Win32/Peerfrag [Threat Name]

Win32/Peerfrag.FM [Threat Variant Name]

Category worm
Size 188416 B
Detection created Dec 10, 2009
Detection database version 4677
Aliases P2P-Worm.Win32.Palevo.kxw (Kaspersky)
  Trojan:Win32/Meredrop (Microsoft)
  W32/Worm.AXQX (F-Prot)
Short description

Win32/Peerfrag.FM is a worm that spreads via P2P networks. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm creates the following folder:

  • %systemdrive%\RECYCLER\S-1-5-21-%variable%\

A string with variable content is used instead of %variable%.

The following files are dropped in the same folder:

  • wnzip32.exe (188416 B)
  • Desktop.ini

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Taskman" = "%systemdrive%\S-1-5-21-%variable%\wnzip32.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "explorer.exe,%systemdrive%\S-1-5-21-%variable%\wnzip32.exe"

Spreading

The worm creates the following folders:

  • %drive%\system32\

The following files are dropped in the same folder:

  • autorun.exe (188416 B)
  • Desktop.ini

The worm creates the following file:

  • %drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
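The two persistence mechanisms described above (the Winlogon "Taskman"/"Shell" values and the autorun.inf plus system32\autorun.exe pair on removable media, together with the RECYCLER drop folder) can be checked for on a host with the following script. It is an added defensive example, not ESET's code and not part of the original description; the wildcard "S-1-5-21-*" for the variable folder suffix, the treatment of an absent per-user "Shell" value as normal, and the choice to flag any "Taskman" value at all are assumptions made for the check.

```powershell
# Added example (not ESET's code): report indicators of the persistence
# mechanisms described for Win32/Peerfrag.FM. Folder and value names follow
# the description; "S-1-5-21-*" is an assumed wildcard for %variable%.
function Test-PeerfragIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Winlogon values. "Taskman" is normally absent; a per-user "Shell"
    #    value is normally absent or exactly "explorer.exe". Anything else
    #    (for example "explorer.exe,<path>\wnzip32.exe") is reported.
    $winlogon = @(
        @{ Hive = 'HKLM:'; Name = 'Taskman' },
        @{ Hive = 'HKCU:'; Name = 'Shell' }
    )
    foreach ($w in $winlogon) {
        $key  = "$($w.Hive)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $prop = Get-ItemProperty -Path $key -Name $w.Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }
        $value = [string]$prop.($w.Name)
        $ok = ($w.Name -eq 'Shell' -and $value.Trim() -ieq 'explorer.exe')
        if (-not $ok) {
            $findings += [pscustomobject]@{
                Indicator = "Winlogon $($w.Name)"
                Location  = $key
                Detail    = $value
            }
        }
    }

    # 2. Drop folder: %systemdrive%\RECYCLER\S-1-5-21-<variable>\wnzip32.exe
    $dropGlob = Join-Path (Join-Path $env:SystemDrive 'RECYCLER') 'S-1-5-21-*'
    foreach ($dir in @(Get-ChildItem -Path $dropGlob -Directory -ErrorAction SilentlyContinue)) {
        $exe = Join-Path $dir.FullName 'wnzip32.exe'
        if (Test-Path -LiteralPath $exe) {
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file'
                Location  = $exe
                Detail    = "size $((Get-Item -LiteralPath $exe).Length) B"
            }
        }
    }

    # 3. Removable drives (DriveType 2): autorun.inf at the root and the
    #    system32\autorun.exe it is described as launching.
    foreach ($disk in @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue)) {
        $root = "$($disk.DeviceID)\"
        $inf  = Join-Path $root 'autorun.inf'
        $exe  = Join-Path $root 'system32\autorun.exe'
        if (Test-Path -LiteralPath $inf) {
            $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Indicator = 'autorun.inf'
                Location  = $inf
                Detail    = if ($text -match 'autorun\.exe') { 'references autorun.exe' } else { 'present' }
            }
        }
        if (Test-Path -LiteralPath $exe) {
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file'
                Location  = $exe
                Detail    = "size $((Get-Item -LiteralPath $exe).Length) B"
            }
        }
    }

    return $findings
}

# Usage: prints one row per finding; an empty result means none of the
# described indicators were found.
Test-PeerfragIndicators | Format-Table -AutoSize
```

The script only reads registry values and file metadata, so it is safe to run on a suspect machine before any cleanup; a non-empty result is a prompt to quarantine the listed files and restore the Winlogon values, not a confirmation of this specific variant, since other malware families use the same locations.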

Spreading via P2P networks

Win32/Peerfrag.FM is a worm that spreads via P2P networks.
The worm searches for shared folders of the following programs:

  • Ares Galaxy
  • BearShare
  • DC++
  • eMule
  • eMule Plus
  • iMesh
  • Kazaa
  • LimeWire
  • Shareaza

It tries to place a copy of itself into the folders.

Spreading via IM networks

The worm sends links to MSN Messenger users.
If the link is clicked a copy of the worm is downloaded.

Other information

The worm acquires data and commands from a remote computer or the Internet. It can be controlled remotely.
The worm connects to the following addresses:

  • sub7.ahdjejgf.com (UDP:1221)

It can execute the following operations:

  • perform DoS/DDoS attacks
  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via shared folders and P2P networks
  • spread via MSN network
  • perform port scanning

The worm collects the following information:

  • computer name
  • user name
  • network adapter information
  • operating system version
  • Mozilla Firefox account information
  • Windows Protected Storage passwords and credentials

The worm can send the information to a remote machine.
The worm may create and run a new thread with its own program code within any running process.
