W32/Pusia.A Worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Pusia.A Worm

Information about the W32/Pusia.A Worm:

W32/Pusia.A is a mass mailing worm. The worm will infect Windows systems and spreads through email.

Upon execution, the worm creates:

03.vbs, 04.vbs and 05.vbs in the Windows folder,
pusia.cat, pusia.pkv and pusia.pkr in the SystemDrive.

It modifies the registry at the following location to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm also modifies the following registry entries, to disable Regedit and Task Manager:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explîrer\"NoClose"

The worm also checks for the following registry subkey:

HKEY_CURRENT_USER\Software\Mail.Ru\Agent

It stores the gathered information in the %SystemDrive%\pusia.cat file and emails this to the attacker. The email has the following characteristics:

The 'To' address of the email will be:

pusiacat@bk.ru

The 'From' address of the email will be:

PusiA (EMAIL ADDRESS)

where (EMAIL ADDRESS) is any of the following:
demon@mail.ru, satana@mail.ru or soulriver@mail.ru

The 'Subject' of the email will be:

[CONTENTS OF PUSIA.PKR]

The 'Body' of the email will be:

"Çà âñå îáèäû !!! Çà âñ¸ ïëîõîå !!! Çà âñ¸ !!! Çà âñ¸ !!! Ïðîñòè... "

The name of the 'attachment' will be:

pusia.cat

The worm then scans the following folder, including the subfolders to gather the email addresses:
%UserProfile%\Application Data\Mra

The worm sends emails to all the gathered email addresses, that contains a URL which links to a copy of the worm or other threats. One email is sent every 65 seconds. The email has the following characteristics:

The 'From' address of the email will be:

Oòêðûòêè Mail.ru (EMAIL ADDRESS)

The 'Subject' of the email will be:

Âàì ïðèøëà îòêðûòêà îò : [CONTENTS OF PUSIA.PKR]

The 'Body' of the email will be:

Çäðàâñòâóéòå, íà Âàøå èìÿ îòïðàâëåíà îòêðûòêà. Îòïðàâèòåëü îòêðûòêè: "&line&" Îòêðûòêà æä¸ò [REMOVED] ñêîïèðóéòå åå â àäðåñíóþ ñòðîêó èíòåðíåò-áðàóçåðà. Îòêðûòêà áóäåò äîæèäàòüñÿ Âàñ â òå÷åíèå 90 äíåé.

This worm first appeared on June 17, 2007.

Other names of W32/Pusia.A Worm:

This Worm is also known as W32.Pusia.A@mm.

Download the FREE Evaluation copy of Protector Plus antivirus software

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2009 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

Special Offer Order Protector Plus Antivirus software Now and get SpamChoke Antispam Software worth $29.95 FREE!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus anti virus software