Kaspersky Threats

Class

Platform

Description

Technical Details

This is a Worm virus. It spreads through the peer-to-peer network Kazaa. Additionally, it performs some spying functions, gathering data on certain games installed on the affected PC. This worm is a Windows application (PE EXE-file). It is written in Visual C, and its size is 196 608 bytes.

Installation

During installation the worm produces the following false error message concerning the archive extraction:

WinZip Self-Extractor, WinZip Self-Extractor header corrupt. Possible cause: bad disk or file transfer error.

Subsequently it writes itself into the Windows directory under the following name:

mrowyekdc.exe

This installation of the worm is then registered in the auto run key within the system registry:

 HKLMSoftwareMicrosoftWindowsCurrentVersionRun
  SVCHOST = %WindowsDir%mrowyekdc.exe

Spreading

The worm creates a folder named “User Files” in the Windows directory and writes itself into it under the following names:

Starcraft + Broodwar 1.10 map hack.exe
Starcraft + Broodwar 1.10 no-cd hack.exe
Diablo 2 map hack.exe
Diablo 2 no-cd hack.exe
Jamella’s Diablo 2 hero editor.exe
Warcraft 3 map hack.exe
Warcraft 3 stat hack.exe
Warcraft 3 no-cd hack.exe
Warcraft 3 Frozen Throne map hack.exe
Warcraft 3 Frozen Throne cd-cd hack.exe
The Frozen Throne map hack.exe
Counterstrike hacks.exe
Counterstrike aim hack.exe

This folder is then noted in the Windows system registry as Local Content for the file exchange network Kazaa:

 HKCUSoftwareKazaaLocalContent
  dir0 = 012345:%Windir%User Files
  DisableSharing = "0

As a result, the files contained in this folder become available for download to other users of P2P networks.

Spy function

The worm checks the system registry for keys relating to popular computer games (Counter Strike, Diablo, Warcraft, Starcraft) and sends gathered data to the worm’s “owner” using an SMTP-server connection.

Miscellaneous

The worm checks the system’s date and time. If the month of the worm’s activation is earlier than August it ceases performing its functions and deletes all its entries in the system registry.

Class	P2P-Worm
Platform	Win32
Description	Technical Details This is a Worm virus. It spreads through the peer-to-peer network Kazaa. Additionally, it performs some spying functions, gathering data on certain games installed on the affected PC. This worm is a Windows application (PE EXE-file). It is written in Visual C, and its size is 196 608 bytes. *Installation* During installation the worm produces the following false error message concerning the archive extraction: Subsequently it writes itself into the Windows directory under the following name: mrowyekdc.exe This installation of the worm is then registered in the auto run key within the system registry: HKLMSoftwareMicrosoftWindowsCurrentVersionRun SVCHOST = %WindowsDir%mrowyekdc.exe *Spreading* The worm creates a folder named “User Files” in the Windows directory and writes itself into it under the following names: Starcraft + Broodwar 1.10 map hack.exe Starcraft + Broodwar 1.10 no-cd hack.exe Diablo 2 map hack.exe Diablo 2 no-cd hack.exe Jamella’s Diablo 2 hero editor.exe Warcraft 3 map hack.exe Warcraft 3 stat hack.exe Warcraft 3 no-cd hack.exe Warcraft 3 Frozen Throne map hack.exe Warcraft 3 Frozen Throne cd-cd hack.exe The Frozen Throne map hack.exe Counterstrike hacks.exe Counterstrike aim hack.exe This folder is then noted in the Windows system registry as Local Content for the file exchange network Kazaa: HKCUSoftwareKazaaLocalContent dir0 = 012345:%Windir%User Files DisableSharing = "0 As a result, the files contained in this folder become available for download to other users of P2P networks. *Spy function* The worm checks the system registry for keys relating to popular computer games (Counter Strike, Diablo, Warcraft, Starcraft) and sends gathered data to the worm’s “owner” using an SMTP-server connection. *Miscellaneous* The worm checks the system’s date and time. If the month of the worm’s activation is earlier than August it ceases performing its functions and deletes all its entries in the system registry.

P2P-Worm.Win32.Gotorm

Technical Details