W32/Cazaar!p2p
- Type: Virus
- SubType: Peer To Peer
- Discovery Date: 11/29/2005
- Minimum DAT: 4639 (11/29/2005)
- Updated DAT: 4723 (03/21/2006)
- Minimum Engine: 5.1.00
- Description Added: 11/29/2005
- Description Modified: 03/21/2006 9:57 PM (PT)
Characteristics
W32/Cazaar!p2p is a worm that propagates via the Kazaa peer-to-peer file sharing application. To entice users into downloading and executing it, the worm uses names of popular games and applications for its dropped copy.
Upon execution, it creates a copy of itself in the Windows directory using a random filename:
%Windir%\(Random Filename)
Adds the following registry values so that it auto-starts when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Default" = "%Windir%\(Random Filename)"
Creates multiple copies of itself in the root of C:\, using the names of popular games and applications:
Adobe Photoshop CS2 Keygen+Crack[New].exe
BF1942 Battlefield 1942 [[Crack/Patch]].exe
Call Of Duty 2 [Official Release] (Crack+Patch).exe
Counter-Strike Source Patch+Serial [ACTIVE].exe
DeadAIM.exe
GRAND THEFT AUTO San Andreas [[Patch]]+[[Serial]].exe
Macromedia Dreamweaver MX [(Latest!)] [[Keygen+Patch]] NO SERIAL NEEDED.exe
Microsoft Office XP [(Pro Version)] KEYGEN + ACTIVATION CRACK.exe
Patch - LimeWire to LimeWire Pro [[LATEST]].exe
Symantec Partition Magic [[(Patched+Cracked)]].exe
Windows Vista Professional Beta1 Keygen+Crack[New].exe
World of Warcraft [[Keygen+Crack]] NEW.exe
[The Sims 2|The Sims Online] [[(Active~Keygen)]].exe
Modifies the autoexec.bat file to delete the originally executed copy of the worm.
Note: This technique works only on Win9x systems.
Symptoms
Overwrites the HOSTS file to prevent access to the following websites, most of which are antivirus and security related.
The following is a list of blocked websites:
The overwritten HOSTS file is detected as W32/Cazaar!hosts.
Attempts to terminate processes whose windows have the following titles:
avast! On-Access Scanner
Ad-aware 6.0 Personal
CCleaner
Control Panel
HijackThis - v1.99.1
Hosts - notepad
McAfee VirusScan Configuration
Norton AntiVirus
Pocket Killbox
Registry Editor
Setup - Hijackthis
Spybot - Search & Destroy
System Configuration Editor
System Configuration Utility
System Restore
Windows CleanUp!
avast! antivirus software - Microsoft Internet Explorer
ewido security suite - Protection against Spyware, Trojans, Dialers, Keyloggers, and other growing threats - Microsoft Internet Explorer
free online virus scanner - Microsoft Internet Explorer
AVG Anti Virus: AVG Free Edition - Microsoft Internet Explorer
Ad-Aware SE Personal - Software - Lavasoft - Microsoft Internet Explorer
BitDefender Free Online Virus Scan - Microsoft Internet Explorer
Computer Associates eTrust Antivirus Web Scanner - Microsoft Internet Explorer
Downloads - The home of Spybot S&D! - Microsoft Internet Explorer
Mcafee - Computer Virus Software and Internet Security For Your PC - Microsoft Internet Explorer
Merijn.org - Microsoft Internet Explorer
Microsoft Corporation - Microsoft Internet Explorer
Panda Activescan, the online scan- Microsoft Internet Explorer
RAV AntiVirus - Scan Online - Microsoft Internet Explorer
Sophos - Protect against viruses, spyware, spam and policy abuse - Microsoft Internet Explorer
Symantec AntiVirus Client - InstallShield Wizard
Symantec Security Check - Microsoft Internet Explorer
Symantec Worldwide Home Page - Microsoft Internet Explorer
Trend Micro - Free online virus Scan - Microsoft Internet Explorer
Method of Infection
W32/Cazaar!p2p modifies the following registry entries to allow it to spread via Kazaa:
HKEY_CURRENT_USER\Software\Kazaa\Kazaa\LocalContent
"Dir0" = "012345:c:"
"DisableSharing" = "0"
"DisableListFiles" = "0"
By changing the above listed entries, the default shared directory of Kazaa is modified to point to the location the worm has dropped copies of itself.
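The Run-key persistence and the Kazaa LocalContent change described above are both visible in a registry export, so a triage script can flag them offline. The following is an added example, not AVERT's or McAfee's own tooling: it parses a constructed .reg-style export (the sample values and the filename qzxvbn.exe are made up for illustration) and reports the indicators this description lists.

```python
import re
# Constructed sample of a .reg export (not from a real host); the values
# mirror those the description attributes to the worm.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Kazaa\Kazaa\LocalContent]
"Dir0"="012345:c:"
"DisableSharing"="0"
"DisableListFiles"="0"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Default"="C:\\WINDOWS\\qzxvbn.exe"
"""
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\Kazaa\LocalContent"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

def parse_reg(text):
    """Minimal parser for the [key] / "name"="value" lines of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if val and current is not None:
            # .reg exports double every backslash inside string data
            keys[current][val.group(1)] = val.group(2).replace("\\\\", "\\")
    return keys

def cazaar_indicators(text):
    """Return findings matching the registry changes described on this page."""
    findings, keys = [], parse_reg(text)
    kz = keys.get(KAZAA_KEY, {})
    # Dir0 is "<flags>:<path>"; a bare drive root as the shared folder is the tell
    path = kz.get("Dir0", "").split(":", 1)[-1]
    if re.fullmatch(r"[A-Za-z]:\\?", path):
        findings.append(f"Kazaa shared folder points at drive root {path}")
    if kz.get("DisableSharing") == "0" and kz.get("DisableListFiles") == "0":
        findings.append("Kazaa sharing and file listing forced on")
    for run_key in RUN_KEYS:
        exe = keys.get(run_key, {}).get("Default", "")
        if re.search(r"\\windows\\[^\\]+\.exe$", exe, re.I):
            findings.append(f'Run value "Default" in {run_key} starts {exe}')
    return findings
```

On a live Windows host the same checks apply to the output of `reg export` for the two hives; a shared folder set to a drive root is the strongest single indicator, since a legitimate Kazaa install shares a subdirectory.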
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- P2P-Worm.Win32.KeyGener (Kaspersky)
- W32.SillyP2P (Symantec)
- W32/KeyGener!p2p (Fortinet)
- Win32.Worm.Patcher.A (BitDefender)
- Win32/Kazaar.A (ESET)