-----Original Message-----
From: info@xxxxxx [mailto:info@xxxxxx]
Sent: Thursday, August 22, 2002 7:39 PM
To: avp-info-list@xxxxxx
Subject: [metro.ch: ML KAV.ch info] August 22 2002 (2): Worm Advisory - "Duload"

Kaspersky Antivirus (KAV) Newsletter, August 22 2002 (2)
----------------------------------------------------------------------
(c) Metropolitan Network BBS Inc., www.metro.ch

In this issue:

1.) Network worm advisory - "Duload"

----------------------------------------------------------------------

1.) Network worm advisory - "Duload"

Kaspersky Labs reports the detection of the network worm "Duload", which is spreading across the KaZaA file-exchange network. Kaspersky Labs has already received several registered instances of infection in Italy.

The worm is a Windows (PE EXE) attachment written in Visual Basic. Currently two variants of the Duload worm are known, each having a different file size:

Worm.P2P.Duload.a - 18432 bytes
Worm.P2P.Duload.b - 7680 bytes (compressed with the UPX utility)

If the infected attachment is accidentally opened, "Duload" copies itself to the Windows system directory under the name "SystemConfig.exe" and modifies the system registry so that this file automatically loads each time Windows is started.

Next, the Duload worm creates a folder called "Media" in the Windows directory and copies itself to this folder under 39 different names, such as:

Pamela Anderson And Tommy Lee Home Video.exe
Alicia Silverstone Payboy Nude.exe
Kama Sutra Tetris.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
The Sims Game Crack.exe
Warcraft 3 Battle.net Crack.exe

"Duload" then modifies the system registry once again in order to make the "Media" folder accessible to all other KaZaA network users.

One modification of the worm (Worm.P2P.Duload.a) also downloads from an Internet site several Trojan programs designed to establish unauthorized remote management of victim computers.

Detection of this malware has already been added to the anti-virus database.
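
A file-system triage check for the on-disk traces this advisory describes, given here as an added example that is not part of the original newsletter and is not Kaspersky's detection logic. The function names, the `MIN_CLONES` threshold, the `system32` directory name and the dummy files in `demo()` are assumptions constructed for illustration; the file name, folder name and sizes come from the advisory.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

KNOWN_SIZES = {18432: "Worm.P2P.Duload.a", 7680: "Worm.P2P.Duload.b"}  # from the advisory
MIN_CLONES = 3  # assumed threshold for "one file under many names"


def _files(directory):
    """Regular files directly inside directory; empty list if it is missing."""
    d = Path(directory)
    return [p for p in d.iterdir() if p.is_file()] if d.is_dir() else []


def scan(windows_dir, system_dir):
    """Return (kind, detail) findings for the file-system traces described."""
    findings = []
    # Trace 1: SystemConfig.exe in the system directory (case-insensitive).
    for p in _files(system_dir):
        if p.name.lower() == "systemconfig.exe":
            findings.append(("system_copy", KNOWN_SIZES.get(p.stat().st_size, "unlisted size")))
    # Trace 2: byte-identical .exe files under different names in <windir>/Media.
    groups = defaultdict(list)
    for p in _files(Path(windows_dir) / "Media"):
        if p.suffix.lower() == ".exe":
            groups[hashlib.sha256(p.read_bytes()).hexdigest()].append(p)
    for clones in groups.values():
        if len(clones) >= MIN_CLONES:
            label = KNOWN_SIZES.get(clones[0].stat().st_size, "unlisted size")
            findings.append(("media_clones", f"{len(clones)} copies, {label}"))
    return findings


def demo():
    """Scan a constructed tree of dummy files (zero bytes only, no malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir, media = Path(tmp, "system32"), Path(tmp, "Media")
        sysdir.mkdir()
        media.mkdir()
        names = ("Kama Sutra Tetris.exe", "The Sims Game Crack.exe",
                 "Warcraft 3 Battle.net Crack.exe")
        for path in [sysdir / "SystemConfig.exe"] + [media / n for n in names]:
            path.write_bytes(b"\x00" * 7680)  # placeholder, variant .b's size
        return scan(tmp, sysdir)


if __name__ == "__main__":
    print(demo())
```

A size match alone is weak evidence; the stronger signal is the same content hash appearing under several unrelated names in the shared folder.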