Win32:Kapucen-B
Win32:Kapucen is a worm that spreads through peer-to-peer (P2P) file-sharing folders. It is also known as Win32/Puce or W32.ECup.
| Summary | |
|---|---|
| Type | Worm |
| Aliases | Win32/Puce, W32.ECup |
| VPS version | July 18, 2006 |
| Platform | Windows |
| Infection length | 106,496 bytes |
Description
Win32:Kapucen-B copies itself as %Temp dir%\svchost.exe and creates the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServicesStartup = "%Temp dir%\svchost.exe 1"
This entry launches the worm automatically every time Windows starts.
Win32:Kapucen-B then searches drives C, D and E for the following folders:
- \Program files\emule\incoming
- \Download
- \T chargement
- \Incoming
- \Archivos de programa\emule\incoming
- \Program Files\Kazaa Lite K++\My Shared Folder
- \Program files\KMD\My Shared Folder
- \Program files\KaZaA Lite\My Shared Folder
- \Program files\Morpheus\My Shared Folder
- \Program files\BearShare\Shared
- \Program files\Edonkey2000\Incoming
- \My Downloads
- \My Shared Folder
- \Program files\appleJuice\incoming
- \Program files\Gnucleus\Downloads
- \Program files\Grokster\My Grokster
- \Program files\ICQ\shared files
- \Program files\KaZaA\My Shared Folder
- \Program files\LimeWire\Shared
- \Program files\Overnet\incoming
- \Program files\Shareaza\Downloads
- \Program files\Swaptor\Download
- \Program files\WinMX\My Shared Folder
- \Program files\Tesla\Files
- \Program files\XoloX\Downloads
- \Program files\Rapigator\Share
and drives F and G for the folder:
- \Incoming
Win32:Kapucen-B copies itself into any ZIP or RAR archive in these folders as:
- Setup.exe
- Install.exe
- _Run_Me_First.exe
An infected archive may be copied to another folder and renamed as:
- "<archive name> updated-fixed [Month number]-[Day].zip"
- "<archive name> updated-fixed [Month number]-[Day].rar"
Win32:Kapucen-B then creates log.txt in the current folder and opens it with the default text viewer (usually Notepad). The file contains the following text:
PRE-INSTALL v1.07 (C) pUcE Software 2006 Pre-install has checked your config. Everything is ok, you can now run the setup program Enjoy!
Detection/Removal
avast! with a VPS file dated on or after 18th July 2006 detects this worm.
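As an added defender-side example (not code from the avast page), the Python helpers below turn the indicators above into checks: archive members named like the dropped files, archive names matching the "updated-fixed [Month]-[Day]" rename pattern, and a Run entry that starts svchost.exe from anywhere other than System32. Assumptions: only ZIP archives are inspected (RAR needs a third-party library), the svchost.exe location heuristic is mine rather than the page's, and the sample archives are constructed.

```python
import io
import re
import zipfile

# Indicators from the description above. The dropped file names, the renamed-
# archive pattern and the Run value name are the worm's; everything fed to
# these functions in the tests is constructed data.
DROPPED_NAMES = {"setup.exe", "install.exe", "_run_me_first.exe"}
RUN_VALUE_NAME = "WindowsServicesStartup"
RENAMED_COPY = re.compile(r" updated-fixed \d{1,2}-\d{1,2}\.(zip|rar)$", re.I)

def suspicious_members(names):
    """Archive members named like the worm's dropped files, in any subfolder."""
    def base(n):
        return n.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [n for n in names if base(n) in DROPPED_NAMES]

def scan_zip_bytes(data):
    """Inspect a ZIP held in memory; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return suspicious_members(zf.namelist())

def is_renamed_copy(filename):
    """True for '<name> updated-fixed <month>-<day>.zip' or '.rar'."""
    return RENAMED_COPY.search(filename) is not None

def run_command_is_suspicious(command):
    """Heuristic (mine, not the page's): a Run entry starting svchost.exe from
    outside System32/SysWOW64 (the worm uses the Temp dir) is not a real
    Windows service host."""
    m = re.match(r'\s*"?(?P<exe>.*?\.exe)"?(\s|$)', command, re.I)
    if not m:
        return False
    folder, _, name = m.group("exe").replace("/", "\\").lower().rpartition("\\")
    return name == "svchost.exe" and not folder.endswith(("\\system32", "\\syswow64"))

def run_entry_is_suspicious(value_name, command):
    """Flag the documented value name or any out-of-place svchost.exe."""
    return value_name == RUN_VALUE_NAME or run_command_is_suspicious(command)

def build_zip(members):
    """Constructed test data: an in-memory ZIP from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

On a Windows host the Run values can be enumerated with the standard winreg module and passed to run_entry_is_suspicious one by one.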