P2P-Worm.Win32.Gotorm

Class P2P-Worm
Platform Win32
Description

Technical Details

This is a Worm virus. It spreads through the peer-to-peer network Kazaa. Additionally, it performs some spying functions, gathering data on certain games installed on the affected PC. This worm is a Windows application (PE EXE-file). It is written in Visual C, and its size is 196 608 bytes.

Installation

During installation the worm produces the following false error message concerning the archive extraction:

WinZip Self-Extractor, WinZip Self-Extractor header corrupt. Possible cause:  bad disk or file transfer error.

Subsequently it writes itself into the Windows directory under the following name:

mrowyekdc.exe

This installation of the worm is then registered in the auto run key within the system registry:

 HKLMSoftwareMicrosoftWindowsCurrentVersionRun
  SVCHOST = %WindowsDir%mrowyekdc.exe

Spreading

The worm creates a folder named “User Files” in the Windows directory and writes itself into it under the following names:

Starcraft + Broodwar 1.10 map hack.exe
Starcraft + Broodwar 1.10 no-cd hack.exe
Diablo 2 map hack.exe
Diablo 2 no-cd hack.exe
Jamella’s Diablo 2 hero editor.exe
Warcraft 3 map hack.exe
Warcraft 3 stat hack.exe
Warcraft 3 no-cd hack.exe
Warcraft 3 Frozen Throne map hack.exe
Warcraft 3 Frozen Throne cd-cd hack.exe
The Frozen Throne map hack.exe
Counterstrike hacks.exe
Counterstrike aim hack.exe

This folder is then noted in the Windows system registry as Local Content for the file exchange network Kazaa:

 HKCUSoftwareKazaaLocalContent
  dir0 = 012345:%Windir%User Files
  DisableSharing = "0

As a result, the files contained in this folder become available for download to other users of P2P networks.

Spy function

The worm checks the system registry for keys relating to popular computer games (Counter Strike, Diablo, Warcraft, Starcraft) and sends gathered data to the worm’s “owner” using an SMTP-server connection.

Miscellaneous

The worm checks the system’s date and time. If the month of the worm’s activation is earlier than August it ceases performing its functions and deletes all its entries in the system registry.