exe
  Network Cable e ADSL Speed 2.0.5.exe
  mIRC 6.40.exe
  GetRight 5.0a.exe
  Pop-Up Stopper 3.5.exe
  Yahoo Messenger 6.0.exe
  KaZaA Speedup 3.6.exe
  Nero Burning ROM crack.exe
  WindowBlinds 4.0.exe
  Animated Screen 7.0b.exe
  Living Waterfalls 1.3.exe
  Matrix Screensaver 1.5.exe
  Popup Defender 6.5.exe
  Space Invaders 1978.exe
  SmartRipper v2.7.exe
  TweakAll 3.8.exe
  DVD Copy Plus v5.0.exe
  Serials 2003 v.8.0 Full.exe
  Zelda Classic 2.00.exe
  Need 4 Speed crack.exe
  Links 2003 Golf game (crack).exe
  Netfast 1.8.exe
  Guitar Chords Library 5.5.exe
  DVD Region-Free 2.3.exe
  Cool Edit Pro v2.55.exe
  Coffee Cup Free HTML 7.0b.exe
  Clone CD 5.0.0.3.exe
  Clone CD 5.0.0.3 (crack).exe
  Nimo CodecPack (new) 8.0.exe
  Business Card Designer Plus 7.9.exe
  Steinberg_WaveLab_5_crack.exe
  Hot Babes XXX Screen Saver.exe
  FreeRAM XP Pro 1.9.exe
  IrfanView 4.5.exe
  Audiograbber 2.05.exe
  WinOnCD 4 PE_crack.exe
  Final Fantasy VII XP Patch 1.5.exe
  BabeFest 2003 ScreenSaver 1.5.exe
  PalTalk 5.01b.exe
  DirectX Buster (all versions).exe
  DirectX InfoTool.exe
  Unreal2_crack.exe
  FlashGet 1.5.exe
  Babylon 3.50b reg_crack.exe
  mp3Trim PRO 2.5.exe
- In the registry keys:
  
  [HKEY_CURRENT_USER\Software\Kazaa\LocalContent\]
  [HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent\]
  
  it will create one of the registry entries (? represents a random number in the range 0..63)
  
  Dir? 012345:%WINDIR%\UserTemp
  Dir? 012345:%WINDIR%\User32
  
  and thus sharing copies of the worm within Kazaa and/or Imesh.

It opens a random TCP port and a random UDP port.

Connects to an IRC channel and waits for commands to be issued by an attacker. Thus, the attacker may:
- send private and system information from the infected system
- download files into the infected computer
- execute files onto the infected computer
- perform a DoS attack (Denial of Service) on an IP
- send the worm to other users