Thread: W32/Duni-A

  1. #1

    W32/Duni-A

    Latest Hotmail worm, real annoying!

    W32/Duni-A is an email worm which uses a wide range of subject lines and
    attachment names. The subject line is chosen from:

    Esta si que es zorra!!!
    Fotos de asesinatos, Jack el Destripador, Charles Manson, y muchos mas para decorar tu escritorio.
    Yeahhh Mutha Facka... NY Brookling in your NET.
    Genera passwords para poder entrar a las webs mas putonas de la red, y gratis, incluso podras bajar peliculas porno.
    Para los verdaderos amigos...
    Test de amor.
    30 pregutas para saber si tu pareja te enga
    !La imagen de cristo en un bosque.
    mira como seria un mundial en la antigua mesopotamia.
    Fotos de Cristo para decorar tu escritorio.
    Te han enviado una postal.
    Te acuerdas de mi?
    Asi se hace el amor...
    Asi me gusta a mi...
    Esto doleria mucho, mucho :-).
    Si esto no me lo regresas me sentire mal.
    La vida despues de la muerte.
    Me cambie de correo, aver si ahora me escribes...
    Leelo y reenvialo a quienes mas amas.
    Cancion de amor, para ti.
    Paulina Rubio y su zorrita cosmica...
    No todo lo que uno lea sobre el servicio de webmail de Microsoft es cierto.
    !Ver el listado de falsas alarmas.
    !ja, la han cagado con este video.
    Bin Laden DT de la seleccion de arabia...
    Bin Laden nuevo goliador de Arabia saudita , jaaaaaaa.
    Bin Laden presidente de la FIFA.
    Dime que te parece esta animacion.
    Una broma para las secretarias, ja ja.
    Test para secretarias, para saber que tan tontas son.
    41 preguntas para saber si alguien es sicopata.
    mira esto es mas ordinario que gato con hanta, juaaaaaaaaaaaa.
    listado de ultimas mentiras que circulan por los mails.
    Last hoaxes list.
    como te gustarian este par de tetitas.
    Leelo y reenvialo a quienes mas amas.
    mira esto es mas ordinario que gato con hanta, juaaaaaaaaaaaa.
    listado de ultimas mentiras que circulan por los mails.
    Bin Laden killing muthaFaka bill gates.

    and the attachment name from:

    zorrita.cpl
    jack.cpl
    sickofitall.cpl
    analpasswords.cpl
    poema_angelical.cpl
    testdeamor.cpl
    Adulterio_en_tus_narices.cpl
    Cristo.cpl
    mundial.cpl
    cristo2002.cpl
    postal_de_mi_alma.cpl
    estesoyyo.cpl
    milposiciones.cpl
    como_como.cpl
    por_ahi_noooooo.cpl
    lomasimportante.cpl
    vidaymuerte.cpl
    siemprevivir@setnet.cpl
    milvidas.cpl
    comoolvidarte.cpl
    paulinasex.cpl
    mentiras_en_hotmail.cpl
    listado_de_hoaxes.cpl
    zapato_en_el_culo.cpl
    binladenDT.cpl
    gooooooool.cpl
    Fifaladen.cpl
    secretarias.cpl
    test_secretontas.cpl
    sere_yo_uno_de_esos.cpl
    scarycrai.cpl
    mentiras_mails.cpl
    mcaffehoaxlist.cpl
    tetris2002.cpl
    zandias_meloones.cpl
    quien_como_tu.cpl
    portymore.cpl
    listado_de_porquerias.cpl
    billgatesscream.cpl

    The worm finds addresses to send itself to in the user's MSN Messenger contact list using the server mail.hotmail.com.

    W32/Duni-A also attempts to use the KaZaA peer-to-peer network to spread. The worm copies itself to the user's KaZaA download area using one of the following filenames:

    DivResidentEvil.ZIP.cpl
    SpidermanDesktop.cpl
    Porno_sTar.cpl
    AXEbahia.cpl
    NuevosVideosProfesorRossa.cpl
    NewVideo_Blink182.cpl
    LagWagon&Blink182.cpl
    Hacking.cpl
    AllMcAfeeCrack.Cpl
    Britney_spearsVSDavidBeckham_AnalPasions.cpl
    JamieThomasVSrodneyMullen.cpl
    MariguanaDesktop.cpl
    AgeOfEmpires2_Crack.cpl
    Mames.Zip.cpl
    terminator2.cpl
    Binladen****inBillGates.cpl
    AnalPasswords.cpl
    ElvisDesktop.cpl
    AVP_Spanish.cpl
    ZoneAlarmCrack.cpl
    HardXCore.cpl
    PhotoShop6.xCrack.cpl
    BioHazard.cpl
    VisualBasic.Net.cpl
    Zidane.Taliban.cpl
    VideoPortoSeguro.cpl
    sexo_en_la_calle.cpl
    sexo_anal_full_video.cpl
    sexo_oriental_full_video.cpl
    muertes_videos.cpl

    When the worm is run it will create copies of itself in the root folder and the Windows folder. These copies will have a name consisting of a random number and the extension .CPL. The worm then adds the following registry entry so that the copy in the Windows folder is run each time Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    W32/Duni-A attempts to interfere with anti-virus software by deleting the files C:\archiv~1\perav\pav.dll, C:\archiv~1\perav\per.dll, C:\program files\perav\pav.dll and C:\program files\perav\per.dll and the files PAV.EXE, \bases\avp.set, \system\vshield.vxd, \system32\vshield.vxd and \vshield.vxd from the Windows folder.

    It also modifies the following registry entries:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Pav.exe
    HKLM\Software\KasperskyLab\SharedFiles\Folder.
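A defensive check built from the indicators in the write-up above, added here as an example and not part of the original thread: it flags `.cpl` mail attachments (any case, double extensions included) and Run values that launch a digits-only `.cpl` from the Windows folder. The sample message, the Run value names and data, and the `C:\WINDOWS` path are constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not a captured Duni-A mail); subject and attachment
# name are taken from the lists in the post above.
SAMPLE_EML = """\
From: friend@example.com
To: user@example.com
Subject: Te han enviado una postal.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hola
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="postal_de_mi_alma.cpl"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

def is_cpl_name(name):
    """True if the final extension is .cpl, ignoring case and trailing dots/spaces."""
    return name.strip().rstrip(". ").lower().endswith(".cpl")

def cpl_attachments(raw_message):
    """Return the attachment filenames in a MIME message that end in .cpl."""
    msg = message_from_string(raw_message)
    # get_filename() reads Content-Disposition, then Content-Type name=
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_cpl_name(n)]

# Drive path, any folders, then a digits-only file name with .cpl extension.
RUN_CPL = re.compile(r'([a-z]:\\(?:[^\\/:*?"<>|]+\\)*)\d+\.cpl\b', re.IGNORECASE)

def suspicious_run_values(run_values, windows_dir=r"C:\WINDOWS"):
    """Return names of Run values that launch <digits>.cpl from the Windows folder."""
    flagged = []
    for value_name, command in run_values.items():
        m = RUN_CPL.search(command)
        if m and m.group(1).rstrip("\\").lower() == windows_dir.lower():
            flagged.append(value_name)
    return flagged
```

`is_cpl_name` can also be run over a listing of the KaZaA download folder, since the copies dropped there use the same extension.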

  2. #2
    Hey, I tracked down that worm, and it's been written from another one. Norton picked it up as W32.Kitro_C, and I have seen more than 200 users who downloaded Spiderman Desktop.cpl and BioHazard in KaZaA. I tried to send a message to one, but I get incompatible version. AV should be detecting 'em though, unless they are lacking in that department.

    It must use code from the older worm. If this was written from scratch, we could have had a major outbreak, with it not being picked up with virus scanners.

    Thanks for the info, I went hunting after this one!

    Preep
    http://www.attrition.org/gallery/computing/forum/tn/youarenot.gif.html

  3. #3

    Here is a link to the Norton write-up on W32/Duni:

    Write Up
