W32/Duni.C

Analysis

  • The virus is a 32-bit Windows executable, 169,984 bytes in size, and is UPX compressed
  • When run, the virus may display a fake error message with this content –

    (x) Division by zero.

    [OK]

  • The virus copies itself to the local drive, into the Windows folder, under several different file names –

    Cristo_Nos_Enseña.Doc.pif
    EnLosAndes.pif
    Facturas556.XLS.pif
    List.txt.by.Microsoft.com
    Listado.txt.by.Microsoft.com
    PostalDeAmistad.pif
    ReparacionDeMessenger.DOC.pif
    TestDeAmoryAmistad.DOC.pif
    YaNoPuedoSerYoMismo.DOC.pif

  • The virus may spread via email or via the Kazaa network. It locates the Kazaa shared-files folder and creates numerous copies of itself there under enticing names (cracks, emulators, serials, adult video), so that users searching for similar terms may find, download and run them –

    “ .exe” <= nine spaces followed by .exe extension
    AVP40Crack.exe
    AVP-SpanishPatch.exe
    CopyPSXgamesV12.exe
    CounterStrikeMoreServers.exe
    GameCube-FreeEmulator.exe
    GamesPSX2Emulator.exe
    HackTools.exe
    Jedi2-FullCrack.exe
    kmd200_en.exe .exe <= nine spaces again
    MessengerSkins29.exe
    MP3EncoderDecoder58.exe
    PandaAllCracks.exe
    PSX2-Emulator.exe
    PSXEmulator_Full.exe
    ResidentEvil-Crack.exe
    Sexo-Asiatico-FullVideo.exe
    SexoenlaCalle-Video.exe
    W98ToXpActualization.exe
    WindowsXP-Serials.exe
    X-Box_Emulator.exe

  • The virus drops a VBScript file (detected as VBS/Duni.C) in the root of drive C, named “BanderaNegra.vbs”, with a size of 1249 bytes. Its purpose is to launch Outlook and send a copy of the virus to all contacts in the address book, but because of a bug in the script the attachment is never actually sent. The intended message is –
    Subject: "Es posible que nos roben la identidad."
    Body:
    "lee el documento y veras que puede ser verdad, luego enviaselo a tus amigos para que no les suceda eso."
    Intended attachment: "YaNoPuedoSerYoMismo.DOC.pif"

  • The virus may delete the startup configuration file AUTOEXEC.BAT and may also delete any .EXE files that reside in the Kazaa shared folder

  • The virus creates and modifies several registry keys and values ((WINDOWS) denotes the Windows folder) –
    HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\
    "Folder" = 56
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "BNexe" = (WINDOWS)\YaNoPuedoSerYoMismo.DOC.pif
    "KAZAAkCuF" = 9
    "PAV.EXE" = 56
    "Zonavirus" = 0
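
The dropped-file names, the Kazaa lure names and the registry values listed above can all be turned into a simple host triage check. The following Python script is an added example written for this page and is not part of the original description or of any vendor tool: it hard-codes the indicators as given above, adds three generic heuristics the Duni.C names illustrate (a document extension followed by an executable one such as .DOC.pif, a run of spaces before .exe, and a fake “.by.Microsoft.com” suffix), and runs them over a constructed directory listing and a constructed set of Run-key values. The file paths, the benign file names and the Run entry "ctfmon.exe" in the sample data are assumptions made for the example.

```python
import re
from typing import Dict, List

# Indicators copied from the W32/Duni.C description above.
WINDOWS_DROP_NAMES = {
    "Cristo_Nos_Enseña.Doc.pif", "EnLosAndes.pif", "Facturas556.XLS.pif",
    "List.txt.by.Microsoft.com", "Listado.txt.by.Microsoft.com",
    "PostalDeAmistad.pif", "ReparacionDeMessenger.DOC.pif",
    "TestDeAmoryAmistad.DOC.pif", "YaNoPuedoSerYoMismo.DOC.pif",
}
KAZAA_LURE_NAMES = {
    " " * 9 + ".exe", "AVP40Crack.exe", "AVP-SpanishPatch.exe",
    "CopyPSXgamesV12.exe", "CounterStrikeMoreServers.exe",
    "GameCube-FreeEmulator.exe", "GamesPSX2Emulator.exe", "HackTools.exe",
    "Jedi2-FullCrack.exe", "kmd200_en.exe" + " " * 9 + ".exe",
    "MessengerSkins29.exe", "MP3EncoderDecoder58.exe", "PandaAllCracks.exe",
    "PSX2-Emulator.exe", "PSXEmulator_Full.exe", "ResidentEvil-Crack.exe",
    "Sexo-Asiatico-FullVideo.exe", "SexoenlaCalle-Video.exe",
    "W98ToXpActualization.exe", "WindowsXP-Serials.exe", "X-Box_Emulator.exe",
}
DROPPED_SCRIPT = "BanderaNegra.vbs"
RUN_VALUE_NAMES = {"BNexe", "KAZAAkCuF", "PAV.EXE", "Zonavirus"}

# Generic heuristics that the Duni.C file names illustrate.
DOUBLE_EXT_RE = re.compile(r"\.(doc|xls|txt)\.(pif|exe|scr|com)$", re.I)
SPACE_PAD_RE = re.compile(r"\s{2,}\.exe$", re.I)
FAKE_DOMAIN_RE = re.compile(r"\.by\.microsoft\.com$", re.I)


def classify_filename(path: str) -> List[str]:
    """Return the reasons (possibly none) a file name looks like a Duni.C artefact."""
    base = re.split(r"[\\/]", path)[-1]  # keep leading spaces: they are the indicator
    reasons = []
    if base in WINDOWS_DROP_NAMES:
        reasons.append("known Duni.C drop name")
    if base in KAZAA_LURE_NAMES:
        reasons.append("known Duni.C Kazaa lure name")
    if base.lower() == DROPPED_SCRIPT.lower():
        reasons.append("known Duni.C mailer script")
    if DOUBLE_EXT_RE.search(base):
        reasons.append("document extension hiding an executable extension")
    if SPACE_PAD_RE.search(base):
        reasons.append("whitespace-padded .exe")
    if FAKE_DOMAIN_RE.search(base):
        reasons.append("fake .by.Microsoft.com suffix")
    return reasons


def check_run_values(values: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag HKLM\\...\\Run values by the names Duni.C uses or by a .pif target."""
    hits: Dict[str, List[str]] = {}
    for name, data in values.items():
        reasons = []
        if name in RUN_VALUE_NAMES:
            reasons.append("Run value name used by Duni.C")
        if data.lower().endswith(".pif"):
            reasons.append("Run entry launches a .pif file")
        if reasons:
            hits[name] = reasons
    return hits


def triage(listing: List[str], run_values: Dict[str, str]) -> Dict[str, dict]:
    """Combine both checks into one report of flagged files and Run values."""
    files = {p: r for p in listing if (r := classify_filename(p))}
    return {"files": files, "run": check_run_values(run_values)}


# Constructed sample input (not from a real host); paths are assumptions.
SAMPLE_LISTING = [
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\YaNoPuedoSerYoMismo.DOC.pif",
    r"C:\BanderaNegra.vbs",
    r"C:\Program Files\Kazaa\My Shared Folder\WindowsXP-Serials.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\         .exe",
    r"C:\Program Files\Kazaa\My Shared Folder\holiday.mp3",
]
SAMPLE_RUN_VALUES = {
    "BNexe": r"C:\WINDOWS\YaNoPuedoSerYoMismo.DOC.pif",
    "KAZAAkCuF": "9",
    "PAV.EXE": "56",
    "Zonavirus": "0",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # assumed benign entry
}

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING, SAMPLE_RUN_VALUES)
    for path, reasons in report["files"].items():
        print(f"FILE {path!r}: {', '.join(reasons)}")
    for name, reasons in report["run"].items():
        print(f"RUN  {name}: {', '.join(reasons)}")
```

The generic heuristics matter more than the exact name list: a renamed copy of the virus still shows the “.DOC.pif” double extension or the space-padded “.exe”, while a Run value that points at any .pif in the Windows folder is worth a look regardless of the value name. Note that `classify_filename` deliberately does not strip whitespace from the base name, since the nine-space name is only detectable if the spaces are preserved.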
