Virus!

  • i seem to have this virus on my computer, which must have been hidden in some file i d/l off of emule, i think it's probably karma for not paying for music for a while.
    the virus is…

    win32/puce.D

    any idea how to get rid? as AVG doesn't seem to be playing the game at the moment.

    cheers.

    Hmm, the strange thing is that if I search for this virus in google (using both firefox & IE) I get an error message and it shuts down the browser.

    It’s a little bit worrying to be honest, but I rarely use P2P sharing which is what this virus mainly spreads through.

    BioTech wrote:
    Hmm, the strange thing is that if I search for this virus in google (using both firefox & IE) I get an error message and it shuts down the browser.

    It’s a little bit worrying to be honest, but I rarely use P2P sharing which is what this virus mainly spreads through.

    That is odd mate, I can search for info about it and read web pages without any issues!

    it seems to search fine for me on google, and i use mozilla/firefox.
    the info i got is…

    Characteristics

    Type: Worm
    Category: Win32
    Also known as: W32.Ecup (Symantec), W32/Puce (McAfee), W32/Puce!ITW#1 (WildList), Win32.Puce.D, Win32/Puce.d!Trojan, W32/Puce-H (Sophos), P2P-Worm.Win32.Kapucen.b (Kaspersky)

    Description

    Win32/Puce.D is a worm that spreads through peer-to-peer (P2P) file sharing networks. The worm adds itself to .zip and .rar archives in directories mostly related to P2P file sharing applications. It has been distributed as a 106,496-byte Win32 executable.

    Method of Infection

    When executed, Puce.D creates “Log.txt” in its current directory and opens it.

    The worm copies itself to %Temp%\svchost.exe, executes this copy and exits. It also modifies the registry to ensure this copy executes upon each system start-up:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServicesStartup = “%Temp%\svchost.exe 1”

    Note: %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is “C:\Documents and Settings\<username>\Local Settings\Temp”, or “C:\WINDOWS\TEMP”.

    Puce.D also creates a mutex named “TINYpUcE” to ensure only one copy runs at a time.

    Method of Distribution Via File Sharing (ZIP and RAR Archives)

    Puce.D searches the following locations in drives C: to E: for .rar and .zip files:

    Program files\emule\incoming
    Download
    Téléchargement
    Archivos de programa\emule\incoming
    Program Files\Kazaa Lite K++\My Shared Folder
    Program files\KMD\My Shared Folder
    Program files\KaZaA Lite\My Shared Folder
    Program files\Morpheus\My Shared Folder
    Program files\BearShare\Shared
    Program files\Edonkey2000\Incoming
    My Downloads
    My Shared Folder
    Program files\appleJuice\incoming
    Program files\Gnucleus\Downloads
    Program files\Grokster\My Grokster
    Program files\ICQ\shared files
    Program files\KaZaA\My Shared Folder
    Program files\LimeWire\Shared
    Program files\Overnet\incoming
    Program files\Shareaza\Downloads
    Program files\Swaptor\Download
    Program files\WinMX\My Shared Folder
    Program files\Tesla\Files
    Program files\XoloX\Downloads
    Program files\Rapigator\Share

    It also checks this location in drives C: to G:

    Incoming

    Puce.D adds itself to .rar archives as “setup.exe”. The worm attempts to add itself to .zip archives as “Setup.exe”. If the .zip already contains a file of that name, the worm then attempts to add itself as “Install.exe”, and as a last resort as “_Run_Me_First.exe”. If a .zip contains all three filenames, the worm bypasses the file without adding itself. It also bypasses any .rar or .zip archive containing the file “_trash.tmp”.

    After adding itself to a .rar or .zip archive, the worm adds the empty file “_trash.tmp” to use as a marker. Puce.D may also decide to rename the archive as:

    <filename> updated-fixed <mm>-<yyyy>.<extension>

    where:

    <filename> is the original name of the archive
    <mm> is the current system month
    <yyyy> is the current system year
    <extension> is either an .rar or .zip file extension

    For example, for a file named “test.zip”, the new filename could be “test updated-fixed 08-2006.zip”.

    Note that because the worm adds itself to .rar files without checking whether the archive already contains a file of that name, the .rar file could contain two files with identical names. Therefore when extracting the archive, the affected system usually displays a message box warning the user that the file already exists, and asking whether they want to overwrite it. If the user selects “No”, the system does not overwrite the original file with the worm file. If the user selects “Yes”, the system extracts a copy of Puce.D and the file size will be 106,496 bytes (104K).

    After adding itself to all suitable archives, Puce.D ceases activity for approximately 15 minutes, then repeats the distribution cycle again, adding itself to any new archives it discovers.

    http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=57812

    none of this really makes any sense to me tho as i'm wank when it comes to computers.
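The archive indicators listed in the advisory quoted above (the empty “_trash.tmp” marker, the three executable names at 106,496 bytes, and the “updated-fixed <mm>-<yyyy>” rename) can be checked mechanically. The Python sketch below is an added example, not part of the original post or the advisory; it covers .zip archives only (the standard library has no RAR reader), and the function names and in-memory sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Indicators taken from the advisory text quoted in the thread.
WORM_NAMES = {"setup.exe", "install.exe", "_run_me_first.exe"}
MARKER = "_trash.tmp"
WORM_SIZE = 106_496  # bytes
RENAMED = re.compile(r" updated-fixed (0[1-9]|1[0-2])-\d{4}\.(zip|rar)$", re.I)


def check_zip(archive, display_name=""):
    """Return findings for one ZIP given as a path or file-like object."""
    findings = []
    if RENAMED.search(display_name):
        findings.append("archive name matches 'updated-fixed <mm>-<yyyy>'")
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base == MARKER and info.file_size == 0:
                findings.append(f"{info.filename}: empty marker file")
            elif base in WORM_NAMES and info.file_size == WORM_SIZE:
                findings.append(f"{info.filename}: exactly {WORM_SIZE} bytes")
    return findings


def build_sample(members):
    """Constructed test input: an in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # A legitimate installer of a different size must not be flagged.
    clean = build_sample({"Setup.exe": b"MZ" + b"\0" * 2000, "readme.txt": b"hi"})
    # Zero-filled stand-in with the advisory's size, plus the marker file.
    flagged = build_sample(
        {"album.mp3": b"x", "Setup.exe": b"\0" * WORM_SIZE, MARKER: b""}
    )
    print(check_zip(clean, "test.zip"))
    print(check_zip(flagged, "test updated-fixed 08-2006.zip"))
```

Name and size matches are heuristics only; a hit means the archive deserves a scan with an up-to-date antivirus engine before anything in it is extracted.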

    m8 that's a really fucking nasty thing you got there … reinstall windows? … by what it says in the dialog you got from google .. it looks a bit dismal m8 … search a bit more for info .. and post that … atm it don’t look good :yakk: .. find more info ..

    DaftFader wrote:
    m8 that's a really fucking nasty thing you got there … reinstall windows? … by what it says in the dialog you got from google .. it looks a bit dismal m8 … search a bit more for info .. and post that … atm it don’t look good :yakk: .. find more info ..

    i'll have a look for some more info when i get home mate. are you any good with computers?

    djprocess wrote:
    i'll have a look for some more info when i get home mate. are you any good with computers?

    i kinda understand most what is written in that page you got from google .. .. i'm not brilliant with comps .. i just kinda know what i'm looking at if ya get me .. probably won't be able to fix it for you .. but might be able to help you find a way of doing it 😉 basically the worm you got fucking mashes up anything with the extension .zip/.rar and has copied itself to the %Temp%\svchost.exe file extension and spreads through them programs to other comps using p2p as its train if you like …. it fucks with your registry as well … which is basically everything that windows is supposed to do … which is bad .. normally you can get a registry cleaner and fix things that fuck your registry .. but you need to get rid of the malware first … a temporary fix that you will have to do every time you start your comp up is … go ctrl+alt+del and close the process of anything that looks like one of these names (not the bits in the brackets)… W32.Ecup (Symantec), W32/Puce (McAfee), W32/Puce!ITW#1 (WildList), Win32.Puce.D, Win32/Puce.d!Trojan, W32/Puce-H (Sophos), P2P-Worm.Win32.Kapucen.b (Kaspersky) win32/puce.D …. and %Temp%\svchost.exe …. that isn’t a very cock sure method of fixing it .. but i think that will disable it temporarily until you restart your comp … but that's as far as i understand .. might have some other shit as well .. but try see if it helps temporarily … (when removing it you will probably need to disable the process of the thing anyway as the first step) …. that's all i can help with atm with that info .. gonna go do some digging about it in a bit .. need to get rid of this fucking hangover first tho 😥

    DaftFader wrote:
    i kinda understand most what is written in that page you got from google .. well kinda understand .. i'm not brilliant with comps .. i just kinda know what i'm looking at if ya get me .. probably won't be able to fix it for you .. but might be able to help you find a way of doing it 😉

    i think i may have it sorted now. well someone’s helping me anyway. If you do find anything out let me know tho.

    djprocess wrote:
    i think i may have it sorted now. well someone’s helping me anyway. If you do find anything out let me know tho.

    read the post b4 .. might help m8

    DaftFader wrote:
    read the post b4 .. might help m8

    sound. nice one.
