Effects
P2PShared.AV carries out the following actions:
- It reduces the protection level of the computer, as:
- it stops several security services, like the Error Reporting Service and the Windows Security Center Service.
- It disables the notifications of the User Account Control (UAC) service. It is a security feature of Windows 7/Vista operating systems which informs users when a program makes changes that require administrator permission.
- It modifies the security policies of the user's accounts, disabling the Least-Privileged User Account (LUA). - It injects itself into the EXPLORER.EXE process in order to avoid being detected.
- It connects to the following websites to download updates of itself:
http://eld<blocked>ox.com
http://topi<blocked>bur.com - It connects to a certain website in order to obtain the public IP address of the affected computer.
- It attempts to establish connections with other website in order to solicitar datos del ordenador.
- In Firefox browsers, it redirects to other website with malicious intentions websites accessed by users which are related to search engines.
- The affected websites contain any of the following text strings:
aol.com/aol/search?s_it
ask.com
bing.com
google.com
search - And the website to which users are redirected is: http://ruk<blocked>r.com/request.php?aid=blackout
- When users enter certain words in the browser (Internet Explorer, Chrome, Firefox y Opera), it displays advertising websites related to them.
- The keywords are the following:
airlines
amazon
antivir
antivirus
baseball
books
casino
cialis
cigarettes
comcast
craigslist
credit
dating
design
doctor
estate
fashion
finance
flights
flower
footbal
football
gambling
gifts
graphic
health
hotel
insurance
iphone
loans
medical
military
mobile
money
mortgage
movie
music
myspace
pharma
pocker
poker
school
software
sport
spybot
spyware
trading
tramadol
travel
twitter
verizon
video
virus
vocations
wallpaper
weather
Infection strategy
P2PShared.AV creates the following directories:
- a folder with a random name in the folder Mozilla Firefox\extensions of the Program Files directory. The following is an example: {9CE11043-9A15-4207-A565-0C94C42D590D}.
- SystemProc in the folder Application Data of the Documents and Settings directory of the user that has logged in.
P2PShared.AV creates the following files:
- GOOGLEOVERLAY.EXE, in the Windows system directory.
- LSASS.EXE, in the folder SystemProc, created by itself, in the folder Application Data of the Documents and Settings directory of the user that has logged in.
- CHROME.MANIFEST, INSTALL.RDF and TIMER.XUL, in the folder created by itself in the folder Mozilla Firefox\extensions of the Program Files directory.
The file TIMER.XUL redirects certain web addresses to other website.
P2PShared.AV creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
GoogleUpdater01 = %sysdir%\GoogleOverlay.exe
where %sysdir% is the Windows system directory. - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
\Explorer\Run
RTHDBPL = C:\Documents and Settings\%username%\Datos de programa\SystemProc\lsass.exe [- Random characters -]
where %username% is the username of the user that has logged in.
By creating this entry, P2PShared.AV ensures that it is run whenever Windows is started. - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UACDisableNotify = 01, 00, 00, 00
It disables the notifications displayed by the User Account Control service. - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = 00, 00, 00, 00
It disables the security policies of the user's accounts. - HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\ Services\ SharedAccess\ Parameters\ FirewallPolicy\ StandardProfile\ AuthorizedApplications\ List
%sysdir%\GoogleOverlay.exe = %sysdir%\GoogleOverlay.exe:*:Enabled:Explorer
It adds itself to the list of the authorized applications by the Windows firewall. - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
DeleteFlag = 01, 00, 00, 00 - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
FailureActions = 0A, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B8, 0B, 00, 00
By creating these two entries, it modifies the features of the Error Reporting Service. - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
DeleteFlag = 01, 00, 00, 00 - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
FailureActions = 0A, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B8, 0B, 00, 00
By creating these two entries, it modifies the features of the Windows Security Center.
P2PShared.AV modifies the following Windows Registry entries, in order to stop the Error Reporting Service and the Windows Security Center service respectively:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
Start = 02, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
Start = 04, 00, 00, 00 - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = 02, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = 04, 00, 00, 00
Means of transmission
P2PShared.AV uses the following means to spread:
1. (P2P) file sharing programs.
