Duload
Aliases: Worm.P2P.Duload, W32.Duload

Type: Peer-to-Peer file sharing virus
Systems Affected: Windows systems using the KaZaA network.
Payload: Creates file share on affected users' drives
ITW: Yes
Origin:

Description: According to Kaspersky Labs, Duload drops a copy of itself, named SYSTEMCONFIG.EXE, to the C:\Windws\System folder. The Duload worm then modifies the registry to load in start-up, by placing the value 'Windows System Configure=C:\Windows\System\SystemConfig.exe' to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Duload also creates a subdirectory under C:\Windows\System titled 'Media'. The worm shares the directory as part of the KaZaA network and places multiple instances of itself in the directory using provocative titles such as: Alicia Silverstone Payboy Nude.exe DDos Client.exe Email Bomber.exe Free Porn.exe Hoes For You Solitare.exe Jenna Jamison Dildo Humping.exe Shakira Dancing.exe Xbox Iso 2 Rom Converter.exe Warcraft 3 Battle.net Crack.exe

A more complete list of titles can be found here.

As users of the file-sharing networks download these titles, more persons become infected. The Duload worm also has the capability to act as a Trojan downloader.