W32/Duni.A

Analysis

  • Virus is 32-bit, 236,032 bytes in size, and UPX compressed
  • Virus writes a copy of itself to both the root of drive C: and the Windows folder, then modifies the registry so that it runs at Windows startup. The file name is random, made of numbers with a .CPL extension, such as "2392.cpl" in this example:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    2392 = rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\2392.cpl

  • Virus may spread via email or within the Kazaa network

    • Virus determines the location of Kazaa shared files and creates numerous files in that folder with suggestive names, so that users searching for similar names might locate them and ultimately download and run them:

      AgeOfEmpires2_Crack.cpl
      AllMcAfeeCrack.Cpl
      AnalPasswords.cpl
      AVP_KeyActualization2002.ZIP.(numerous spaces)cpl
      AVP_Spanish.cpl
      AXEbahia.cpl
      B.cpl
      BinladenFuckinBillGates.cpl
      BioHazard.cpl
      Britney_spearsVSDavidBeckham_AnalPasions.cpl
      Crack.PerAntivirus.Zip.(numerous spaces)cpl
      DivResidentEvil.ZIP.cpl
      ElvisDesktop.cpl
      fullvideo_anal_action.zIP.(numerous spaces)cpl
      GameCube.Zip.(numerous spaces)cpl
      Hacking.cpl
      HardXCore.cpl
      JamieThomasVSrodneyMullen.cpl
      LagWagon&Blink182.cpl
      Mames.Zip.cpl.?Crack_Delphi5and6.Zip.(numerous spaces)cpl
      MariguanaDesktop.cpl
      Messenger_skins.ZIP.(numerous spaces)cpl
      muertes_videos.cpl
      NewVideo_Blink182.cpl
      NuevosVideosProfesorRossa.cpl
      PhotoShop6.xCrack.cpl
      Porno_sTar.cpl.:CannibalCorpse.MP3.(numerous spaces)cpl
      PSX2_Emulation.Zip.(numerous spaces)cpl
      PSX2EmulatorFree.Zip.(numerous spaces)cpl
      sexo_anal_full_video.cpl
      sexo_en_la_calle.cpl
      sexo_oriental_full_video.cpl
      Sickofitall.Zip.(numerous spaces)cpl
      SpidermanDesktop.cpl
      terminator2.cpl
      VideoPortoSeguro.cpl
      VisualBasic.Net.cpl
      Z.cpl
      Zidane.Taliban.cpl
      ZoneAlarmCrack.cpl

    • Virus contains instructions to gather email addresses from MSN Messenger contact names and send a copy of the virus to those addresses using SMTP. The subject line may be something in Spanish, and the file attachment may have one of these names:

      788782.cpl
      Adulterio_en_tus_narices.cpl
      analpasswords.cpl
      billgatesscream.cpl
      binladenDT.cpl
      como_como.cpl
      comoolvidarte.cpl
      Cristo.cpl
      cristo2002.cpl
      estesoyyo.cpl
      Fifaladen.cpl
      gooooooool.cpl
      jack.cpl
      listado_de_hoaxes.cpl
      listado_de_porquerias.cpl
      lomasimportante.cpl
      mcaffehoaxlist.cpl
      mentiras_en_hotmail.cpl
      mentiras_mails.cpl
      milposiciones.cpl
      milvidas.cpl
      mundial.cpl
      paulinasex.cpl
      poema_angelical.cpl
      por_ahi_noooooo.cpl
      portymore.cpl
      postal_de_mi_alma.cpl
      quien_como_tu.cpl
      scarycrai.cpl
      secretarias.cpl
      sere_yo_uno_de_esos.cpl
      sickofitall.cpl
      siemprevivir@setnet.cpl
      test_secretontas.cpl
      testdeamor.cpl
      tetris2002.cpl
      vidaymuerte.cpl
      zandias_meloones.cpl
      zapato_en_el_culo.cpl
      zorrita.cpl

  • Virus name or aliases are derived from strings found in the virus:

    "unidadworm"
    "kiltro2.dll"
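
Added example (not part of the original analysis): detection logic for the two traits described above. It scans `reg query` output for Run values that load a .cpl through rundll32, marking all-digit names in C:\ or the Windows folder, and it recognises the space-padded lure names. The function names, the C:\WINNT alternative, the five-space threshold and the sample values other than the 2392 entry are assumptions.

```python
import re

# Value data that loads a Control Panel applet through rundll32, as in the write-up.
CPL_LOAD = re.compile(
    r'rundll32(?:\.exe)?\s+shell32(?:\.dll)?\s*,\s*Control_RunDLL\s+'
    r'"?(?P<path>[^"]+\.cpl)"?\s*$', re.IGNORECASE)
# All-digit applet name in the root of C: or in the Windows folder.
# Assumption: the Windows folder is C:\WINDOWS or C:\WINNT.
NUMERIC_CPL = re.compile(r'^C:\\(?:(?:WINDOWS|WINNT)\\)?\d+\.cpl$', re.IGNORECASE)
# Decoy extension, a run of spaces, then the real "cpl" extension.
# Assumption: five or more spaces counts as "numerous".
PADDED_CPL = re.compile(r'\.[a-z0-9]{2,4}\.?\s{5,}\.?cpl$', re.IGNORECASE)
# One value line of `reg query` output: name, type, data.
REG_LINE = re.compile(r'^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$')


def cpl_run_values(reg_query_output):
    """Return (value name, applet path, numeric_name) for Run values loading a .cpl."""
    hits = []
    for line in reg_query_output.splitlines():
        value = REG_LINE.match(line)
        load = CPL_LOAD.search(value.group("data")) if value else None
        if load:
            path = load.group("path").strip()
            hits.append((value.group("name"), path, bool(NUMERIC_CPL.match(path))))
    return hits


def is_padded_cpl(filename):
    """True when spaces separate a decoy extension from the real cpl extension."""
    return bool(PADDED_CPL.search(filename))


# Constructed sample in `reg query` layout; the first value is the page's example.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    2392    REG_SZ    rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\2392.cpl
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Mixer    REG_SZ    rundll32.exe shell32.dll,Control_RunDLL "C:\Program Files\Audio\mixer.cpl"
"""

if __name__ == "__main__":
    for hit in cpl_run_values(SAMPLE):
        print(hit)
    print(is_padded_cpl("GameCube.Zip." + " " * 40 + "cpl"))
```

A Run value that loads a .cpl is reported either way; the third field separates the numeric-name form this virus uses from other applets, which still deserve a look because legitimate software rarely starts a Control Panel applet at logon.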
