Win32/Kapucen [Threat Name]
Win32/Kapucen.E [Threat Variant Name]
Category | worm |
Size | 106496 B |
Aliases | P2P-Worm.Win32.Kapucen.ac (Kaspersky) |
 | WORM_KAPUCEN.AF (TrendMicro) |
 | Worm:Win32/Puce.gen!B (Microsoft) |
Short description
Win32/Kapucen.E is a worm that spreads by inserting a copy of itself into RAR and ZIP archives.
Installation
When executed, the worm copies itself into the following location:
- %temp%\svchost.exe
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "WindowsServicesStartup" = "%temp%\svchost.exe"
Other information
The worm searches local and network drives for files with one of the following extensions:
- .rar
- .zip
Only the following folders are searched:
- C:\Archivos de programa\emule\incoming
- C:\Download
- C:\Incoming
- C:\My Downloads
- C:\My Shared Folder
- C:\Program files\appleJuice\incoming
- C:\Program files\BearShare\Shared
- C:\Program files\Edonkey2000\Incoming
- C:\Program files\emule\incoming
- C:\Program files\Gnucleus\Downloads
- C:\Program files\Grokster\My Grokster
- C:\Program files\ICQ\shared files
- C:\Program Files\Kazaa Lite K++\My Shared Folder
- C:\Program files\KaZaA Lite\My Shared Folder
- C:\Program files\KaZaA\My Shared Folder
- C:\Program files\KMD\My Shared Folder
- C:\Program files\LimeWire\Shared
- C:\Program files\Morpheus\My Shared Folder
- C:\Program files\Overnet\incoming
- C:\Program files\Rapigator\Share
- C:\Program files\Shareaza\Downloads
- C:\Program files\Swaptor\Download
- C:\Program files\Tesla\Files
- C:\Program files\WinMX\My Shared Folder
- C:\Program files\XoloX\Downloads
- C:\Téléchargement
- D:\Archivos de programa\emule\incoming
- D:\Download
- D:\Incoming
- D:\My Downloads
- D:\My Shared Folder
- D:\Program files\appleJuice\incoming
- D:\Program files\BearShare\Shared
- D:\Program files\Edonkey2000\Incoming
- D:\Program files\emule\incoming
- D:\Program files\Gnucleus\Downloads
- D:\Program files\Grokster\My Grokster
- D:\Program files\ICQ\shared files
- D:\Program Files\Kazaa Lite K++\My Shared Folder
- D:\Program files\KaZaA Lite\My Shared Folder
- D:\Program files\KaZaA\My Shared Folder
- D:\Program files\KMD\My Shared Folder
- D:\Program files\LimeWire\Shared
- D:\Program files\Morpheus\My Shared Folder
- D:\Program files\Overnet\incoming
- D:\Program files\Rapigator\Share
- D:\Program files\Shareaza\Downloads
- D:\Program files\Swaptor\Download
- D:\Program files\Tesla\Files
- D:\Program files\WinMX\My Shared Folder
- D:\Program files\XoloX\Downloads
- D:\Téléchargement
- E:\Archivos de programa\emule\incoming
- E:\Download
- E:\Incoming
- E:\My Downloads
- E:\My Shared Folder
- E:\Program files\appleJuice\incoming
- E:\Program files\BearShare\Shared
- E:\Program files\Edonkey2000\Incoming
- E:\Program files\emule\incoming
- E:\Program files\Gnucleus\Downloads
- E:\Program files\Grokster\My Grokster
- E:\Program files\ICQ\shared files
- E:\Program Files\Kazaa Lite K++\My Shared Folder
- E:\Program files\KaZaA Lite\My Shared Folder
- E:\Program files\KaZaA\My Shared Folder
- E:\Program files\KMD\My Shared Folder
- E:\Program files\LimeWire\Shared
- E:\Program files\Morpheus\My Shared Folder
- E:\Program files\Overnet\incoming
- E:\Program files\Rapigator\Share
- E:\Program files\Shareaza\Downloads
- E:\Program files\Swaptor\Download
- E:\Program files\Tesla\Files
- E:\Program files\WinMX\My Shared Folder
- E:\Program files\XoloX\Downloads
- E:\Téléchargement
- F:\Incoming
- G:\Incoming
- %drive%:\
- %networkfolder%
The worm inserts a copy of itself into RAR and ZIP archives.
The following filename is used:
- setup.exe
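The following triage sketch is an added example, not part of the original description: it sweeps a folder for ZIP archives that contain a member named setup.exe and flags those whose uncompressed size equals the 106496 B listed above. It assumes the inserted copy has the same size as the analysed sample; a name match alone is only a weak signal, since many legitimate archives ship a setup.exe. RAR archives are not covered because the Python standard library cannot read them. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

WORM_NAME = "setup.exe"   # filename given on this page
WORM_SIZE = 106496        # sample size in bytes given on this page (assumed for the copy)

def suspicious_members(zf):
    """Return (member, size, exact_size_match) for each member named setup.exe."""
    hits = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        # Compare only the final path component, case-insensitively.
        base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() == WORM_NAME:
            hits.append((info.filename, info.file_size,
                         info.file_size == WORM_SIZE))
    return hits

def scan_folder(folder):
    """Walk a folder tree and report ZIP archives containing a setup.exe member."""
    report = {}
    for path in Path(folder).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".zip":
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                hits = suspicious_members(zf)
        except (zipfile.BadZipFile, OSError):
            continue  # corrupt or unreadable archive: skip it, keep sweeping
        if hits:
            report[str(path)] = hits
    return report

def constructed_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)

if __name__ == "__main__":
    sample = constructed_zip({"album/track01.mp3": b"x" * 10,
                              "setup.exe": b"\0" * WORM_SIZE})
    print(suspicious_members(sample))
```

Archives flagged with an exact size match should be handed to the endpoint scanner for confirmation rather than deleted on this heuristic alone.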
Other information
The worm may create the text file:
- Log.txt