W32/Duni.A
Analysis
- Virus is 32-bit, with a size of 236,032 bytes, and
is UPX compressed
- Virus writes a copy of itself to both the root
of drive C: and to the Windows folder, then modifies
the registry to run at Windows startup - the file
name used will be a random name made of numbers with
a .CPL extension such as "2392.cpl", as
in this example -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2392 = rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\2392.cpl
- Virus may spread via email or within the Kazaa network
- Virus determines the location of Kazaa shared
files, creates numerous files in that folder with
suggestive names such that users searching for
similar names might locate them and ultimately
download and run them -
AgeOfEmpires2_Crack.cpl
AllMcAfeeCrack.Cpl
AnalPasswords.cpl
AVP_KeyActualization2002.ZIP.(numerous spaces)cpl
AVP_Spanish.cpl
AXEbahia.cpl
B.cpl
BinladenFuckinBillGates.cpl
BioHazard.cpl
Britney_spearsVSDavidBeckham_AnalPasions.cpl
Crack.PerAntivirus.Zip.(numerous spaces)cpl
DivResidentEvil.ZIP.cpl
ElvisDesktop.cpl
fullvideo_anal_action.zIP.(numerous spaces)cpl
GameCube.Zip.(numerous spaces)cpl
Hacking.cpl
HardXCore.cpl
JamieThomasVSrodneyMullen.cpl
LagWagon&Blink182.cpl
Mames.Zip.cpl.?Crack_Delphi5and6.Zip.(numerous spaces)cpl
MariguanaDesktop.cpl
Messenger_skins.ZIP.(numerous spaces)cpl
muertes_videos.cpl
NewVideo_Blink182.cpl
NuevosVideosProfesorRossa.cpl
PhotoShop6.xCrack.cpl
Porno_sTar.cpl.:CannibalCorpse.MP3.(numerous spaces)cpl
PSX2_Emulation.Zip.(numerous spaces)cpl
PSX2EmulatorFree.Zip.(numerous spaces)cpl
sexo_anal_full_video.cpl
sexo_en_la_calle.cpl
sexo_oriental_full_video.cpl
Sickofitall.Zip.(numerous spaces)cpl
SpidermanDesktop.cpl
terminator2.cpl
VideoPortoSeguro.cpl
VisualBasic.Net.cpl
Z.cpl
Zidane.Taliban.cpl
ZoneAlarmCrack.cpl
- Virus contains instructions to gather email addresses from MSN Messenger contact names and sends a copy of the virus to those addresses using SMTP - the subject line may be something in the Spanish language, and the file attachment may have one of these names -
788782.cpl
Adulterio_en_tus_narices.cpl
analpasswords.cpl
billgatesscream.cpl
binladenDT.cpl
como_como.cpl
comoolvidarte.cpl
Cristo.cpl
cristo2002.cpl
estesoyyo.cpl
Fifaladen.cpl
gooooooool.cpl
jack.cpl
listado_de_hoaxes.cpl
listado_de_porquerias.cpl
lomasimportante.cpl
mcaffehoaxlist.cpl
mentiras_en_hotmail.cpl
mentiras_mails.cpl
milposiciones.cpl
milvidas.cpl
mundial.cpl
paulinasex.cpl
poema_angelical.cpl
por_ahi_noooooo.cpl
portymore.cpl
postal_de_mi_alma.cpl
quien_como_tu.cpl
scarycrai.cpl
secretarias.cpl
sere_yo_uno_de_esos.cpl
sickofitall.cpl
siemprevivir@setnet.cpl
test_secretontas.cpl
testdeamor.cpl
tetris2002.cpl
vidaymuerte.cpl
zandias_meloones.cpl
zapato_en_el_culo.cpl
zorrita.cpl
- Virus name or aliases are derived from strings
found in the virus-
"unidadworm"
"kiltro2.dll"
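A detection sketch for the two artifacts described above, the Run value and the decoy .cpl names in the Kazaa shared folder. This is an added example, not vendor code. It assumes the Run values and file names have already been exported as strings, that the value name equals the numeric file stem as in the page's example, and that the "(numerous spaces)" padding is literal spaces. Function names and sample data are constructed.

```python
import re

# Run value shaped like the page's example: rundll32 + shell32.dll,Control_RunDLL
# loading a numerically named .cpl from a drive path.
RUN_CMD = re.compile(
    r'^rundll32(?:\.exe)?\s+shell32(?:\.dll)?\s*,\s*Control_RunDLL\s+'
    r'"?(?P<path>[A-Za-z]:\\(?:[^\\"]+\\)*(?P<stem>\d+)\.cpl)"?\s*$',
    re.IGNORECASE,
)
# Decoy extension (.zip/.mp3) followed by dots and/or spaces, then the real "cpl".
DECOY = re.compile(r'\.(?P<fake>zip|mp3)(?P<pad>[\s.]+)cpl$', re.IGNORECASE)


def suspicious_run_values(values):
    """values: (name, data) pairs exported from HKCU\\...\\CurrentVersion\\Run.
    Returns the .cpl paths whose numeric value name equals the file stem."""
    hits = []
    for name, data in values:
        m = RUN_CMD.match(data.strip())
        if m and name.strip().isdigit() and name.strip() == m.group("stem"):
            hits.append(m.group("path"))
    return hits


def classify_shared_file(filename):
    """Classify a name from a P2P shared folder.
    Returns 'padded-decoy', 'decoy', 'cpl' or None (not a .cpl at all)."""
    m = DECOY.search(filename)
    if m and "." in m.group("pad"):
        # A run of spaces pushes the real extension out of a narrow file list.
        padded = re.search(r"\s{2,}", m.group("pad")) is not None
        return "padded-decoy" if padded else "decoy"
    return "cpl" if filename.lower().endswith(".cpl") else None


# Constructed sample data: the first Run value is the page's example,
# the others are benign look-alikes.
SAMPLE_RUN = [
    ("2392", r"rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\2392.cpl"),
    ("Desk", r"rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\system32\desk.cpl"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = ["GameCube.Zip.          cpl", "DivResidentEvil.ZIP.cpl",
                "Hacking.cpl", "song.mp3"]

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN))
    print({f: classify_shared_file(f) for f in SAMPLE_FILES})
```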