Wings_of_Azrael
December 18th, 2002, 01:51 AM
I'm doing a scan with McAfee's FreeScan and C:\_RESTORE\ARCHIVE\FS2.CAB came up as a "New P2P Worm." So I searched for it on Google, and all that came up was a brief reference in a post on a German message board. The translation was incomprehensible to me. Anyone have any idea if this is a real virus or just a false positive? Thanks for any helpful replies.
CCSDUDE
December 18th, 2002, 02:22 AM
Originally posted by Wings_of_Azrael
I'm doing a scan with McAfee's FreeScan and C:\_RESTORE\ARCHIVE\FS2.CAB came up as a "New P2P Worm." So I searched for it on Google, and all that came up was a brief reference in a post on a German message board. The translation was incomprehensible to me. Anyone have any idea if this is a real virus or just a false positive? Thanks for any helpful replies.
This may be it.....?
http://vx.netlux.org/news_body.shtml#1037001167
No word on any virus program sites....sooooo I donno.
I think I've found it.....
Virus Name: W32/Duload.worm
Risk Assessment: Home Users: Low-Profiled; Corporate Users: Low-Profiled
Virus Information:
Date Discovered: 8/21/2002
Date Added: 8/22/2002
Origin: Unknown
Length: 18,432 bytes
(7,680 bytes UPX packed)
Type: Virus
SubType: P2P Worm
DAT Required: 4220
Virus Characteristics:
-- Update August 22, 2002 --
The risk assessment was updated to Low-Profiled due to media attention.
Written in Visual Basic 6, this worm attempts to spread via KaZaa peer-to-peer file-sharing networks.
McAfee products with program heuristics enabled with the 4215 DATs or greater, detect the unpacked worm as 'virus or variant New P2P Worm'.
The worm installs itself to %WinDir%\System as SYSTEMCONFIG.EXE (eg. c:\Windows\System\systemconfig.exe).
The following Registry keys are added to run the worm at subsequent system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Windows system Configure" = C:\WINDOWS\SYSTEM\SystemConfig.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Windows system Configure" = C:\WINDOWS\SYSTEM\SystemConfig.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Windows system Configure" = C:\WINDOWS\SYSTEM\SystemConfig.exe
The worm copies itself into the following directory (creating it if necessary): %WinDir%\System\Media. Various filenames are used, designed to entice other KaZaa users to run the worm:
Alicia Silverstone Payboy Nude.exe
Bingo.exe
Britney Spears Dance Beat.exe
DDos Client.exe
Email Bomber.exe
FileServer.exe
Flash Golf.exe
Free Mpegs.exe
Free Pics.exe
Free Porn.exe
Hoes For You Solitare.exe
Hotmail Hacker.exe
Irc Client.exe
J.Lo Bikini Screensaver.exe
Jenna Jamison Dildo Humping.exe
Kama Sutra Tetris.exe
Kazaa Clone.exe
Mirc 7.0.exe
Napster Clone.exe
Pamela Anderson And Tommy Lee Home Video.exe
Play Games Online For FREE.exe
Ps2 Emulator.exe
Ps2 Iso 2 Rom Converter.exe
Shakira Dancing.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
System Monitor.exe
The Sims Game Crack.exe
Universal Game Crack.exe
Warcraft 3 Battle.net Crack.exe
Website Hacker.exe
Win A Ps2.exe
Win An Xbox.exe
Winace.exe
Windows Hacker.exe
Winmx.exe
Winrar.exe
Winzip.exe
Working Iso Burner.exe
Xbox Emulator.exe
Xbox Iso 2 Rom Converter.exe
Various KaZaa settings are then modified by setting the following Registry keys:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"Dir0" = C:\WINDOWS\SYSTEM\Media\
HKEY_LOCAL_MACHINE\Software\Kazaa\CloudLoad
"ShareDir" = C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"Dir1" = C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"Dir2" = 012345:C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"DisableSharing" = 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"DlDir0" = 012345:C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"DlDir1"= C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"DlDir99" = 012345:C:\WINDOWS\SYSTEM\Media\
Additionally, the worm attempts to download an executable file from a specific URL. It attempts to download the file to C:\UNINSTALL.EXE, and if successful executes it. At the time of writing, this remote file was not available at the URL specified within the worm.
Indications Of Infection:
Existence of the file %WinDir%\System\SystemConfig.exe
Existence of multiple (identical) files in %WinDir%\System\Media\ matching the names listed above
Method Of Infection:
This worm spreads via KaZaa file-sharing networks by enticing users into downloading and running itself.
Removal Instructions:
All Users:
Use specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
Aliases:
W32/Duload.worm.a, W32/Duload.worm.b
Have a good one bro.....clean your PC! LOL
Tata...
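A script that checks for the indicators in the McAfee write-up pasted above (the three autorun entries, the KaZaa share directories pointed at %WinDir%\System\Media, and the lure filenames). This is an added example, not McAfee's tool and not code from anyone in the thread. It assumes the registry was exported with `regedit /e` (the REGEDIT4 text format Windows 9x/ME writes) and that %WinDir%\System\Media was listed separately; the export and the listing below are constructed samples, the lure-name set is a subset of the list above, and the helper names (`parse_reg_export`, `find_duload_indicators`, `check_sample`) are this example's own.

```python
"""Check a Windows 9x/ME registry export and a folder listing for the
W32/Duload.worm indicators in the McAfee write-up quoted above.

Added example, not McAfee's tool and not anything posted in the thread.
Assumes the registry was exported with `regedit /e` (REGEDIT4 text format)
and %WinDir%\\System\\Media was listed; both inputs below are constructed
samples, and the lure names are a subset of the list above.
"""
import re
from typing import Dict, List

# Persistence indicators from the write-up.
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
PERSISTENCE_VALUE = "windows system configure"   # value name, lower-cased
DROPPER_NAME = "systemconfig.exe"

# KaZaa keys the worm rewrites so that %WinDir%\System\Media gets shared.
KAZAA_KEYS = (
    r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent",
    r"HKEY_LOCAL_MACHINE\Software\Kazaa\CloudLoad",
    r"HKEY_CURRENT_USER\Software\Kazaa\Transfer",
)
SHARE_DIR_TAIL = "\\system\\media\\"

# Subset of the lure filenames listed above (lower-cased for comparison).
LURE_NAMES = {
    "kazaa clone.exe", "winzip.exe", "winrar.exe", "hotmail hacker.exe",
    "xbox emulator.exe", "system monitor.exe", "napster clone.exe",
}

_SZ_RE = re.compile(r'"([^"]+)"="(.*)"$')
_DWORD_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key_path: {value_name: data}}.

    Only string (REG_SZ) and dword values are kept; dwords come back as
    decimal strings so "DisableSharing"=dword:00000000 compares as "0".
    Key paths and value names are lower-cased (the registry is case-insensitive).
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _SZ_RE.match(line)
        if m:
            # .reg files escape a quote as \" and a backslash as \\
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1).lower()] = data
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1).lower()] = str(int(m.group(2), 16))
    return keys


def find_duload_indicators(reg: Dict[str, Dict[str, str]],
                           media_files: List[str]) -> List[str]:
    """Return one line per indicator found; an empty list means none."""
    findings: List[str] = []

    for key in PERSISTENCE_KEYS:
        data = reg.get(key.lower(), {}).get(PERSISTENCE_VALUE)
        if data and data.lower().endswith(DROPPER_NAME):
            findings.append(f"autorun entry: {key} -> {data}")

    for key in KAZAA_KEYS:
        values = reg.get(key.lower(), {})
        redirected = False
        for name, data in values.items():
            if name.startswith(("dir", "dldir", "sharedir")) \
                    and SHARE_DIR_TAIL in data.lower():
                redirected = True
                findings.append(f"kazaa share redirected: {key}\\{name} = {data}")
        # DisableSharing=0 is normal for a sharing user; only report it
        # when the same key has already been pointed at the worm's folder.
        if redirected and values.get("disablesharing") == "0":
            findings.append(f"kazaa sharing forced on: {key}\\DisableSharing = 0")

    lures = sorted(f for f in media_files if f.lower() in LURE_NAMES)
    if lures:
        findings.append("lure files in Media folder: " + ", ".join(lures))
    return findings


# Constructed sample export from an infected Windows ME box (not real data).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Windows system Configure"="C:\\WINDOWS\\SYSTEM\\SystemConfig.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows system Configure"="C:\\WINDOWS\\SYSTEM\\SystemConfig.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="C:\\WINDOWS\\SYSTEM\\Media\\"
"Dir2"="012345:C:\\WINDOWS\\SYSTEM\\Media\\"
"DisableSharing"=dword:00000000

[HKEY_CURRENT_USER\Software\Kazaa\Transfer]
"DlDir0"="012345:C:\\WINDOWS\\SYSTEM\\Media\\"
"""

# Constructed listing of %WinDir%\System\Media on the same box.
SAMPLE_MEDIA_FILES = ["Kazaa Clone.exe", "WinZip.exe", "readme.txt", "Xbox Emulator.exe"]


def check_sample() -> List[str]:
    """Run the check over the constructed sample and return the findings."""
    return find_duload_indicators(parse_reg_export(SAMPLE_REG), SAMPLE_MEDIA_FILES)


if __name__ == "__main__":
    for line in check_sample():
        print(line)
```

On a real box you would feed `parse_reg_export` the contents of the `regedit /e` output file and `find_duload_indicators` an `os.listdir` of the Media folder; the FS2.CAB hit in C:\_RESTORE is a System Restore archive copy, so the live indicators above are what tell you whether the machine itself is running the worm rather than merely holding a restore-point copy of it.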
Rickio
December 18th, 2002, 10:23 AM
Like, aren't there new viruses and worms discovered and out almost every day? According to Panda Antivirus, they update each day, if not a few times a day, for the new crap.