Home / malware Worm.P2P.Dilly.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Worm.P2P.Dilly.A.
Explanation :
The worm is written in Delphi and has an original file size of 790,528 bytes. It spreads thorough the DC++ peer-to-peer network by copying itself to the DC++ shared folders using randomly generated file names which resemble pornographic movie titles and a double extension which ends in .SCR.
The worm locates the DC++ client folder using the registry path HKEY_LOCAL_MACHINESOFTWAREMagnetHandlersDC++, which has a value called ShellExecute containing the path to DCPlusPlus.exe. It then opens the program's configuration file, DcPlusPlus.xml, which it expects to find in the Settings subfolder. From the coniguration file the worm retrieves the list of shared folders.
In the shared folders it has found, the worm stores copies of itself to which it appends random numbers of null bytes in order to better resemble genuine video files. It uses words from the following list to generate random names:
(full), hard, porn, ass, dildo, incest, pedo, fucked, piss, lesbi, girls, angels, r@ygold, preteen, lolita, sex, xxx, rape, bdsm, drunk, 11yo, 10yo. It then appends a fake .WMV, .AVI, .MPG, .MP4 or .MPEG extension and after it the real .SCR extension.
It also generates a "removal" script for all the copies of itself that it creates, which is an unusual behavior for a worm. The script is a batch file with the name generated using the following pattern: [root-folder]:\_undo_[date]_[time].bat. The script contains a delete command for each copy, such as:
del "c:sharedRAPE sex Girls R@YGOLD Xxx angels.MP4.scr"
The original copy of the worm deletes itself using a batch script.Last update 21 November 2011
