For Home

Virus Profile: W32/Generic.c!p2p

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/12/2005
Date Added: 4/20/2004
Origin: Unknown
Length: Varies
Type: Virus
Subtype: Peer To Peer
DAT Required: 6916
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of above mentioned files activities.

Methods of Infection

This worm may be spread by its intended method of infected removable drives. Alternatively this may be installed by visiting a malicious web page (either by clicking on a link), or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.
   

Virus Characteristics


-------Updated on Dec 7, 2012----------------


W32/Generic.c!p2p” opens a IRC bot server in order to receive instruction from a remote attacker. It also creates a firewall rule for the dropped file using netsh in order to bypass normal authentication and to issue commands to control the compromised machines without user knowledge.

W32/Generic.c!p2p” also redirect the Windows software trace preprocessor (WPP) that traces driver operation to direct trace output to the console instead of an event trace log.

The worm checks for the following peer2peer applications in order to spread itself.

  •     Frostwire
  •     Limewire
  •     Bearshare
  •     shareaza
  •     winmx
  •     tesla
  •     Morpheus
  •     Emule
  •     edonkey2000
  •     grokster
  •     kazaa lite k++
  •     kazaa lite
The worm may also download other payload using FTP, the following are the FTP commands

  •     FtpPutFileA
  •     FtpGetFileA

The following are the command used by the worm to collected infected system information and sends to the remote attacker through remote port 7000

  •     getpeername
  •     gethostbyname
  •     gethostname
  •     getsockname
  •     GetComputerNameA
The following are the Captured IRC traffic.

  •     USER MCAFEE * 0 MCAFEE
  •     NICK MCAFEE
  •     PASS MCAFEE
  •     Leaving
  •     QUIT
  •     QUIT MCAFEE
  •     PONG MCAFEE
  •     PING
  •     NICK
  •     PRIVMSG
  •     NOTICE
  •     QUIT
  •     PART
  •     JOIN

Upon execution the worm tries to connect the following URL through remote port 53

  •     Scov[Removed]rt.com
  •     204.13. [Removed].107
  •     host204-13-[Removed]07.oversee.net
The Worm also copies itself into the below location:
  • %AppData%\msnmengers.exe
  • : [RemovableDrive]\SYSTEM\WINDOWS\autorunme.exe
  • : [RemovableDrive]\autorun.inf


And the Worm drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file "AutoRun.inf" is pointing to the malware binary executable, when the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the Worm file via the following command syntax.[autorun]

  • open=SYSTEM\WINDOWS\autorunme.exe
  • icon=%SystemRoot%\system32\SHELL32.dll,4
  • action=Open folder to view files
  • shell\open=Open
  • shell\open\command=SYSTEM\WINDOWS\autorunme.exe
  • shell\open\default=1

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\Enroll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\Enroll\HcsGroups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\napagent\LocalConfig\UI
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\UI


The following registry key values have been added to the system:

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing: 0x00000000
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0x00000000
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask: 0xFFFF0000
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize: 0x00100000
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory: "%windir%\tracing"


The above registry key value confirms that the worm disables the file tracing. 


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3ASFH: "msnmengers.exe"


The above mentioned registry key value confirms that the worm registers with the compromised system and executes itself upon every boot.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\

 

  • Guid: "710adbf0-ce88-40b4-a50d-231ada6593f0"
  • BitNames: " NAP_TRACE_BASE NAP_TRACE_NETSH"
  • LogSessionName: "stdout"
  • Active: 0x00000001
  • ControlFlags: 0x00000001


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\

 

  • Guid: "b0278a28-76f1-4e15-b1df-14b209a12613"
  • BitNames: " Error Unusual Info Debug"
  • LogSessionName: "stdout"
  • Active: 0x00000001
  • ControlFlags: 0x00000001


The above registries confirms that the worm creates additional values and related data that may redirect the Windows software trace preprocessor (WPP) that traces driver operation to direct trace output to the console instead of an event trace log.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%UserProfile%\Desktop\svchosts.exe: "%UserProfile%\Desktop\svchosts.exe:*:Enabled:3ASFH"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%UserProfile%\Desktop\svchosts.exe: "%UserProfile%\Desktop\svchosts.exe:*:Enabled:3ASFH"


The above registry ensures that the Worm creates a firewall rule to bypass the normal authentication and it may allow the remote attacker to issue commands to control the compromised machines without user knowledge.


The Worm creates Mutex in the following name:

  • ChangeMe
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).