W32/Duni.C
Analysis
- Virus is 32-bit, 169,984 bytes in size, and UPX compressed.
- When run, the virus may display a fake error message with this content –
(x) Division by zero.
[OK]
- Virus writes itself to the local drive, into the Windows folder, under the following file names –
Cristo_Nos_Enseña.Doc.pif
EnLosAndes.pif
Facturas556.XLS.pif
List.txt.by.Microsoft.com
Listado.txt.by.Microsoft.com
PostalDeAmistad.pif
ReparacionDeMessenger.DOC.pif
TestDeAmoryAmistad.DOC.pif
YaNoPuedoSerYoMismo.DOC.pif
- Virus may spread via email or within the Kazaa network. It determines the location of the Kazaa shared folder and creates numerous copies of itself there under enticing names (cracks, serials, emulators, adult video), so that users searching for such content locate them, download them and ultimately run them –
"         .exe" (nine spaces followed by the .exe extension; the name appears blank in a file listing)
AVP40Crack.exe
AVP-SpanishPatch.exe
CopyPSXgamesV12.exe
CounterStrikeMoreServers.exe
GameCube-FreeEmulator.exe
GamesPSX2Emulator.exe
HackTools.exe
Jedi2-FullCrack.exe
"kmd200_en.exe         .exe" (nine spaces again, between "kmd200_en.exe" and the real .exe extension)
MessengerSkins29.exe
MP3EncoderDecoder58.exe
PandaAllCracks.exe
PSX2-Emulator.exe
PSXEmulator_Full.exe
ResidentEvil-Crack.exe
Sexo-Asiatico-FullVideo.exe
SexoenlaCalle-Video.exe
W98ToXpActualization.exe
WindowsXP-Serials.exe
X-Box_Emulator.exe
- Virus drops a VBScript file (detected as VBS/Duni.C) in the root of drive C named "BanderaNegra.vbs", 1249 bytes in size. Its purpose is to start Outlook and send a copy of the virus to every contact in the address book, but due to a bug in the script the attachment is never actually sent. The message it composes is –
Subject: "Es posible que nos roben la identidad." (English: "It is possible that our identity will be stolen.")
Body:
"lee el documento y veras que puede ser verdad, luego enviaselo a tus amigos para que no les suceda eso." (English: "read the document and you will see that it may be true, then send it to your friends so that it does not happen to them.")
Intended attachment: "YaNoPuedoSerYoMismo.DOC.pif"
- Virus may delete the startup configuration file AUTOEXEC.BAT, and may also delete any .EXE file residing in the Kazaa shared folder.
- Virus creates and modifies several keys and values in the registry –
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\
"Folder" = 56
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"BNexe" = (WINDOWS)\YaNoPuedoSerYoMismo.DOC.pif
"KAZAAkCuF" = 9
"PAV.EXE" = 56
"Zonavirus" = 0
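The indicators above (Windows-folder drop names, Kazaa lure names including the two with nine padding spaces, the VBS dropper in the root of C:, and the Run-key and marker values) can be checked mechanically. The following is an added example written for this page, not code from the original analysis or from any vendor; it runs offline over a constructed host snapshot, and on a real machine the caller would fill the same structure from `os.listdir()` and `winreg` (an assumption, since the page does not describe how the Kazaa share path is found). The `disguised_extension` heuristic goes beyond the fixed name lists and flags the general masquerades the lists exhibit (whitespace-padded stems and document-then-executable double extensions); the `EXEC_EXTS` and `DOC_EXTS` sets it uses are assumed, not from the page.

```python
"""Offline IOC check for the W32/Duni.C indicators in the description above.
Added example, not code from the original analysis. Host data is constructed
so the script runs anywhere; on a live host the listings and registry values
would come from os.listdir() and winreg (assumption: the caller supplies them)."""
from __future__ import annotations
from dataclasses import dataclass

NINE_SPACES = " " * 9

# File names written into the Windows folder (from the description).
WINDOWS_DROP_NAMES = {
    "Cristo_Nos_Enseña.Doc.pif", "EnLosAndes.pif", "Facturas556.XLS.pif",
    "List.txt.by.Microsoft.com", "Listado.txt.by.Microsoft.com",
    "PostalDeAmistad.pif", "ReparacionDeMessenger.DOC.pif",
    "TestDeAmoryAmistad.DOC.pif", "YaNoPuedoSerYoMismo.DOC.pif",
}
# Lure names planted in the Kazaa share; two hide the real extension behind spaces.
KAZAA_LURE_NAMES = {
    NINE_SPACES + ".exe", "AVP40Crack.exe", "AVP-SpanishPatch.exe",
    "CopyPSXgamesV12.exe", "CounterStrikeMoreServers.exe",
    "GameCube-FreeEmulator.exe", "GamesPSX2Emulator.exe", "HackTools.exe",
    "Jedi2-FullCrack.exe", "kmd200_en.exe" + NINE_SPACES + ".exe",
    "MessengerSkins29.exe", "MP3EncoderDecoder58.exe", "PandaAllCracks.exe",
    "PSX2-Emulator.exe", "PSXEmulator_Full.exe", "ResidentEvil-Crack.exe",
    "Sexo-Asiatico-FullVideo.exe", "SexoenlaCalle-Video.exe",
    "W98ToXpActualization.exe", "WindowsXP-Serials.exe", "X-Box_Emulator.exe",
}
VBS_DROPPER = ("BanderaNegra.vbs", 1249)           # name and size in bytes
RUN_VALUE, RUN_PAYLOAD = "BNexe", "YaNoPuedoSerYoMismo.DOC.pif"
MARKER_VALUES = {"KAZAAkCuF": "9", "PAV.EXE": "56", "Zonavirus": "0"}
KASPERSKY_MARKER = ("Folder", "56")                # under ...\KasperskyLab\SharedFiles
# Assumed generic extension sets for the heuristic below (not from the page).
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat"}
DOC_EXTS = {".doc", ".xls", ".txt", ".pdf", ".jpg", ".mp3"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def disguised_extension(name: str) -> str | None:
    """Generalises the masquerades in the lists above. Returns a reason or None."""
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or "." + ext not in EXEC_EXTS:
        return None
    if stem.strip() == "":
        return "whitespace-only stem before executable extension"
    if stem != stem.rstrip():
        return "executable extension hidden behind trailing spaces"
    if "." in stem and "." + stem.rpartition(".")[2] in DOC_EXTS:
        return "document extension followed by executable extension"
    return None


def scan_names(names: list[str], location: str, known: set[str]) -> list[Finding]:
    out = []
    for n in names:
        if n in known:
            out.append(Finding("known-name", f"{location}: {n!r}"))
        elif (why := disguised_extension(n)):
            out.append(Finding("disguised-extension", f"{location}: {n!r} ({why})"))
    return out


def scan_root(root_files: dict[str, int]) -> list[Finding]:
    """root_files maps file names in the root of C: to their size in bytes."""
    name, size = VBS_DROPPER
    for n, s in root_files.items():
        if n.lower() == name.lower():
            note = "size matches" if s == size else f"size {s} differs from {size}"
            return [Finding("vbs-dropper", f"C:\\{n} ({note})")]
    return []


def scan_registry(run_values: dict[str, str], kaspersky_values: dict[str, str]) -> list[Finding]:
    out = []
    for name, data in run_values.items():
        if name == RUN_VALUE and str(data).lower().endswith(RUN_PAYLOAD.lower()):
            out.append(Finding("run-key", f"Run\\{name} = {data}"))
        elif name in MARKER_VALUES and str(data) == MARKER_VALUES[name]:
            out.append(Finding("marker-value", f"Run\\{name} = {data}"))
    if kaspersky_values.get(KASPERSKY_MARKER[0]) == KASPERSKY_MARKER[1]:
        out.append(Finding("marker-value", "KasperskyLab\\SharedFiles\\Folder = 56"))
    return out


def assess(host: dict) -> list[Finding]:
    return (scan_names(host["windows_dir"], "Windows folder", WINDOWS_DROP_NAMES)
            + scan_names(host["kazaa_shared"], "Kazaa share", KAZAA_LURE_NAMES)
            + scan_root(host["c_root"])
            + scan_registry(host["run_values"], host["kaspersky_values"]))


def is_infected(host: dict) -> bool:
    """Strong indicators only; a lone disguised name or marker value warrants review, not a verdict."""
    return any(f.kind in {"known-name", "run-key", "vbs-dropper"} for f in assess(host))


# Constructed sample host state (not captured from a real machine).
SAMPLE_HOST = {
    "windows_dir": ["explorer.exe", "YaNoPuedoSerYoMismo.DOC.pif", "Facturas556.XLS.pif"],
    "kazaa_shared": ["song.mp3", NINE_SPACES + ".exe", "kmd200_en.exe" + NINE_SPACES + ".exe",
                     "PSX2-Emulator.exe", "Invoice.XLS.scr"],
    "c_root": {"BanderaNegra.vbs": 1249},
    "run_values": {"BNexe": r"C:\WINDOWS\YaNoPuedoSerYoMismo.DOC.pif", "KAZAAkCuF": "9",
                   "Zonavirus": "0", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "kaspersky_values": {"Folder": "56"},
}

if __name__ == "__main__":
    for f in assess(SAMPLE_HOST):
        print(f"[{f.kind}] {f.detail}")
    print("infected:", is_infected(SAMPLE_HOST))
```

Exact-name matches, the Run value pointing at the dropped .pif, and the 1249-byte VBS in the root of C: are treated as conclusive; the whitespace-padding and double-extension heuristic is deliberately reported separately, since it will also flag unrelated files that use the same trick.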