P2P-Worm.Win32.Palevo

Detect Date 06/26/2009
Class P2P-Worm
Platform Win32
Description

In order to simulate legitimacy, the worm’s file contains dummy information about the file:

The worm locates a process corresponding to a window with the class “Progman” (this is how the malware finds the “explorer.exe” process) and injects its code into this process, then ceases running.

The code injected into this process installs itself and provides backdoor functionality. To do this, it connects to the following remote hosts:

prcoli***nica.com
krete***epotice.ru
somb***osting.net
84.***.194
dz***tarts.com

Following a command from the malicious user, the worm can perform the following actions:

  1. Download files to the infected computer and launch them for execution. The downloaded files are saved in the user’s temporary folder under random names:
    %Temp%\<rnd>.exe

    where <rnd> is a random number.

    It can save the downloaded files under the names “Crack.exe” and “Keygen.exe” to P2P network file sharing directories located on the local machine. It can also save them in the following directory:

    %ALLUSERSPROFILE%\Local Settings\Application Data\Ares\My Shared Folder

    It obtains the names of P2P network file sharing directories by analyzing the parameters of these system registry keys:

    [HKCU\Software\BearShare\General]
    [HKCU\Software\iMesh\General]
    [HKCU\Software\Shareaza\Shareaza\Downloads]
    [HKCU\Software\Kazaa\LocalContent]
    [HKCU\Software\DC++]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1]

  2. Change the content of the “hosts” file:

    %System%\etc\hosts

    This means that it can block access to the Internet resources visited by the user, or redirect the user to other resources.

  3. Conduct a DoS attack on a server specified by the malicious user.
  4. Copy the worm’s body to all write-accessible network and removable drives.

    It also places the accompanying file shown below in the root of every disk:

    <X>:\autorun.inf

    where <X> is the letter of the network drive or removable disk. At the same time, it assigns “hidden” and “system” attributes to the copies of the worm.

    This file launches the executable file from the copy of the worm each time the user accesses the infected disk using Explorer.

  5. Send the names of the Internet resources and their passwords to the malicious user’s address when the user uses the following browsers:

    Mozilla Firefox
    Internet Explorer
    Opera
    
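A host-side triage script for items 1 and 4 above, added here as an example and not code from the Kaspersky entry. It assumes that each P2P client stores its share directory as a string value directly under the listed registry key (the entry does not name the value), and uses the Win32_LogicalDisk drive types 2 (removable) and 4 (network) to pick the drives that item 4 describes.

```powershell
# Added triage script, not from the Kaspersky entry. Assumption: each P2P client keeps its
# share/download directory as a string value directly under the listed key (the entry does
# not name the value), so every string value that resolves to an existing folder is checked.
$P2PKeys = @(
    'HKCU:\Software\BearShare\General',
    'HKCU:\Software\iMesh\General',
    'HKCU:\Software\Shareaza\Shareaza\Downloads',
    'HKCU:\Software\Kazaa\LocalContent',
    'HKCU:\Software\DC++',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1'
)
$DroppedNames = @('Crack.exe', 'Keygen.exe')

function Get-P2PShareFolders {
    $folders = @()
    foreach ($key in $P2PKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $value = $item.GetValue($name)
            if ($value -is [string] -and $value -and
                (Test-Path -LiteralPath $value -PathType Container)) { $folders += $value }
        }
    }
    # The Ares folder is hard-coded in the description rather than read from the registry.
    $folders += Join-Path $env:ALLUSERSPROFILE 'Local Settings\Application Data\Ares\My Shared Folder'
    $folders | Sort-Object -Unique
}

function Find-PalevoArtifacts {
    # Item 1: Crack.exe / Keygen.exe dropped into P2P share folders.
    foreach ($folder in Get-P2PShareFolders) {
        foreach ($name in $DroppedNames) {
            $candidate = Join-Path $folder $name
            if (Test-Path -LiteralPath $candidate) {
                Get-Item -LiteralPath $candidate -Force | Select-Object FullName, Length, LastWriteTime,
                    @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
            }
        }
    }
    # Item 4: autorun.inf plus hidden+system files in the root of removable (2) or network (4) drives.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 }) {
        $root = $disk.DeviceID + '\'
        if (-not (Test-Path -LiteralPath (Join-Path $root 'autorun.inf'))) { continue }
        Get-ChildItem -LiteralPath $root -Force -File | Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and ($_.Attributes -band [IO.FileAttributes]::System)
        } | Select-Object FullName, Attributes, LastWriteTime
    }
}
Find-PalevoArtifacts | Format-Table -AutoSize
```

Any hit is only a lead: a hidden, system-attributed file next to autorun.inf, or a Crack.exe in a share folder, should be hashed and checked before being treated as this worm.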

At the time of writing, the worm downloaded its updated version from the following URL, then launched it for execution:

http://188.***.27/jebacina/418.exe