Parvulus
Type: P2P worm
Creator: Retro
Date Discovered: 13-APR-2006
Place of Origin: Wiltshire, United Kingdom
Source Language: C#
Platform: .NET
File Type(s): .exe
Infection Length: 49,152 bytes
Reported Costs:

Parvulus, also known as Lupar and Antiped, is a worm infecting the .NET platform. It spreads through peer-to-peer networks and network shares. It also opens a backdoor, looks for possible child pornography images, and sends information about the system to the person who wrote it. It appeared in Ready Rangers Liberation Front magazine.

Behavior

Parvulus comes through Kazaa, Limewire, BearShare, eDonkey, and DCPlusPlus file share folders. It will have one of the following file names:

  • My_Girl_9yo_042.jpg.exe
  • pthc_pre-Slideshow.87pixs.jpg.exe
  • Pedo - 2 13yo girl masturbating 14yo boy.jpg.exe
  • preteen - Emily 7yr pedo fuck.jpg.exe
  • NEW! 2_Pedo Pedofilia Kids Child Porn 666.jpg.exe
  • 2 9yo girls and 12yo boy.jpg.exe

[Image: A Parvulus icon]

It may also arrive in a shared folder under a random name. When executed, Parvulus creates the file PARVULUS.EXE in a randomly chosen folder that already exists on the system. It creates the registry key HKEY_CURRENT_USER\Software\Retro\Parvalus, where it stores information about the worm.

Parvulus then creates the folder "\p\a\r\v\u\l\u\s" in the system folder. It scans all folders on the system for .JPG files with the following strings and places them in the \p\a\r\v\u\l\u\s folder if it finds them:

  • pthc
  • Photo By Carl - Pedo
  • preteen
  • childlover
  • child porn
  • 8yo
  • 9yo
  • 10yo
  • 11yo
  • 12yo

It creates a text file with a random file name plus .txt in the System folder. In this file it stores the computer name, the OS version, the system's IP address, host name, user name, time the worm was executed, and the names of the .jpg files moved.

Parvulus opens a backdoor by connecting to the FTP server ftp.host.sk with the user name parvulus, and the password f455464pp9. It uploads the text file with the system information to this server. It also runs an FTP server on the infected computer with a copy of itself named PARVULUS.EXE.

It adds the following registry key if any .jpg files are moved:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\shutdown = cmd.exe /c shutdown -f
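
The following is an added example, not code from the original page or from any vendor tool: a Python triage helper that checks a collected file listing and registry dump for the artifacts described above. The sample paths and registry lines are constructed, the function names are hypothetical, the registry input is assumed to be in the flattened `key\value = data` form used on this page, and the double-extension check is generalized from `.jpg.exe` to other image extensions.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the behaviour described on this page.
DROPPED_NAME = "parvulus.exe"
STAGING_DIR = ("p", "a", "r", "v", "u", "l", "u", "s")
REG_INDICATORS = (
    r"hkey_current_user\software\retro\parvalus",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run\shutdown",
)
# Lure pattern: an image extension immediately followed by .exe (assumed set).
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.exe$", re.IGNORECASE)

def check_path(path):
    """Return the reasons a Windows file path matches; empty list if none."""
    p = PureWindowsPath(path)
    parts = tuple(part.lower() for part in p.parts)
    reasons = []
    if p.name.lower() == DROPPED_NAME:
        reasons.append("dropped-copy-name")
    if DOUBLE_EXT.search(p.name):
        reasons.append("image-double-extension")
    n = len(STAGING_DIR)
    if any(parts[i:i + n] == STAGING_DIR for i in range(len(parts) - n + 1)):
        reasons.append("staging-folder")
    return reasons

def check_registry(line):
    """True if a registry dump line references one of the keys above."""
    return any(ind in line.lower() for ind in REG_INDICATORS)

def triage(paths, reg_lines):
    """Return ({path: reasons}, [matching registry lines])."""
    hits = {p: r for p in paths if (r := check_path(p))}
    reg_hits = [line for line in reg_lines if check_registry(line)]
    return hits, reg_hits

# Constructed sample input (not from a real host).
SAMPLE_PATHS = [
    r"C:\Users\a\Shared\holiday_photo.jpg.exe",
    r"C:\Program Files\Common Files\PARVULUS.EXE",
    r"C:\WINDOWS\system32\p\a\r\v\u\l\u\s\img001.jpg",
    r"C:\Users\a\Pictures\cat.jpg",
]
SAMPLE_REG = [
    r"HKEY_CURRENT_USER\Software\Retro\Parvalus",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\shutdown = cmd.exe /c shutdown -f",
    r"HKEY_CURRENT_USER\Software\Microsoft\Notepad",
]
```

Calling `triage(SAMPLE_PATHS, SAMPLE_REG)` returns the matching paths with their reasons and the matching registry lines.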

Name

"Parvulus" is Latin for "little one". Retro has given previous viruses and worms Latin names, such as Idoneus (worthy) and Letum (lethargy). This particular name was probably chosen because it involved young children.

Origin

Parvulus was coded by Retro in Britain in 1996. It was coded in C# and works mostly under version 2.0 of the .NET framework. It can theoretically infect Windows Mobile and Pocket PC devices.

Sources

Retro. Ready Rangers Liberation Front Magazine. Parvulus Source Code.

Symantec Security Response, MSIL.Lupar.A. 16-APR-2006

VSantivirus, Lupar.A. Se propaga vía recursos compartidos y P2P. 16-APR-2006

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License