W32.Peerload.A


Aliases: P2load.A [Panda Software], WORM_P2LOAD.A [Trend Micro]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 18 Sep 2005
Damage: Medium

Characteristics: W32.Peerload.A was discovered on September 18, 2005. Also known as P2load.A and WORM_P2LOAD.A, this worm spreads by copying itself into the shared folders of file-sharing programs such as Kazaa, eMule and iMesh, relying on other users to download and run it. It affects Windows 95, 98, Me, NT, 2000, XP and Server 2003.

More details about W32.Peerload.A

Once W32.Peerload.A is executed, the worm creates a copy of itself as %System%\winlogin.exe. Note the lookalike name: the legitimate Windows logon process is winlogon.exe, so a file named winlogin.exe in %System% is an indicator in its own right. The worm also copies itself, under the same filename as the worm file that was originally run, into the shared folders of several file-sharing programs, locating those folders by reading the registry values the programs store. It then adds the value "Winlogin" = "%System%\winlogin.exe" to a registry subkey.

The worm also creates a harmless URL file, displays a message box and attempts to open one of the following URLs: [http://]www.p2p-load.de/[REMOVED]/?l=e or [http://]www.p2p-load.de/[REMOVED]/?l=d. It adds three further registry values that change the Internet Explorer search bar, home page and search page.

Finally, the worm creates another harmless URL file and attempts to download one of the following files, replacing the system's hosts file with it: [http://]www.dutty.de/[REMOVED]/stat.dat, [http://]www.meet2k.com/[REMOVED]/stat.dat and [http://]www.p2p-load.de/[REMOVED]/stat.dat. Because the hosts file is consulted before DNS, a replaced hosts file lets the worm silently redirect or block whichever domains the downloaded file lists.

W32.Peerload.A also connects to a pre-specified remote server and retrieves a list of websites hosting further malicious files, which it downloads and installs on the system. Security software vendors report that these may be Remote Access Tools (RATs), adware or spyware. The worm has additionally been reported to block access to security software websites, which is consistent with the hosts-file replacement described above; the likely purpose is to keep anti-malware products from updating.
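The two host-level artefacts described above (a replaced hosts file that sinkholes security-vendor sites, and a registry value pointing at %System%\winlogin.exe) can be triaged offline from a copied hosts file and a .reg export. The following Python is an added example and not code from the original write-up or from any vendor; the domain watchlist, the sample hosts file and the sample .reg fragment are constructed for illustration, and placing the value under a Run key in that sample is an assumption, since the write-up does not name the subkey.

```python
"""Offline triage for the two indicators in the W32.Peerload.A write-up:
a hosts file rewritten to block security-vendor sites, and a registry value
pointing at %System%\\winlogin.exe (a lookalike of the legitimate winlogon.exe).

Added example; not code from the original write-up. All sample data below
is constructed."""

import ipaddress
import re

# Constructed watchlist: vendors named in the write-up plus a placeholder.
SECURITY_DOMAINS = ("symantec.com", "trendmicro.com", "pandasoftware.com", "example-av.test")

# Constructed sample of what a downloaded replacement hosts file could look like.
SAMPLE_HOSTS = """\
# constructed sample, NOT a real stat.dat
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
0.0.0.0         liveupdate.symantec.com
127.0.0.1       www.trendmicro.com
198.51.100.7    update.example-av.test   # redirected to an attacker-chosen host
127.0.0.1       intranet.corp.test       # unrelated entry, must not be flagged
"""

# Constructed .reg export fragment. Placing the value under the Run key is an
# assumption; the write-up only says "a registry subkey".
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Winlogin"="C:\\WINDOWS\\system32\\winlogin.exe"
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments/blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        entries.extend((addr, n.lower().rstrip(".")) for n in names)
    return entries


def find_hijacked_hosts(text, watchlist=SECURITY_DOMAINS):
    """Flag entries pinning a watched domain (or any subdomain) to an address.
    A benign hosts file has no reason to mention vendor domains at all, so every
    match is reported. Loopback / 0.0.0.0 targets are the blocking behaviour
    described in the write-up ('sinkhole'); anything else is a 'redirect'."""
    hits = []
    for addr, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watchlist):
            kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
            hits.append((name, str(addr), kind))
    return hits


_REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def find_winlogin_values(reg_export):
    """Scan REG_SZ value lines of a .reg export for the write-up's indicator:
    a value named Winlogin, or any value whose data ends in winlogin.exe.
    .reg files escape backslashes as '\\\\', so the data is unescaped first."""
    hits = []
    for line in reg_export.splitlines():
        m = _REG_VALUE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")
        exe = data.rsplit("\\", 1)[-1].lower()
        if name.lower() == "winlogin" or exe == "winlogin.exe":
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for hit in find_hijacked_hosts(SAMPLE_HOSTS):
        print("hosts:    %-32s -> %-14s %s" % hit)
    for name, data in find_winlogin_values(SAMPLE_REG_EXPORT):
        print("registry: %s = %s" % (name, data))
```

On a live machine, feed `find_hijacked_hosts` the contents of %SystemRoot%\System32\drivers\etc\hosts and `find_winlogin_values` the output of `reg export` for the autorun keys you care about (reg.exe writes UTF-16 by default, so open the export with `encoding="utf-16"`). Any hit from either function on a system that should be clean warrants a closer look.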