P2load.A [Panda Software], WORM_P2LOAD.A [Trend Micro]
Category: Computer Worm
Active & Spreading
Some parts of Asia, Europe, North and South America, Africa and Australia
18 Sep 2005
W32.Peerload.A was discovered on September 18, 2005. Also known as P2load.A and WORM_P2LOAD.A, this worm spreads through file-sharing networks like Kazaa, eMule and iMesh. It mostly affects Windows 2000, 95, 98, Me, NT, Server 2003 and XP.
W32.Peerload.A Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Peerload.A from your computer.
More details about W32.Peerload.A
Once W32.Peerload.A is executed, the worm creates a copy of itself as %System%\winlogin.exe. It also copies itself, using the same filename as the original worm file, to different file-sharing program folders, which it finds by querying several system registry values. Afterwards, the worm adds "Winlogin" = "%System%\winlogin.exe" to a specified system registry subkey. When the worm runs, it creates a harmless URL file and displays one message box. Then, it tries to open one of the following URLs: [http://]www.p2p-load.de/[REMOVED]/?l=e or [http://]www.p2p-load.de/[REMOVED]/?l=d. The worm adds three more values to modify the Internet Explorer search bar, home page and search page. Again, the worm creates a harmless URL file and attempts to download the following files to replace the hosts file with them: [http://]www.dutty.de/[REMOVED]/stat.dat, [http://]www.meet2k.com/[REMOVED]/stat.dat and [http://]www.p2p-load.de/[REMOVED]/stat.dat.
The W32.Peerload.A software connects to a pre-specified remote server. It retrieves a list of websites that contain malicious files. The application will download files and install them in the system. Security software companies report these may be Remote Access Tools (RATs), adware programs or spyware software. The W32.Peerload.A application has also been reported to block user access to security software websites. This may be done to prevent anti-malware programs from updating.
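A triage sketch for the two artifacts described above, the "Winlogin" autorun value and a replaced hosts file; this is an added example, not part of the original write-up or any vendor's tool. It assumes autorun values have already been exported as (name, command) pairs, because the page does not name the registry subkey, and that the blocking of security sites is done through the hosts file; the watchlist and sample data are constructed.

```python
import ipaddress
import ntpath

# Assumed sample watchlist (not from the page); extend for your environment.
SECURITY_DOMAINS = ("trendmicro.com", "pandasoftware.com", "symantec.com")

# Constructed sample data for the demo.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.trendmicro.com update.symantec.com  # constructed entry
0.0.0.0 pandasoftware.com
"""
SAMPLE_AUTORUNS = [
    ("Winlogin", r"C:\WINDOWS\system32\winlogin.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

def suspicious_hosts_entries(text, watchlist=SECURITY_DOMAINS):
    """Return (address, hostname, kind) for hosts entries that pin a watched domain."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, not a usable mapping
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        for name in (f.lower().rstrip(".") for f in fields[1:]):
            if any(name == d or name.endswith("." + d) for d in watchlist):
                hits.append((fields[0], name, kind))
    return hits

def peerload_autoruns(autoruns):
    """Return autorun (name, command) pairs matching the page's Winlogin value."""
    hits = []
    for name, command in autoruns:
        # ntpath parses Windows paths correctly even when run on another OS.
        exe = ntpath.basename(command.strip().strip('"')).lower()
        if name.lower() == "winlogin" and exe == "winlogin.exe":
            hits.append((name, command))
    return hits

if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts:", hit)
    for hit in peerload_autoruns(SAMPLE_AUTORUNS):
        print("autorun:", hit)
```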