Threat Encyclopedia

Win32/Dursg.A

Aliases: P2P-Worm.Win32.Agent.aak (Kaspersky), W32.SillyP2P (Symantec), Trojan:Win32/Dursg.C (Microsoft)
Type of infiltration: Worm
Size: 50176 B
Affected platforms: Microsoft Windows
Signature database version: 5031 (20100415)

Short description

Win32/Dursg.A is a worm that redirects results of online search engines to web sites that contain adware. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:
  • %appdata%\SystemProc\lsass.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    policies\Explorer\Run]
    "RTHDBPL" = "%appdata%\SystemProc\lsass.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "RTHDBPL" = "%appdata%\SystemProc\lsass.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "RTHDBPL" = "%appdata%\SystemProc\lsass.exe"

Other information

The worm changes information related to the following services:
  • google.com
  • yahoo.com
  • msn.com
  • bing.com
  • youtube.com
The following programs are affected:
  • Internet Explorer
  • Opera
  • Google Chrome
  • Mozilla Firefox
When the user enters certain text strings in the browser, the worm displays advertising websites related to them.

The following keywords are monitored:
  • airlines
  • amazon
  • antivir
  • antivirus
  • baby
  • bank
  • bany
  • baseball
  • books
  • cars
  • casino
  • cialis
  • cigarettes
  • comcast
  • craigslist
  • credit
  • dating
  • design
  • diet
  • doctor
  • dvd
  • ebay
  • estate
  • fashion
  • film
  • finance
  • flights
  • flower
  • footbal
  • football
  • gambling
  • game
  • gifts
  • golf
  • graphic
  • health
  • hotel
  • insurance
  • iphone
  • ipod
  • job
  • loan
  • loans
  • medical
  • military
  • mobile
  • money
  • mortgage
  • movie
  • music
  • myspace
  • pharma
  • pocker
  • poker
  • porn
  • school
  • sex
  • shop
  • software
  • sport
  • spybot
  • spyware
  • trading
  • tramadol
  • travel
  • twitter
  • verizon
  • video
  • virus
  • vocations
  • wallpaper
  • weather
  • yobt
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    policies\Explorer\Run]
    "RTHDBPL" = "%malwarepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "RTHDBPL" = "%malwarepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "RTHDBPL" = "%malwarepath%"
The worm may create copies of itself in the following folders:
  • C:\program files\winmx\shared
  • C:\program files\tesla\files
  • C:\program files\limewire\shared
  • C:\program files\morpheus\my shared folder
  • C:\program files\emule\incoming
  • C:\program files\edonkey2000\incoming
  • C:\program files\bearshare\shared
  • C:\program files\grokster\my grokster
  • C:\program files\icq\shared folder
  • C:\program files\kazaa lite k++\my shared folder
  • C:\program files\kazaa lite\my shared folder
  • C:\program files\kazaa\my shared folder
Its filename may be one of the following:
  • [+ MrKey +] Windows XP PRO Corp SP3 valid-key
    generator.exe
  • [antihack tool] Trojan Killer v2.9.4173.exe
  • [Eni0j0 team] Vmvare keygen.exe
  • [Eni0j0 team] Windows 7 Ultimate keygen.exe
  • [fixed]RapidShare Killer AIO 2010.exe
  • [patched, serial not need] Nero 9.x keygen.exe
  • [patched, serial not needed] Absolute Video Converter
    6.2-7.exe
  • [patched, serial not needed] PDF to Word Converter 3.4.exe
  • [patched, serial not needed] PDF Unlocker
    v2.0.5.exe
  • PDF-XChange Pro.exe
  • Ad-aware 2010.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Illustrator CS4 crack.exe
  • Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe
  • Alcohol 120 v1.9.x.exe
  • Anti-Porn v13.x.x.x.exe
  • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
  • AOL Instant Messenger (AIM) Hacker.exe
  • AOL Password Cracker.exe
  • Ashampoo Snap 3.xx [Skarleot Group].exe
  • Avast 4.x Professional.exe
  • Avast 5.x Professional.exe
  • BitDefender AntiVirus 2010 Keygen.exe
  • Blaze DVD Player Pro v6.52.exe
  • Brutus FTP Cracker.exe
  • CleanMyPC Registry Cleaner v6.02.exe
  • Counter-Strike Serial key generator [Miona patch].exe
  • Daemon Tools Pro 4.8.exe
  • DCOM Exploit archive.exe
  • DivX 5.x Pro KeyGen generator.exe
  • Divx Pro 7.x version Keymaker.exe
  • Download Accelerator Plus v9.2.exe
  • Download Boost 2.0.exe
  • DVD Tools Nero 10.x.x.x.exe
  • FTP Cracker.exe
  • G-Force Platinum v3.7.6.exe
  • Google SketchUp 7.1 Pro.exe
  • Grand Theft Auto IV [Offline Activation + mouse patch].exe
  • Half-Life 2 Downloader.exe
  • Hotmail Cracker [Brute method].exe
  • Hotmail Hacker [Brute method].exe
  • ICQ Hacker Trial version [brute].exe
  • Image Size Reducer Pro v1.0.1.exe
  • Internet Download Manager V5.exe
  • IP Nuker.exe
  • Kaspersky AntiVirus 2010 crack.exe
  • Kaspersky Internet Security 2010 keygen.exe
  • Keylogger unique builder.exe
  • K-Lite Mega Codec v5.2 Portable.exe
  • K-Lite Mega Codec v5.2.exe
  • L0pht 4.0 Windows Password Cracker.exe
  • LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
  • Magic Video Converter 8.exe
  • McAfee Total Protection 2010 [serial patch by AnalGin].exe
  • Microsoft Visual Basic KeyGen.exe
  • Microsoft Visual C++ KeyGen.exe
  • Microsoft Visual Studio KeyGen.exe
  • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen
    x86.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Mp3 Splitter and Joiner Pro v3.48.exe
  • MSN Password Cracker.exe
  • Myspace theme collection.exe
  • NetBIOS Cracker.exe
  • NetBIOS Hacker.exe
  • Norton Anti-Virus 2005 Enterprise Crack.exe
  • Norton Anti-Virus 2010 Enterprise Crack.exe
  • Norton Internet Security 2010 crack.exe
  • Password Cracker.exe
  • PDF password remover (works with all acrobat reader).exe
  • Power ISO v4.4 + keygen milon.exe
  • Rapidshare Auto Downloader 3.8.6.exe
  • sdbot with NetBIOS Spread.exe
  • Sophos antivirus updater bypass.exe
  • Sub7 2.5.1 Private.exe
  • Super Utilities Pro 2009 11.0.exe
  • Total Commander7 license+keygen.exe
  • Tuneup Ultilities 2010.exe
  • Twitter FriendAdder 2.3.9.exe
  • UT 2003 KeyGen.exe
  • VmWare 7.x keygen.exe
  • Website Hacker.exe
  • Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
  • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
  • Windows Password Cracker + Elar3 key.exe
  • Windows2008 keygen and activator.exe
  • WinRAR v3.x keygen [by HiXem].exe
  • Youtube Music Downloader 1.3.exe
  • YouTubeGet 5.6.exe
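
The following read-only PowerShell triage script is an added example, not part of the original encyclopedia entry. It checks a host for the autostart value, the dropped copy and the P2P shared-folder copies described above. The size match in step 3 and the "lsass.exe outside System32" test are heuristics assumed here, and the variable names are illustrative.

```powershell
# Added triage example (read-only). Indicator values are taken from this page.
$valueName  = 'RTHDBPL'
$sampleSize = 50176   # bytes, the size listed for the analyzed sample
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$shareDirs = @(
    'winmx\shared', 'tesla\files', 'limewire\shared', 'morpheus\my shared folder',
    'emule\incoming', 'edonkey2000\incoming', 'bearshare\shared',
    'grokster\my grokster', 'icq\shared folder', 'kazaa lite k++\my shared folder',
    'kazaa lite\my shared folder', 'kazaa\my shared folder'
) | ForEach-Object { Join-Path 'C:\Program Files' $_ }
$realLsass = Join-Path $env:SystemRoot 'System32\lsass.exe'

$findings = @(
    # 1. Autostart values: the worm's value name, or any lsass.exe outside System32.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            $masquerade = $data -match '\\lsass\.exe' -and $data -notlike "*$realLsass*"
            if ($name -eq $valueName -or $masquerade) {
                [pscustomobject]@{ Check = 'RunKey'; Location = "$key\$name"; Detail = $data }
            }
        }
    }
    # 2. Dropped copy in the current user's profile.
    $dropped = Join-Path $env:APPDATA 'SystemProc\lsass.exe'
    if (Test-Path -LiteralPath $dropped) {
        [pscustomobject]@{ Check = 'DroppedFile'; Location = $dropped; Detail = 'present' }
    }
    # 3. Executables of the sample's size in P2P shared folders (heuristic only).
    foreach ($dir in $shareDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            Where-Object Length -eq $sampleSize |
            ForEach-Object {
                [pscustomobject]@{ Check = 'P2PShare'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
            }
    }
)
$findings | Format-Table -AutoSize -Wrap
```

The HKCU and %appdata% checks cover only the account running the script, so repeat it for each user profile on a shared machine.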