Threat Encyclopedia


Short description
Win32/Peerfrag.FM is a worm that spreads via P2P networks. The worm contains a backdoor. It can be controlled remotely.
Installation
When executed, the worm creates the following folder:
  • %systemdrive%\RECYCLER\S-1-5-21-%variable%
A string with variable content is used instead of %variable%.

The following files are dropped in the same folder:
  • wnzip32.exe (188416 B)
  • Desktop.ini
The worm creates and runs a new thread with its own program code within the following processes:
  • explorer.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Taskman" = "%systemdrive%\S-1-5-21-%variable%\wnzip32.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%systemdrive%\S-1-5-21-%variable%\wnzip32.exe"
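As an added example (not part of this encyclopedia entry), the following Python check parses a `reg export` of the two Winlogon keys listed above and flags exactly the non-default settings the worm relies on: a Shell value that is not plain explorer.exe, a Taskman value (absent on a default system), and any value pointing into a SID-named folder. The registry export text is constructed, and the drive letter and SID suffix in it are assumed.

```python
import re

# Constructed sample of a `reg export` of the two Winlogon keys, shaped like the
# persistence this entry describes; the SID suffix and drive letter are assumed.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Taskman"="C:\\S-1-5-21-1234567890-1\\wnzip32.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\S-1-5-21-1234567890-1\\wnzip32.exe"
"""

WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')          # "name"="string value"
SID_DIR_RE = re.compile(r"\\S-1-5-21-[^\\]*\\", re.I)  # a SID-named folder component

def parse_reg_export(text):
    """Parse the .reg subset `reg export` emits for string values: [key] headers
    and "name"="value" lines. Returns {key: {name: value}} with escapes removed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg escapes backslash and double quote with a backslash
            keys[current][m.group(1)] = re.sub(r'\\(["\\])', r"\1", m.group(2))
    return keys

def check_winlogon(keys):
    """Return (key, value_name, reason) for Winlogon values that deviate from the
    defaults this worm tampers with: Shell must be exactly explorer.exe, Taskman
    is absent on a default system, and nothing should point into a SID-named folder."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(WINLOGON_SUFFIX):
            continue
        for name, value in values.items():
            if name.lower() == "shell" and value.strip().lower() != "explorer.exe":
                findings.append((key, name, "Shell is not exactly explorer.exe: " + value))
            elif name.lower() == "taskman":
                findings.append((key, name, "Taskman is set (absent by default): " + value))
            if SID_DIR_RE.search(value):
                findings.append((key, name, "path inside a SID-named folder: " + value))
    return findings
```

Run `check_winlogon(parse_reg_export(open("winlogon.reg", encoding="utf-16").read()))` against a real export (reg export writes UTF-16) to triage a suspect host offline.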
Spreading
The worm creates the following folders:
  • %drive%\system32
The following files are dropped in the same folder:
  • autorun.exe (188416 B)
  • Desktop.ini
The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Spreading via P2P networks
Win32/Peerfrag.FM is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:
  • Ares Galaxy
  • BearShare
  • DC++
  • eMule
  • eMule Plus
It tries to place a copy of itself into the folders.
Spreading via IM networks
The worm sends links to MSN Messenger users.

If the link is clicked a copy of the worm is downloaded.
Other information
The worm receives data and commands from a remote computer or the Internet. It can be controlled remotely.

The worm connects to the following addresses:
  • sub7.ahdjejgf.com (UDP:1221)
It can execute the following operations:
  • perform DoS/DDoS attacks
  • download files from a remote computer and/or Internet
  • run executable files
  • spread via shared folders and P2P networks
  • spread via MSN network
  • perform port scanning
The worm collects the following information:
  • computer name
  • user name
  • network adapter information
  • operating system version
  • Mozilla Firefox account information
  • Windows Protected Storage passwords and credentials
The worm can send the information to a remote machine.

The worm may create and run a new thread with its own program code within any running process.