Worm virus that spoofs Google site

From: Prosperity4
Published: Thu Sep 22 2005

A worm that is spreading over file-sharing networks is redirecting users to a site that mimics Google.

The worm attempts to spread by copying itself using the name "Knights of the Old Republic 2," which refers to a Star Wars related video game. When users run the file, an error message pops up and the computer is then infected with the worm dubbed P2Load.A.

Packaged to look like a small online freebie, the -byte worm throws up a fake error message when run. The poorly worded prompt encourages Windows (XP, 2000, 2003, NT, ME, 98) users to click on the OK button to download a current version of "vb2.dll". Instead, an infection ensues.

The spoofed page is an exact copy of Google, supports Google's 17 languages, and still redirects users who mistype the address (for example 'wwwgoogle.com', 'www.gogle.com' or 'www.googel.com'), so users are not aware of the change.

The creator of this worm has taken advantage of the importance of a company appearing among the first few links in the search results of an Internet browser.

Its aims are none other than to increase visits to the pages linked by the creator of this malware, or to earn an income from companies that want to appear in the first few results on computers where the identity of Google has been spoofed: in both cases, the motivation of the author of this malware is purely financial.

There are fears that this spoof Google could be used as a new way to lure people into phishing scams.

Eliminating the worm on an infected PC requires that the hosts file be restored from an earlier version and the deletion of the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Winlogin = %sysdir%\winlogin.exe

...where %sysdir% is the Windows system directory.
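As an added illustration, not part of the original article and not code from Panda or Symantec, the following Python script shows how a defender can check a hosts file for the kind of entries this worm plants: any line that maps google.com, or one of the mistyped variants mentioned above, to an address. The sample hosts content and the 203.0.113.45 address are constructed for the example.

```python
# Names the article says the worm redirects via the hosts file:
# google.com itself plus the mistyped variants it also catches.
HIJACK_TARGETS = ("google.com", "gogle.com", "googel.com")

# Constructed sample hosts file: one legitimate entry, three hijacked lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.google.com google.com
203.0.113.45    wwwgoogle.com
203.0.113.45    www.gogle.com www.googel.com
"""


def _is_suspect_host(name):
    """True if the hostname is google.com, a subdomain of it, one of the
    typo variants, or the 'www' glued directly onto a target (wwwgoogle.com)."""
    n = name.lower().rstrip(".")
    for target in HIJACK_TARGETS:
        if n == target or n.endswith("." + target) or n == "www" + target:
            return True
    return False


def find_hosts_hijacks(hosts_text):
    """Return (line_no, ip, hostname) for every entry that maps a Google-looking
    name to an address. A clean hosts file never needs such lines, so any hit
    is an indicator of this kind of redirection and worth investigating."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if _is_suspect_host(name):
                hits.append((no, ip, name))
    return hits


def strip_hijacks(hosts_text):
    """Remediation helper: return the hosts text with every flagged line
    removed, which is what 'restoring' the file amounts to for these entries."""
    bad = {no for no, _, _ in find_hosts_hijacks(hosts_text)}
    kept = [l for i, l in enumerate(hosts_text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, host in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

On a real Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the script only reports and rewrites text, it does not touch the registry entry, which must still be removed separately.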

A quick reboot then sets things right again. Alternatively, users are advised to run a virus scan. Panda and Symantec both detect and remove the worm.

P2load.A carries a "medium" threat level.
Company: Prosperity4
Contact Name: Liam Paulus
Contact Email: liamp@prosperity4.com
Contact Phone: 0800 5877474