Worm:Win32/Silly_P2P.G is a worm that spreads via peer-to-peer networking, instant messaging programs, and removable drives. It may allow a remote attacker to perform denial-of-service attacks on remote systems and steal cached user names and passwords from the browser.
Installation
When run, Worm:Win32/Silly_P2P.G copies itself to the system as the following:
- C:\RECYCLER\S-1-5-21-<num1>-<num2>-<num3>-<num4>\glps.exe
where <num1>, <num2>, <num3>, and <num4> are random numbers, for example:
C:\RECYCLER\S-1-5-21-8312636133-5761189323-938025048-7311\glps.exe
It also creates the following registry entry so that its copy runs every time Windows starts:
Adds value: "Taskman"
With data: "C:\RECYCLER\S-1-5-21-<num1>-<num2>-<num3>-<num4>\glps.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It also creates the mutex "roo_fejh__frg6roo3" to ensure that only one copy of itself is running at any given time.
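The following PowerShell script is an added example, not part of the Microsoft write-up, that checks a host for the two persistence artifacts described above: the Winlogon "Taskman" value pointing into a RECYCLER folder, and the mutex name. The function names are made up for this example; the write-up does not state whether the mutex is created in the Global\ namespace, so both forms are tried. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Microsoft write-up): check a host for the
# Worm:Win32/Silly_P2P.G persistence artifacts described above.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Path pattern from the write-up: C:\RECYCLER\S-1-5-21-<n>-<n>-<n>-<n>\glps.exe
$badPath  = '\\RECYCLER\\S-1-5-21-\d+-\d+-\d+-\d+\\glps\.exe$'

function Test-SillyP2PTaskman {
    # A clean Windows install normally has no Taskman value under Winlogon;
    # if one exists, its data should never point into a RECYCLER folder.
    $props = Get-ItemProperty -Path $winlogon -Name Taskman -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $data = [string]$props.Taskman
    [pscustomobject]@{
        Value      = 'Taskman'
        Data       = $data
        Suspicious = ($data -match $badPath) -or ($data -match '\\RECYCLER\\')
    }
}

function Test-SillyP2PMutex {
    # The worm creates this mutex to stay single-instance; if it can be opened,
    # a copy is running in this session. Namespace prefix is an assumption:
    # the write-up does not say which one the worm uses, so both are tried.
    foreach ($name in @('roo_fejh__frg6roo3', 'Global\roo_fejh__frg6roo3')) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            return $name
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # Not present under this name; try the next one.
        } catch [System.UnauthorizedAccessException] {
            # Exists but cannot be opened with our rights: still evidence it exists.
            return $name
        }
    }
    return $null
}

$taskman = Test-SillyP2PTaskman
$mutex   = Test-SillyP2PMutex
if ($taskman -and $taskman.Suspicious) {
    Write-Warning "Winlogon Taskman points at: $($taskman.Data)"
}
if ($mutex) { Write-Warning "Mutex present: $mutex" }
if (-not ($taskman -and $taskman.Suspicious) -and -not $mutex) {
    Write-Output 'No Worm:Win32/Silly_P2P.G persistence artifacts found.'
}
```

A positive Taskman hit is the more durable indicator: the mutex only exists while the worm process is alive, whereas the registry value survives reboots and is what re-launches the copy at logon.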
Spreads Via...
Removable Drives
Worm:Win32/Silly_P2P.G may spread via removable drives by copying itself to the drive as:
- <DRIVE>\RECYCLER\autorun.exe
It also creates the file autorun.ini in the root of the drive so that its copy is executed whenever the drive is accessed.
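The following PowerShell function is an added example, not part of the Microsoft write-up, that looks on every attached filesystem drive for the removable-drive artifacts named above and reports each hit with its hidden attribute and SHA-256 hash for triage. The function name is made up for this example. Besides the autorun.ini file the write-up names, it also checks autorun.inf, the file name Windows itself reads for AutoRun; treating the two as candidates for the same file is an assumption.

```powershell
# Added example (not from the Microsoft write-up): scan attached drives for
# the removable-drive artifacts described above.

function Get-SillyP2PDriveArtifacts {
    param(
        # Default: the root of every filesystem drive. Pass specific roots
        # (for example 'E:\') to limit the scan to suspect removable media.
        [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | Where-Object Root | ForEach-Object Root)
    )
    foreach ($root in $Roots) {
        # File names from the write-up, plus autorun.inf (assumption: the
        # autorun.ini the write-up names may refer to the standard AutoRun file).
        $candidates = @(
            (Join-Path $root 'RECYCLER\autorun.exe'),
            (Join-Path $root 'autorun.ini'),
            (Join-Path $root 'autorun.inf')
        )
        foreach ($path in $candidates) {
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                # -Force is needed so hidden files are returned.
                $item = Get-Item -LiteralPath $path -Force
                [pscustomobject]@{
                    Drive  = $root
                    Path   = $path
                    Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                    Size   = $item.Length
                    SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
            }
        }
    }
}

Get-SillyP2PDriveArtifacts | Format-Table -AutoSize
```

For a drive that only carries an autorun file, read its contents before drawing conclusions: a legitimate installer disc also ships one. A RECYCLER folder on a removable drive that contains an .exe, on the other hand, has no normal explanation and is the stronger signal.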
Peer-to-Peer (P2P) Networks
Worm:Win32/Silly_P2P.G may create copies of itself with random file names (for example, 524.exe) in the default shared folders of the following P2P programs:
BearShare
DC++
eMule
iMesh
Kazaa
LimeWire
Shareaza
This action makes its copies available for download by other users of these programs.
Instant Messaging Programs
Worm:Win32/Silly_P2P.G may attempt to spread by sending an instant message to all of a user's contacts on MSN Messenger. The message contains a link to a copy of this worm. If a contact clicks the link, a copy of the worm may be downloaded onto the contact's computer.
Payload
Steals User Information
Worm:Win32/Silly_P2P.G may attempt to steal cached information, such as stored e-mail user names and passwords, for the current user from the following browsers:
The gathered information may then be sent to a remote attacker.
Performs Denial-of-Service (DoS) Attacks
Worm:Win32/Silly_P2P.G may open and listen on a random TCP port, allowing a remote attacker to instruct the infected system to perform a denial-of-service (DoS) attack against a remote system.
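Because the listening port is random, a defender cannot match on a port number. The following PowerShell function is an added example, not part of the Microsoft write-up, that instead lists listening TCP sockets whose owning process is either loaded from a RECYCLER folder (where the write-up says the worm copies itself) or is explorer.exe, which the write-up says the worm injects code into and which does not listen on TCP ports by itself. The function name is made up for this example; Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the Microsoft write-up): find listening TCP sockets
# owned by a process image under RECYCLER, or by explorer.exe (injection target).

function Get-SillyP2PListeners {
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    foreach ($conn in $listeners) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($null -eq $proc) { continue }
        $image = $proc.Path   # $null for some protected/system processes
        $fromRecycler = $image -and ($image -match '\\RECYCLER\\')
        $isExplorer   = $proc.ProcessName -ieq 'explorer'
        if ($fromRecycler -or $isExplorer) {
            [pscustomobject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                PID          = $proc.Id
                Process      = $proc.ProcessName
                Image        = $image
                Reason       = if ($fromRecycler) { 'image under RECYCLER' } else { 'explorer.exe listening' }
            }
        }
    }
}

$hits = Get-SillyP2PListeners
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No suspicious TCP listeners found.'
}
```

An explorer.exe listener deserves a look at the process's loaded modules and threads rather than an immediate verdict, since other software also injects into Explorer; a listener whose image path is under RECYCLER needs no such caveat.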
Additional Information
Worm:Win32/Silly_P2P.G injects code into explorer.exe. However, this part of its routine may not perform as intended, causing Explorer to crash.
Analysis by Patrik Vicol