Email-Worm.Win32.Prolin

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet by using MS Outlook. The worm itself is a Windows EXE file about 37Kb in length, written in Visual Basic. The worm spreads in the standard MW97_Melissa-like way: it opens the MS Outlook address book, obtains addresses from it, and sends copies of itself to those addresses. The message reads as follows:

Subject: A great Shockwave flash movie
Message text:

Check out this new flash movie that I downloaded just now … It’s Great
Bye

Attachment name: creative.exe

The worm then sends a “notification” message to its author to report the newly infected computer:

To: z14xym432@yahoo.com
Subject: Job complete
Message text: Got yet another idiot

The worm also creates copies of itself on the C: disk with the following names:

C:\creative.exe
C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe

The second copy is placed in the auto-run directory so it will be activated upon each Windows restart.

The worm has a dangerous payload. It scans all disk drives, finds ZIP, MP3, and JPG files, and moves them to the root of the C: drive under the following name:

C:\%victimfile%change atleast now to LINUX

For example, BGAMEX.JPG and DATA.ZIP are moved to:

C:\BGAMEX.JPGchange atleast now to LINUX
C:\DATA.ZIPchange atleast now to LINUX

The worm also creates the text file “c:\messageforu.txt”, writes the following text to it, and appends a list of the removed files, for example:

Hi, guess you have got the message. I have kept a list of files that I
have infected under this. If you are smart enough just reverse back the
process. i could have done far better damage, i could have even
completely wiped your harddisk. Remember this is a warning & get it sound
and clear… – The Penguin
C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.JPG
C:\BACKUP\DATA.ZIP
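
Because the payload only moves and renames files and records their original locations in messageforu.txt, the damage can be planned out for reversal. The following is an added example, not part of the original description: it pairs renamed files in the root of C: with the paths listed in the note and flags the cases that need manual review. It assumes the note lists full Windows paths; the function names and sample data are constructed for illustration.

```python
import ntpath
import re

SUFFIX = "change atleast now to LINUX"    # marker appended by the payload
EXTS = (".zip", ".mp3", ".jpg")           # file types the payload targets
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")  # assumption: note holds full paths


def parse_note(note_text):
    """Return the original paths listed in the note, skipping its prose."""
    lines = (l.strip() for l in note_text.splitlines())
    return [l for l in lines if PATH_RE.match(l) and l.lower().endswith(EXTS)]


def plan_restore(note_text, root_names):
    """Pair renamed files in C:\\ with original paths from the note."""
    by_base = {}
    for original in parse_note(note_text):
        by_base.setdefault(ntpath.basename(original).lower(), []).append(original)
    moves, ambiguous, unlisted = [], [], []
    for name in sorted(root_names):
        if not name.endswith(SUFFIX):
            continue                      # not touched by the payload
        base = name[: -len(SUFFIX)]
        candidates = by_base.get(base.lower(), [])
        src = "C:\\" + name
        if len(candidates) == 1:
            moves.append((src, candidates[0]))
        elif candidates:
            ambiguous.append((src, candidates))  # same name from several folders
        else:
            unlisted.append(src)                 # renamed but absent from the note
    return moves, ambiguous, unlisted


# Constructed sample input modelled on the description above.
SAMPLE_NOTE = r"""and clear... - The Penguin
C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.JPG
C:\BACKUP\DATA.ZIP
D:\MUSIC\SONG.MP3
E:\OLD\SONG.MP3
"""
SAMPLE_ROOT = ["AUTOEXEC.BAT", "BGAMEX.JPG" + SUFFIX, "DATA.ZIP" + SUFFIX,
               "SONG.MP3" + SUFFIX, "PHOTO.JPG" + SUFFIX]

if __name__ == "__main__":
    for group in plan_restore(SAMPLE_NOTE, SAMPLE_ROOT):
        print(group)
```

Files with the same name moved from different folders collide in the root of C:, so only one copy can exist there; those entries are reported as ambiguous rather than restored automatically.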