W32/Pepa-A is a worm and IRC backdoor Trojan for the Windows platform.
W32/Pepa-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to, and control over, the computer via IRC channels.
W32/Pepa-A attempts to spread via peer-to-peer applications, IRC and MSN Messenger.
The worm contains functionality to log keypresses, participate in denial-of-service attacks and download further executable code.
When first run, W32/Pepa-A copies itself to:
<Startup>\MSN Messenger.exe
<Startup>\Windows XP pro.exe
<Startup>\NetDaemon.exe
<Startup>\Windows Services.exe
\My Downloads\101_Porn_Movies.exe
\My Downloads\Hotmail_Hacker_Pro.exe
\My Downloads\Paris_Hilton_Sex_Video.scr
\My Downloads\WinXpPro.exe
\My Shared Folder\101_Porn_Movies.exe
\My Shared Folder\Hotmail_Hacker_Pro.exe
\My Shared Folder\Paris_Hilton_Sex_Video.scr
\My Shared Folder\WinXpPro.exe
<Program Files>\BearShare\Shared\101_Porn_Movies.exe
<Program Files>\BearShare\Shared\Hotmail_Hacker_Pro.exe
<Program Files>\BearShare\Shared\Paris_Hilton_Sex_Video.scr
<Program Files>\BearShare\Shared\WinXpPro.exe
<Program Files>\Grokster\My Grokster\101_Porn_Movies.exe
<Program Files>\Grokster\My Grokster\Hotmail_Hacker_Pro.exe
<Program Files>\Grokster\My Grokster\Paris_Hilton_Sex_Video.scr
<Program Files>\Grokster\My Grokster\WinXpPro.exe
<Program Files>\KaZaA\My Shared Folder\101_Porn_Movies.exe
<Program Files>\KaZaA\My Shared Folder\Hotmail_Hacker_Pro.exe
<Program Files>\KaZaA\My Shared Folder\Paris_Hilton_Sex_Video.scr
<Program Files>\KaZaA\My Shared Folder\WinXpPro.exe
<Program Files>\Kmd\My Shared Folder\101_Porn_Movies.exe
<Program Files>\Kmd\My Shared Folder\Hotmail_Hacker_Pro.exe
<Program Files>\Kmd\My Shared Folder\Paris_Hilton_Sex_Video.scr
<Program Files>\Kmd\My Shared Folder\WinXpPro.exe
<Program Files>\Limewire\My Shared Folder\101_Porn_Movies.exe
<Program Files>\Limewire\My Shared Folder\Hotmail_Hacker_Pro.exe
<Program Files>\Limewire\My Shared Folder\Paris_Hilton_Sex_Video.scr
<Program Files>\Limewire\My Shared Folder\WinXpPro.exe
<Program Files>\MSN Messenger\shared folder\101_Porn_Movies.exe
<Program Files>\MSN Messenger\shared folder\Hotmail_Hacker_Pro.exe
<Program Files>\MSN Messenger\shared folder\Paris_Hilton_Sex_Video.scr
<Program Files>\MSN Messenger\shared folder\WinXpPro.exe
<Program Files>\Messenger\shared folder\101_Porn_Movies.exe
<Program Files>\Messenger\shared folder\Hotmail_Hacker_Pro.exe
<Program Files>\Messenger\shared folder\Paris_Hilton_Sex_Video.scr
<Program Files>\Messenger\shared folder\WinXpPro.exe
<Program Files>\Morpheus\My Shared Folder\101_Porn_Movies.exe
<Program Files>\Morpheus\My Shared Folder\Hotmail_Hacker_Pro.exe
<Program Files>\Morpheus\My Shared Folder\Paris_Hilton_Sex_Video.scr
<Program Files>\Morpheus\My Shared Folder\WinXpPro.exe
<Program Files>\Shareaza\Downloads\101_Porn_Movies.exe
<Program Files>\Shareaza\Downloads\Hotmail_Hacker_Pro.exe
<Program Files>\Shareaza\Downloads\Paris_Hilton_Sex_Video.scr
<Program Files>\Shareaza\Downloads\WinXpPro.exe
<Program Files>\eDonkey2000\Incoming\101_Porn_Movies.exe
<Program Files>\eDonkey2000\Incoming\Hotmail_Hacker_Pro.exe
<Program Files>\eDonkey2000\Incoming\Paris_Hilton_Sex_Video.scr
<Program Files>\eDonkey2000\Incoming\WinXpPro.exe
<Program Files>\eDonkey2000\My Shared Folder\101_Porn_Movies.exe
<Program Files>\eDonkey2000\My Shared Folder\Hotmail_Hacker_Pro.exe
<Program Files>\eDonkey2000\My Shared Folder\Paris_Hilton_Sex_Video.scr
<Program Files>\eDonkey2000\My Shared Folder\WinXpPro.exe
<Program Files>\icq\Shared Files\101_Porn_Movies.exe
<Program Files>\icq\Shared Files\Hotmail_Hacker_Pro.exe
<Program Files>\icq\Shared Files\Paris_Hilton_Sex_Video.scr
<Program Files>\icq\Shared Files\WinXpPro.exe
<Program Files>\mirc\downloads\101_Porn_Movies.exe
<Program Files>\mirc\downloads\Hotmail_Hacker_Pro.exe
<Program Files>\mirc\downloads\Paris_Hilton_Sex_Video.scr
<Program Files>\mirc\downloads\WinXpPro.exe
<Program Files>\overnet\incoming\101_Porn_Movies.exe
<Program Files>\overnet\incoming\Hotmail_Hacker_Pro.exe
<Program Files>\overnet\incoming\Paris_Hilton_Sex_Video.scr
<Program Files>\overnet\incoming\WinXpPro.exe
<Windows>\Profiles\All Users\Start Menu\Programs\StartUp\MSN Messenger.exe
<Windows>\Profiles\All Users\Start Menu\Programs\StartUp\Windows XP pro.exe
<Windows>\WinServices.exe
<System>\mswin.exe
and may create the following files:
<Windows>\Registration\(02D4B3F1-FD88-11D1-960D-00805FC79235). (B228AB93-5BA2-499C-9833-0B6A6412C9A2).crmlog
<System>\Logfiles\w3svc1\ex061107.log
<Windows>\temp.reg
The following registry entries are created to run mswin.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
mscom32
<System>\mswin.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mscom32
<System>\mswin.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\NetDaemon\
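
The following is an added example, not part of the original description: a triage check that looks for the Run-key entry, the NetDaemon key and the dropped file names listed above in a registry export and a file listing. The function names, the `reg export` text format as input and both samples are assumptions made for illustration.

```python
import ntpath
import re

RUN_VALUE, RUN_TARGET = "mscom32", "mswin.exe"  # indicators here are from the description above
LURES = {"101_porn_movies.exe", "hotmail_hacker_pro.exe",
         "paris_hilton_sex_video.scr", "winxppro.exe"}
STARTUP = {"msn messenger.exe", "windows xp pro.exe",
           "netdaemon.exe", "windows services.exe"}
MARKER_KEY = r"hkey_local_machine\software\microsoft\netdaemon"
# Constructed sample input, not taken from a real host.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mscom32"="C:\\WINDOWS\\system32\\mswin.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDaemon]
'''
SAMPLE_PATHS = [r"C:\Program Files\KaZaA\My Shared Folder\WinXpPro.exe",
                r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NetDaemon.exe",
                r"C:\Program Files\MSN Messenger\msnmsgr.exe"]

def parse_reg(text):
    """Parse 'reg export' style text into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"(.*?)"="(.*)"$', line)):
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def scan_registry(keys):
    """Flag the Run-key autostart entry and the NetDaemon marker key."""
    hits = []
    for key, values in keys.items():
        low = key.lower()
        if low.startswith(MARKER_KEY):
            hits.append(("marker-key", key))
        if low.endswith(r"\currentversion\run"):
            hits += [("run-entry", f"{key}\\{n} -> {d}") for n, d in values.items()
                     if n.lower() == RUN_VALUE or ntpath.basename(d).lower() == RUN_TARGET]
    return hits

def scan_paths(paths):
    """Flag lure copies anywhere and the worm's file names inside a Startup folder."""
    hits = []
    for p in paths:
        base = ntpath.basename(p).lower()
        if base in LURES or (base in STARTUP and "startup" in p.lower()):
            hits.append(("dropped-file", p))
    return hits
```

Matching is case-insensitive and on file name only, so a hit is a lead for an analyst to confirm, not proof of infection.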