Worm:Win32/Puce.W is a worm that copies itself to shared folders used by peer-to-peer (P2P) file sharing applications. When these applications run, they connect to P2P file sharing networks and make the worm available for download to unsuspecting Internet users.
Installation
Worm:Win32/Puce.W checks for the presence of a mutex named "TINYpUce", created by the worm to ensure that only one instance of itself is running at any time. Next, the worm drops a copy of itself into the %temp% folder as 'svchost.exe', and registers itself to run at each Windows start.
Adds value: WindowsServicesStartup
With data: %temp%\svchost.exe 1
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
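The persistence mechanism above (a Run-key value pointing at a copy of 'svchost.exe' in %temp%) can be checked with a small script. The following is an added example, not code from the original page or from Microsoft; the value name and path come from this page, while the sample Run entries, the function names and the heuristics (svchost.exe launched from outside System32, autorun from a Temp folder) are assumptions made for the example. The legitimate svchost.exe lives in %SystemRoot%\System32, so any autorun entry that starts a file of that name from elsewhere deserves a look, whatever the value name.

```python
import sys

# Run-key value name documented on the page for Worm:Win32/Puce.W
KNOWN_VALUE_NAME = "WindowsServicesStartup"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of (value name, data) pairs as they might be read from
# HKLM\...\Run on an infected host. Not captured from a real machine.
SAMPLE_RUN_VALUES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("WindowsServicesStartup", r"%temp%\svchost.exe 1"),
]


def executable_from_command(data: str) -> str:
    """Return the executable part of a Run-key command line.
    Handles a quoted path ("C:\\x y\\a.exe" arg) and an unquoted first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def assess_run_value(name: str, data: str, system_root: str = r"C:\Windows") -> list:
    """Return a list of reasons an autorun entry is suspicious; [] means no finding."""
    exe = executable_from_command(data)
    exe_l = exe.lower().replace("/", "\\")
    base = exe_l.rsplit("\\", 1)[-1]
    reasons = []
    if name.lower() == KNOWN_VALUE_NAME.lower():
        reasons.append("value name matches the Puce.W indicator 'WindowsServicesStartup'")
    # Genuine svchost.exe is only ever started from %SystemRoot%\System32.
    if base == "svchost.exe" and not exe_l.startswith(system_root.lower() + "\\system32\\"):
        reasons.append("svchost.exe started from outside %SystemRoot%\\System32")
    # The worm drops its copy into %temp%; an autorun from any Temp folder is unusual.
    if "%temp%" in exe_l or "\\temp\\" in exe_l:
        reasons.append("autorun launched from a temporary folder")
    return reasons


def read_run_values() -> list:
    """Read HKLM Run values on Windows (via the standard winreg module);
    returns [] on other platforms so the script still runs offline."""
    if sys.platform != "win32":
        return []
    import winreg  # assumption: standard library module, Windows only
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            index += 1
    return values


def scan(values) -> dict:
    """Map each suspicious value name to its reasons."""
    return {name: r for name, data in values if (r := assess_run_value(name, data))}


if __name__ == "__main__":
    entries = read_run_values() or SAMPLE_RUN_VALUES
    for name, reasons in scan(entries).items():
        print(name, "->", "; ".join(reasons))
```

On a non-Windows host the script falls back to the constructed sample; on Windows it reads the real HKLM Run key. HKCU\...\Run is not checked here because the page documents only the HKLM value.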
Spreads Via…
Peer-to-Peer File Sharing
Worm:Win32/Puce.W plants a copy of itself into archive files with file extensions .RAR and .ZIP stored in any of the following locations:
D:\Program files\emule\incoming
C:\Program files\emule\incoming
E:\Program files\emule\incoming
C:\Download
D:\Download
E:\Download
C:\Incoming
D:\Incoming
E:\Incoming
F:\Incoming
G:\Incoming
C:\Archivos de programa\emule\incoming
D:\Archivos de programa\emule\incoming
E:\Archivos de programa\emule\incoming
C:\Program Files\Kazaa Lite K++\My Shared Folder
D:\Program Files\Kazaa Lite K++\My Shared Folder
E:\Program Files\Kazaa Lite K++\My Shared Folder
C:\Program files\KMD\My Shared Folder
D:\Program files\KMD\My Shared Folder
E:\Program files\KMD\My Shared Folder
C:\Program files\KaZaA Lite\My Shared Folder
D:\Program files\KaZaA Lite\My Shared Folder
E:\Program files\KaZaA Lite\My Shared Folder
C:\Program files\Morpheus\My Shared Folder
D:\Program files\Morpheus\My Shared Folder
E:\Program files\Morpheus\My Shared Folder
C:\Program files\BearShare\Shared
D:\Program files\BearShare\Shared
E:\Program files\BearShare\Shared
C:\Program files\Edonkey2000\Incoming
D:\Program files\Edonkey2000\Incoming
E:\Program files\Edonkey2000\Incoming
C:\My Downloads
D:\My Downloads
E:\My Downloads
C:\My Shared Folder
D:\My Shared Folder
E:\My Shared Folder
C:\Program files\appleJuice\incoming
D:\Program files\appleJuice\incoming
E:\Program files\appleJuice\incoming
C:\Program files\Gnucleus\Downloads
D:\Program files\Gnucleus\Downloads
E:\Program files\Gnucleus\Downloads
C:\Program files\Grokster\My Grokster
D:\Program files\Grokster\My Grokster
E:\Program files\Grokster\My Grokster
C:\Program files\ICQ\shared files
D:\Program files\ICQ\shared files
E:\Program files\ICQ\shared files
C:\Program files\KaZaA\My Shared Folder
D:\Program files\KaZaA\My Shared Folder
E:\Program files\KaZaA\My Shared Folder
C:\Program files\LimeWire\Shared
D:\Program files\LimeWire\Shared
E:\Program files\LimeWire\Shared
C:\Program files\Overnet\incoming
D:\Program files\Overnet\incoming
E:\Program files\Overnet\incoming
C:\Program files\Shareaza\Downloads
D:\Program files\Shareaza\Downloads
E:\Program files\Shareaza\Downloads
C:\Program files\Swaptor\Download
D:\Program files\Swaptor\Download
E:\Program files\Swaptor\Download
C:\Program files\WinMX\My Shared Folder
D:\Program files\WinMX\My Shared Folder
E:\Program files\WinMX\My Shared Folder
C:\Program files\Tesla\Files
D:\Program files\Tesla\Files
E:\Program files\Tesla\Files
C:\Program files\XoloX\Downloads
D:\Program files\XoloX\Downloads
E:\Program files\XoloX\Downloads
C:\Program files\Rapigator\Share
D:\Program files\Rapigator\Share
E:\Program files\Rapigator\Share
The worm opens each archive and inserts a copy of itself using one of the following file names:
Setup.exe
Install.exe
_Run_Me_First.exe
Next, the worm adds a zero-byte file named '_trash.tmp' to the archive as a marker, so that it can recognise archives it has already infected. The infected archive is then renamed to one of the following name formats:
<original file name> updated-fixed %MM-%YYYY.zip
<original file name> updated-fixed %MM-%YYYY.rar
Where %MM is the 2-digit representation of the current month, and %YYYY is the 4-digit representation of the current year.
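The marker file and the rename format described above give a defender two cheap indicators for finding infected archives in a shared folder. The script below is an added example, not code from the original page or from Microsoft: it uses the three payload names, the '_trash.tmp' marker and the 'updated-fixed MM-YYYY' pattern from this page, while the function names and the constructed sample archive are assumptions made for the example. It handles ZIP only, because the Python standard library has no RAR reader; the same checks would apply to the RAR entries listed by an external tool.

```python
import io
import re
import zipfile

# Indicators documented on the page for Worm:Win32/Puce.W
PAYLOAD_NAMES = {"setup.exe", "install.exe", "_run_me_first.exe"}
MARKER_NAME = "_trash.tmp"
RENAME_PATTERN = re.compile(r" updated-fixed (\d{2})-(\d{4})\.(zip|rar)$", re.IGNORECASE)


def suspicious_filename(name: str) -> bool:
    """True when the archive name matches the worm's rename format
    '<original> updated-fixed MM-YYYY.zip|rar' with a plausible month."""
    m = RENAME_PATTERN.search(name)
    if not m:
        return False
    return 1 <= int(m.group(1)) <= 12


def inspect_zip(data: bytes) -> dict:
    """Inspect ZIP bytes for the infection pattern: a zero-byte '_trash.tmp'
    marker plus at least one entry with one of the three payload names.
    Only the central directory is read; no entry is extracted."""
    result = {"marker": False, "payloads": [], "verdict": "clean"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                base = info.filename.rsplit("/", 1)[-1].lower()
                if base == MARKER_NAME and info.file_size == 0:
                    result["marker"] = True
                elif base in PAYLOAD_NAMES:
                    result["payloads"].append(info.filename)
    except zipfile.BadZipFile:
        result["verdict"] = "unreadable"
        return result
    if result["marker"] and result["payloads"]:
        result["verdict"] = "infected"
    elif result["marker"] or result["payloads"]:
        result["verdict"] = "suspicious"
    return result


def build_sample(infected: bool) -> bytes:
    """Constructed sample archive for offline testing; the 'Setup.exe' entry
    holds placeholder text, not a real executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "legitimate content")
        if infected:
            zf.writestr("Setup.exe", b"placeholder, not executable code")
            zf.writestr("_trash.tmp", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for infected in (False, True):
        print(inspect_zip(build_sample(infected)))
    print(suspicious_filename("album updated-fixed 03-2006.zip"))
```

A marker without a payload (or the reverse) is reported as 'suspicious' rather than 'infected', since either could be a coincidence in a user's own archive; the combination of both is what the page describes.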
Additional Information
Worm:Win32/Puce.W drops a text file named "Log.txt" into the current folder. The file is then opened to display its content:
PRE-INSTALL v1.07
(C) pUcE Software 2006
Pre-install has checked your config.
Everything is ok, you can now run the setup program
Enjoy!