Computer threads and malicious software description



Category: Malware

Parameters: Size: 233472; Platform: W32

Short description drops different own copies in the donwload’s folders of Peer-to-Peer applications

Long description

The behavior of malware initially involves users of peer-to-peer (P2P) applications.

It checks for the presence of these P2P configuration files and configuration registry entries to find the name of the directory where the the downloaded files are stored:

%appdata%\morpheus ultra\morphconfig.ini

After that it looks for executable files of P2P applications and starts them:

%programfiles%\morpheus ultra\morpheus.exe

It checks the folder where LimeWire’s file are saved. The check of this directory for availability of BearShare, Morpheus, Morpheus Ultra and Shareaza applications is done after some of these executables files: bearshare.exe, morpheus.exe or shareaza.exe are started as a processes.

It creates hidden folder with the name "_" , where the folder for writing is placed by default.

To continue its activity, the dropper checks if %alluserstartup%\wmplayer.exe is started.

If NO it displays the following message and exits:

"Windows Media Player"
"Media player cannot play file codec is missing"

If YESА, it checks for the presence of some of the following files in the system folder:

p2pnetwork.exe csrrs.exe

If these files are not found, it drops and starts the file %windows%\b.exe.

It locks the following system tools to prevent the easy removing of its payload program:


When the mentioned above applications are started, the following message is displayed:

[application name]
"Another program is currently using this file"

СAfter that it drops won copy under name "yesyesyesyes.exe" in the new folder in already created folder "_".

It download the page:[removed]ads/page[random numbers]-mp3.php

It transfer the files to take the title of movies and music. After that it uses these name when creating own copy in the writing directory.