Name: Worm.P2P.Gotor Category: Viruses Description: Details Worm.P2P.Gotorm This is a Worm virus. It spreads through the peer-to-peer network Kazaa. Additionally, it performs some spying functions, gathering data on certain games installed on the affected PC. This worm is a Windows application (PE EXE-file). It is written in Visual C, and its size is 196 608 bytes. Installation During installation the worm produces the following false error message concerning the archive extraction: Subsequently it writes itself into the Windows directory under the following name: mrowyekdc.exe This installation of the worm is then registered in the auto run key within the system registry: HKLMSoftwareMicrosoftWindowsCurrentVersionRun SVCHOST = %WindowsDir%mrowyekdc.exe Spreading The worm creates a folder named "User Files" in the Windows directory and writes itself into it under the following names: Starcraft + Broodwar 1.10 map hack.exe Starcraft + Broodwar 1.10 no-cd hack.exe Diablo 2 map hack.exe Diablo 2 no-cd hack.exe Jamella's Diablo 2 hero editor.exe Warcraft 3 map hack.exe Warcraft 3 stat hack.exe Warcraft 3 no-cd hack.exe Warcraft 3 Frozen Throne map hack.exe Warcraft 3 Frozen Throne cd-cd hack.exe The Frozen Throne map hack.exe Counterstrike hacks.exe Counterstrike aim hack.exe This folder is then noted in the Windows system registry as Local Content for the file exchange network Kazaa: HKCUSoftwareKazaaLocalContent dir0 = 012345:%Windir%User Files DisableSharing = "0 As a result, the files contained in this folder become available for download to other users of P2P networks. Spy function The worm checks the system registry for keys relating to popular computer games (Counter Strike, Diablo, Warcraft, Starcraft) and sends gathered data to the worm's "owner" using an SMTP-server connection. Miscellaneous The worm checks the system's date and time. If the month of the worm's activation is earlier than August it ceases performing its functions and deletes all its entries in the system registry.