Of course, further variants are possible.
Win32/Luder.worm.27648.B (AhnLab-V3), Worm/Luder.A.2 (AntiVir), Win32:Luder-H (Avast), Worm.Luder.A-2 (ClamAV), Win32.HLLM.Duel (DrWeb), Win32.Luder.a (eSafe), Win32/Malum.BKCF (eTrust-Vet), Worm.Luder.a (Ewido), W32/Duel.A@mm (Fortinet), Email-Worm.Win32.Luder.a (F-Secure), Email-Worm.Win32.Luder.A (Ikarus), Email-Worm.Win32.Luder.a (Kaspersky), W32/Duel@MM (McAfee), Win32/Luder (NOD32v2), W32/Luder.A@mm (Norman), W32.Luder@mm (Sunbelt), W32.Luder@mm (Symantec), W32/Luder.a (TheHacker), Email-Worm.Win32.Luder.a (VBA32), I-Worm.Luder.C (VirusBuster), Worm.Luder.A.2 (Webwasher-Gateway)
A combination of an i-worm and a file infector of PE files.
i-worm: Copies itself under many different names.
In the first step, it creates a copy of itself named Duel.exe, with the hidden attribute, in the folder %SystemRoot%\system32.
After that, it creates these registry keys
to run this copy.
In the next step, it starts propagating itself under generic names on the disk drive from which it was originally executed. At the same time, it also modifies PE EXE files. There is always a pair of files in the same folder: one with a generic name and the .duel extension, and an infected PE file with the .EXE extension.
Note that it also infects .RAR archive files (whether or not they contain EXE files). It adds two copies of itself, with generic names and the .EXE extension, to the root of each archive.
It runs under its own name, visible in the task list as a process, until restart, shutdown or logout/login. There are no stealth or rootkit features. After that, it runs as Duel.exe, also visible in the task list on the Processes tab.
Parasitic file infector:
Modifies PE EXE files while keeping the original size and time stamp. It modifies the code and leaves the file corrupted (caused by an error in the viral code).
An infected file is always modified at the end of its first section (in the free space left by section alignment). The virus writes 0x98 bytes of viral code there and rewrites the entry point to this address; at the end of its code it writes a jump to the original entry point. The viral code consists mainly of API function calls leading to a WinExec call with the name of the paired .duel file, which keeps the infector alive.
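A triage check for the infection pattern described above, as an added example that is not part of the original description or of the Rmluder tool: it parses the PE headers and flags files whose entry point lies in the first section's alignment slack with room for 0x98 bytes. It assumes the infector leaves the section's VirtualSize unchanged; the function names and the sample header are constructed for illustration.

```python
import struct

STUB_LEN = 0x98  # length of the viral code given in the description

def first_section_slack(pe: bytes):
    """Return (entry_rva, slack_start_rva, slack_end_rva) of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", pe, nt + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)  # SizeOfOptionalHeader
    if nsect == 0:
        raise ValueError("no sections")
    opt = nt + 24                                        # optional header start
    (entry,) = struct.unpack_from("<I", pe, opt + 16)    # AddressOfEntryPoint
    # First section header: VirtualSize, VirtualAddress, SizeOfRawData
    vsize, vaddr, rawsize = struct.unpack_from("<III", pe, opt + opt_size + 8)
    if vsize == 0:            # no usable boundary recorded: report empty slack
        vsize = rawsize
    return entry, vaddr + vsize, vaddr + rawsize

def entry_in_slack(pe: bytes) -> bool:
    """True when the entry point sits in the padding after the first
    section's real content and leaves room for STUB_LEN bytes."""
    entry, start, end = first_section_slack(pe)
    if start >= end:          # VirtualSize >= SizeOfRawData: no slack at all
        return False
    return start <= entry and entry + STUB_LEN <= end

def build_sample(entry_rva: int, vsize: int = 0x1234) -> bytes:
    """Constructed PE32 headers with one section; not a real executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    sect = struct.pack("<8sIIII", b".text", vsize, 0x1000, 0x1400, 0x400)
    return dos + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0") + sect.ljust(40, b"\0")

if __name__ == "__main__":
    for rva in (0x1100, 0x2400 - STUB_LEN):
        print(hex(rva), "suspicious" if entry_in_slack(build_sample(rva)) else "ok")
```

A hit is only a lead for closer inspection, for example looking for a .duel file in the same folder as the flagged executable.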
Rmluder (check and repair all accessible disk drives)
Rmluder C: (check and repair entire C drive)
Rmluder C: D: (check and repair C and D drives)
Rmluder C:\Windows (check and repair files in folder C:\Windows)
Rmluder C:\Windows\explorer.exe (check and repair C:\Windows\explorer.exe)
If AVG is installed, the remover correctly registers itself with the Resident Shield to avoid a collision with it.
If a locked file is found (unable to open), the remover arranges for removal after the computer boots, at a time when system files are not yet locked.
The files RMVIRUS.DOS and Rmvirus32.nt are part of the remover, used for repairing before Windows 98 or Windows 2000 boots.
You must have administrator privileges to run the remover; the remover tests this at the beginning.
Repaired files differ from the originals (except for a few), but they work.