W32/Cult-B spreads via file sharing on KaZaA networks and by emailing itself to random email addresses.
The email has the following characteristics:
Subject line: Hi, I sent you an eCard from BlueMountain.com
Message text: To view your eCard, open the attachment If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Attached file: BlueMountaineCard.pif
When first run, the worm moves itself to the Windows system folder as wuauqmr.exe and creates the following registry entries so that wuauqmr.exe runs automatically each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\NvCpTDaemon = wuauqmr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
\NvCpTDaemon = wuauqmr.exe
The worm creates the folder jdfghtrg in the Windows system folder and copies itself to this folder using the following filenames:
ACDSee 5.5.exe
Ad-aware 6.5.exe
Age of Empires 2 crack.exe
aim cracker.exe steal usernames.exe
aim password cracker aol cracker.exe
Animated Screen 7.0b.exe
Anno 1503_crack.exe
AOL Instant Messenger.exe
aol password cracker.exe
AquaNox2 Crack.exe
Audiograbber 2.05.exe
AVP_Crack.exe
BabeFest 2003 ScreenSaver 1.5.exe
Babylon 3.50b reg_crack.exe
Battlefield1942_bloodpatch.exe
Battlefield1942_keygen.exe
BitDefender.KeyGen.exe
Borland KeyGens.exe
Business Card Designer Plus 7.9.exe
C&C Generals_crack.exe
C&C Renegade_crack.exe
Clone CD 5.0.0.3 (crack).exe
Clone CD 5.0.0.3.exe
Coffee Cup Free HTML 7.0b.exe
Cool Edit Pro v2.55.exe
Crack McAfee 7.exe
Crack Norton 3000.exe
Diablo 2 Crack.exe
DirectDVD 5.0.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
DivX 5.03 Codecs.exe
divx pro.exe
DivX Video Bundle 6.5.exe
Download accelarator.exe
Download Accelerator Plus 6.1.exe
driver.exe
DVD Copy Plus v5.0.exe
DVD Region-Free 2.3.exe
FIFA2003 crack.exe
Final Fantasy VII XP Patch 1.5.exe
Flash MX crack (trial).exe
FlashGet 1.5.exe
FreeRAM XP Pro 1.9.exe
GetRight 5.0a.exe
Global DiVX Player 3.0.exe
Gothic 2 licence.exe
GTA 3 Crack.exe
GTA 3 patch (no cd).exe
GTA 3 Serial.exe
gta3.exe
Guitar Chords Library 5.5.exe
HackNTTools.zip .exe
Hitman_2_no_cd_crack.exe
Hot Babes XXX Screen Saver.exe
hotgirls.exe
how to hack.exe
how to use a shell.pif
ICQ Lite (new).exe
ICQ Pro 2003a.exe
ICQ Pro 2003b (new beta).exe
iMesh 3.6.exe
iMesh 3.7b (beta).exe
IrfanView 4.5.exe
KaZaA Hack 2.5.0.exe
KaZaA Lite (New).exe
KaZaA Speedup 3.6.exe
Links 2003 Golf game (crack).exe
Living Waterfalls 1.3.exe
Mafia_crack.exe
Matrix Screensaver 1.5.src
MediaPlayer Update.exe
mIRC 6.40.exe
MP3 encoder_decoderV1.8.exe
mp3Trim PRO 2.5.exe
MSN Messenger 5.2.exe
NBA2003_crack.exe
Need 4 Speed crack.exe
Nero Burning ROM crack.exe
Netfast 1.8.exe
Network Cable e ADSL Speed 2.0.5.exe
Neverwinter_Nights_licence.exe
NHL 2003 crack.exe
Nimo CodecPack (new) 8.0.exe
Nod32Crack.exe
PaintShop Pro 7 Crack_By_Force.exe
PalTalk 5.01b.exe
PANDA.AVers.lusers.exe
PANDA.lusers.exe
play station emulator crack.exe
play station emulator.exe
Pop-Up Stopper 3.5.exe
Popup Defender 6.5.exe
porn.exe
QuickTime_Pro_Crack.exe
Serials 2003 v.8.0 Full.exe
SM.exe
SmartFTP 2.0.0.exe
SmartRipper v2.7.exe
SMS_sender.exe
SophosCrackAllVersion.exe
Space Invaders 1978.exe
Splinter_Cell_Crack.exe
Steinberg_WaveLab_5_crack.exe
Trillian 0.85 (free).exe
TweakAll 3.8.exe
Unreal2_bloodpatch.exe
Unreal2_crack.exe
UT2003_bloodpatch.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
UT2003_patch.exe
Virtua Girl (Full).exe
virtua girl - adriana.pif
virtua girl - bailey short skirt.pif
warcraft 3 crack.exe
100 free essays school.pif
warcraft 3 serials.pif
WarCraft_3_crack.exe
Winamp 3.8.exe
WindowBlinds 4.0.exe
WinOnCD 4 PE_crack.exe
WinZip 9.0b.exe
worldbook.exe
Yahoo Messenger 6.0.exe
Zelda Classic 2.00.exe
ZoneAlarm Pro KeyGen.exe
zoneallarm_pro_crack.exe
The worm makes the jdfghtrg folder shareable on KaZaA networks by creating the registry entry:
HKCU\Software\Kazaa\LocalContent\Dir0
= 012345:%SYSTEM%\jdfghtrg\
Each time the worm is run, it performs a Denial-of-Service attack on either www.chat-planet.nl or chat.planet.nl by repeatedly creating and destroying connections to the chosen site.
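A defensive check for the registry indicators listed above, as an added example (not part of the original description or any vendor tool): it parses the text of a regedit .reg export and reports the Run/RunOnce and KaZaA Dir0 values the worm creates. The sample export, the C:\WINDOWS\System32 path and the function names are constructed for illustration, and the hive is ignored when matching.

```python
import re

# Indicators from the description above: (key suffix, value name, data substring).
# Assumption: the hive is ignored, so a hit under HKLM or HKCU counts either way.
INDICATORS = [
    (r"\software\microsoft\windows\currentversion\run", "nvcptdaemon", "wuauqmr.exe"),
    (r"\software\microsoft\windows\currentversion\runonce", "nvcptdaemon", "wuauqmr.exe"),
    (r"\software\kazaa\localcontent", "dir0", "\\jdfghtrg"),
]
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) per string value; input is decoded .reg text."""
    # regedit writes exports as UTF-16, so decode the file before calling this.
    key = None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_cult_b(text):
    """Return the (key, name, data) triples that match a W32/Cult-B indicator."""
    return [
        (key, name, data)
        for key, name, data in parse_reg(text)
        for suffix, ind_name, ind_data in INDICATORS
        if key.lower().endswith(suffix) and name.lower() == ind_name
        and ind_data in data.lower()
    ]

# Constructed sample export: two worm entries plus a benign look-alike
# value name (NvCplDaemon) that must not match.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCpTDaemon"="wuauqmr.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\WINDOWS\\System32\\jdfghtrg\\"
'''

if __name__ == "__main__":
    print(*find_cult_b(SAMPLE), sep="\n")
```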