I-Worm/Luder

I-Worm/LUDER.A

infector:

size: 27136
packer: PE_Patch.PECompact,PecBundle
MD5: FFEC6711580B6067599E1A715D18C2E8

size: 32768
packer: PE_Patch.PECompact,PecBundle
MD5: 0E13101667E34299ADC7DB7C73DBA2C1

size: 52736
packer: no
MD5: A1AA203E9D783FB526BA7A569CE42593

size: 78848
packer: no
MD5: 3D3BAC32CBA050903F9DC92516912916

size: 77824
packer: no
MD5: 8C077E994AA2438937F0DAB128DD1881

size: 81920
packer: no
MD5: 5E2C8442F7D3C1C689BC6EA351C48010

Of course, there is a possibility of more variants.

Names, aliases:

Win32/Luder.worm.27648.B (AhnLab-V3), Worm/Luder.A.2 (AntiVir), Win32:Luder-H (Avast), Worm.Luder.A-2 (ClamAV), Win32.HLLM.Duel (DrWeb), Win32.Luder.a (eSafe), Win32/Malum.BKCF (eTrust-Vet), Worm.Luder.a (Ewido), W32/Duel.A@mm (Fortinet), Email-Worm.Win32.Luder.a (F-Secure), Email-Worm.Win32.Luder.A (Ikarus), Email-Worm.Win32.Luder.a (Kaspersky), W32/Duel@MM (McAfee), Win32/Luder (NOD32v2), W32/Luder.A@mm (Norman), W32.Luder@mm (Sunbelt), W32.Luder@mm (Symantec), W32/Luder.a (TheHacker), Email-Worm.Win32.Luder.a (VBA32), I-Worm.Luder.C (VirusBuster), Worm.Luder.A.2 (Webwasher-Gateway)

Behavior:

Combination of an i-worm and a file infector of PE files.

i-worm: copies itself under many different names.

In the first step it creates its own copy named Duel.exe, with the hidden attribute set, in the folder %SystemRoot%\system32.

After that, it creates entries under these registry keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

to run this copy.

In the next step it starts propagating itself under generic names on the disk drive from which it was originally executed. At the same time it also modifies PE EXE files. There is always a pair of files in the same folder: one with a generic name and the .duel extension, and an infected PE with the .EXE extension.

Note that it also infects .RAR archive files (whether or not they contain EXE files). It adds two copies of itself, with generic names and the .EXE extension, to the root of the archive.

It runs under its own name and is visible in the task list as a process until a restart, shutdown or logout/login. There are no stealth or rootkit features. After that it runs as Duel.exe, also visible on the Processes tab of the task list.

Parasitic file infector:

Modifies PE EXE files, keeping the original size and time stamp. It modifies the code and leaves the file corrupted (this is caused by an error in the viral code).

An infected file is always modified at the end of its first section, in the free space left by section alignment. There it writes 0x98 bytes of viral code and rewrites the entry point to this address; at the end of its code it writes a jump to the original entry point. The viral code consists mainly of API function calls that run the WinExec function with the name of the paired .duel file, which keeps the infector alive.
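The infection layout described above gives a simple triage heuristic: an entry point that sits in the tail of the first section, where a 0x98-byte stub would overrun the section's declared VirtualSize, together with a .duel file in the same folder. The script below is an added example for scanning suspect files and is not the AVG remover or the author's code; it assumes the infector leaves VirtualSize unchanged (the description does not say) and uses a constructed header-only PE for its sample input.

```python
import struct

LUDER_STUB_LEN = 0x98  # size of the viral stub, as stated in the description

def first_section_and_entry(data: bytes):
    """Parse just enough PE to return (entry_rva, VirtualSize, VirtualAddress,
    SizeOfRawData) of the first section, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24                                           # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sect = opt + opt_size                                   # first IMAGE_SECTION_HEADER
    if num_sections == 0 or len(data) < sect + 40:
        return None
    vsize, vaddr, rawsize = struct.unpack_from("<III", data, sect + 8)
    return entry_rva, vsize, vaddr, rawsize

def entry_in_first_section_slack(data: bytes, stub_len: int = LUDER_STUB_LEN) -> bool:
    """Luder writes its stub at the end of the first section, in the padding left by
    section alignment, and points AddressOfEntryPoint at it. Flag a file whose entry
    point lies in the first section and where a stub_len-byte stub starting there
    would run past the declared VirtualSize (assumes VirtualSize is left unchanged)."""
    parsed = first_section_and_entry(data)
    if parsed is None:
        return False
    entry_rva, vsize, vaddr, rawsize = parsed
    in_section = vaddr <= entry_rva < vaddr + max(vsize, rawsize)
    return in_section and entry_rva + stub_len > vaddr + vsize

def duel_companions(names) -> list:
    """From a folder listing (e.g. os.listdir), return the '.duel' files the infector keeps beside infected EXEs."""
    return sorted(n for n in names if n.lower().endswith(".duel"))

def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed minimal PE (headers only, not a real program) with one section:
    VirtualAddress 0x1000, VirtualSize 0x1000, SizeOfRawData 0x1200."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x1000, 0, 0, entry_rva).ljust(0xE0, b"\0")
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x1200, 0x400)
    return dos + b"PE\0\0" + coff + opt + sect.ljust(40, b"\0")
```

A hit on both checks is a reason to pull the file for closer inspection, not a verdict; legitimately packed binaries can also place their entry point in odd places.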

Remover:

Usage:

Rmluder (check and repair all accessible disk drives)
Rmluder C: (check and repair entire C drive)
Rmluder C: D: (check and repair C and D drives)
Rmluder C:\Windows (check and repair files in folder C:\Windows)
Rmluder C:\Windows\explorer.exe (check and repair C:\Windows\explorer.exe)

Remover features:

If AVG is installed, the remover registers itself correctly with the Resident Shield to avoid a collision with it.

If a locked file is found (one that cannot be opened), the remover arranges for the removal to take place after the computer is rebooted, at a point when system files are not yet locked.

The files RMVIRUS.DOS and Rmvirus32.nt are part of the remover and handle repairs before Windows 98 or Windows 2000 boots.

You must have administrator privileges to run the remover; the remover checks this at the beginning.

Repaired files differ from the originals (except for a few), but they work.

Download the following three files rmluder.exe, rmluder.nt and rmluder.dos and run the rmluder.exe.
