Filename-changing worm wiggling on P2P networks

Worms that use P2P networks to propagate have one big problem: they usually masquerade as software, key generators, or cracks, but have hard-coded file names, which means that once a new version of the software is out, the malware is picked up less frequently.

The author of WORM_PITUPI.K (discovered by Trend Micro) has found a way around that. The worm connects to Pirate Pay every time it’s executed, and uses the names of new software. It also drops copies of itself in folders used in peer-to-peer networks, using the file names of the most popular software and games. The number of copies created on each execution can sometimes reach 200. In time, the worm and its copies can occupy a considerable share of the system’s drives.

Its distribution potential is quite high. It propagates via P2P networks and removable drives – alongside a copy of itself, it also drops an AUTORUN.INF file so that every time the drives are used, the copy of the worm is automatically executed.
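The two behaviours described above, many same-content copies under different names in a shared folder and an AUTORUN.INF on a removable drive, can be checked for with a short scan. This is an added example, not code from Trend Micro or from the worm; the function names, the extension list, the `min_names` threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}   # assumed set of extensions to inspect
AUTORUN_KEYS = {"open", "shellexecute", r"shell\open\command"}

def duplicate_clusters(root, min_names=5):
    """Map digest -> paths for executables whose identical bytes appear under >= min_names names."""
    clusters = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        clusters[hashlib.sha256(f.read()).hexdigest()].append(path)
                except OSError:
                    continue  # locked or unreadable file: skip it, keep scanning
    return {d: sorted(p) for d, p in clusters.items()
            if len({os.path.basename(x).lower() for x in p}) >= min_names}

def autorun_targets(drive_root):
    """Return the programs an AUTORUN.INF in drive_root would launch."""
    targets = []
    for name in os.listdir(drive_root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(drive_root, name), errors="replace") as f:
                for line in f:
                    key, sep, value = line.partition("=")
                    if sep and key.strip().lower() in AUTORUN_KEYS:
                        targets.append(value.strip())
    return targets

def build_sample(root):
    """Constructed sample: six same-content files, one unrelated file, one AUTORUN.INF."""
    names = ("game_keygen", "office_crack", "editor_setup", "player_patch", "av_full", "cad_serial")
    files = {n + ".exe": b"constructed-identical-bytes" for n in names}
    files.update({"legit_tool.exe": b"other-bytes",
                  "AUTORUN.INF": b"[autorun]\r\nopen=game_keygen.exe\r\n"})
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(duplicate_clusters(tmp), autorun_targets(tmp))
```

Grouping by content hash rather than by name is what makes the check independent of whichever software titles the worm picks on a given run.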

The worm has – so far – not shown any destructive tendencies. However, its source code is available on various underground forums, so the possibility of it being modified to drop other malware or to open backdoors into the system can’t be disregarded.