It follows the routine below:
- It creates copies of itself in the shared directories belonging to the following programs:
- BearShare
- Edonkey2000
- Emule
- Grokster
- Icq
- Kazaa
- Limewire
- Tesla
- Winmx - It is copied using the following names:
[]
[+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe, [antihack tool] Trojan Killer v2.9.4173.exe, [Eni0j0 team] Vmvare keygen.exe, [Eni0j0 team] Windows 7 Ultimate keygen.exe, [fixed]RapidShare Killer AIO 2010.exe, [patched serial not need] Nero 9.x keygen.exe, [patched serial not needed] Absolute Video Converter 6.2-7.exe, [patched serial not needed] PDF to Word Converter 3.4.exe, [patched serial not needed] PDF Unlocker v2.0.5.exePDF-XChange Pro.exe
A
Ad-aware 2010.exe, Adobe Acrobat Reader keygen.exe, Adobe Illustrator CS4 crack.exe, Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe, Alcohol 120 v1.9.x.exe, Anti-Porn v13.x.x.x.exe, AnyDVD HD v.6.3.1.8 Beta incl crack.exe, AOL Instant Messenger (AIM) Hacker.exe, AOL Password Cracker.exe, Ashampoo Snap 3.xx [Skarleot Group].exe, Avast 4.x Professional.exe, Avast 5.x Professional.exe
B
BitDefender AntiVirus 2010 Keygen.exe, Blaze DVD Player Pro v6.52.exe, Brutus FTP Cracker.exe
C
CleanMyPC Registry Cleaner v6.02.exe, Counter-Strike Serial key generator [Miona patch].exe
D
Daemon Tools Pro 4.8.exe, DCOM Exploit archive.exe, DivX 5.x Pro KeyGen generator.exe, Divx Pro 7.x version Keymaker.exe, Download Accelerator Plus v9.2.exe, Download Boost 2.0.exe, DVD Tools Nero 10.x.x.x.exe
F
FTP Cracker.exe
G
G-Force Platinum v3.7.6.exe, Google SketchUp 7.1 Pro.exe, Grand Theft Auto IV [Offline Activation + mouse patch].exe
H
Half-Life 2 Downloader.exe, Hotmail Cracker [Brute method].exe, Hotmail Hacker [Brute method].exe
I
ICQ Hacker Trial version [brute].exe, Image Size Reducer Pro v1.0.1.exe, Internet Download Manager V5.exe, IP Nuker.exe
K
Kaspersky AntiVirus 2010 crack.exe, Kaspersky Internet Security 2010 keygen.exe, Keylogger unique builder.exe, K-Lite Mega Codec v5.2 Portable.exe, K-Lite Mega Codec v5.2.exe
L
L0pht 4.0 Windows Password Cracker.exe, LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
M
Magic Video Converter 8.exe, McAfee Total Protection 2010 [serial patch by AnalGin].exe, Microsoft Visual Basic KeyGen.exe, Microsoft Visual C++ KeyGen.exe, Microsoft Visual Studio KeyGen.exe, Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe, Motorola, nokia, ericsson mobil phone tools.exe, Mp3 Splitter and Joiner Pro v3.48.exe, MSN Password Cracker.exe, Myspace theme collection.exe
N
NetBIOS Cracker.exe, NetBIOS Hacker.exe, Norton Anti-Virus 2005 Enterprise Crack.exe, Norton Anti-Virus 2010 Enterprise Crack.exe, Norton Internet Security 2010 crack.exe
P
Password Cracker.exe, PDF password remover (works with all acrobat reader).exe, Power ISO v4.4 + keygen milon.exe
R
Rapidshare Auto Downloader 3.8.6.exe
S
sdbot with NetBIOS Spread.exe, Sophos antivirus updater bypass.exe, Sub7 2.5.1 Private.exe, Super Utilities Pro 2009 11.0.exe
T
Total Commander7 license+keygen.exe, Tuneup Ultilities 2010.exe, Twitter FriendAdder 2.3.9.exe
U
UT 2003 KeyGen.exe, VmWare 7.x keygen.exe
W
Website Hacker.exe, Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe, Windows 2008 Enterprise Server VMWare Virtual Machine.exe, Windows Password Cracker + Elar3 key.exe, Windows2008 keygen and activator.exe, WinRAR v3.x keygen [by HiXem].exe
Y
Youtube Music Downloader 1.3.exe, YouTubeGet 5.6.exe - Other users of these programs can remotely access these shared directories. This way, they voluntarily download these files to their computers.
2. Email messages
It reaches the computer attached to an email message like the following, passing itself off as a Hallmark card:
3. Removable drives
It makes copies of itself using the name REDMOND.EXE in the path Recycler\S-%randon number% of the removable devices connected to the computer, like USB keys. Additionally, it creates an AUTORUN.INF file in these drives, so that the worm is automatically run whenever any of them is accessed.
Further Details
P2PShared.AV is written in the programming language Visual Basic v6.0. This worm is 643,072 bytes in size.