Click anywhere to stop


Detect Date 06/26/2009
Class P2P-Worm
Platform Win32

In order to simulate legitimacy, the worm’s file contains dummy information about the file:

The worm locates a process corresponding to a window with the class “Progman” (this is how the malware finds the “explorer.exe” process) and injects its code into this process, then ceases running.

The malicious code injected into this process is installed and performs backdoor functionality. To do this, it connects to the remote hosts:






Following a command from the malicious user, the worm can perform the following actions:

  1. Download files to the infected computer and launch them for execution. The downloaded files are saved in the user’s temporary folder under random names:

    where <rnd> is a random number.

    It can save the downloaded files under the names “Crack.exe” and “Keygen.exe” to P2P network file sharing directories located on the local machine. It can also save them in the following directory:

    %ALLUSERSPROFILE%Local SettingsApplication DataAresMy Shared Folder

    It obtains the names of P2P network file sharing directories by analyzing the parameters of these system registry keys:

    [HKCUSoftwareMicrosoftWindowsCurrentVersionUninstalleMule Plus_is1]
  2. Change the content of the “hosts” file:

    This means that it can block access to the Internet resources visited by the user, or redirect the user to other resources.

  3. Conduct a DoS attack on a server specified by the malicious user.
  4. Copy the worm’s body to all write-accessible network and removable drives.

    It also places the accompanying file shown below in the root of every disk:


    where <X> is the letter of the network drive or removable disk. At the same time, it assigns “hidden” and “system” attributes to the copies of the worm.

    This file launches the executable file from the copy of the worm each time the user accesses the infected disk using Explorer.

  5. Send the names of the Internet resources and their passwords to the malicious user’s address when the user uses the following browsers:
    Mozilla Firefox
    Internet Explorer

At the time of writing, the worm downloaded its updated version from the following URL, then launched it for execution:


Find out the statistics of the threats spreading in your region