Worm:Win32/Prolaco.gen!C http://www.securityhome.eu/malware/malware.php?mal_id=101659340549db6cc479b3e0.45108438
Author SecurityHome.eu
Published: 07 April 2009
Aliases: Worm:Win32/Prolaco.gen!C is also known as Trojan.Win32.Buzus.apot (Kaspersky), W32/Buzus.LGC (Norman), W32/Autorun-ABH (Sophos), Win32/Merond.G (ESET), Win32/Fruspam.S (CA), IRC/Flood.dr (McAfee), W32.Ackantta.B@mm (Symantec).
Explanation:
Worm:Win32/Prolaco.gen!C is a worm that spreads via e-mail, removable drives and peer-to-peer file sharing networks. This worm also lowers security settings and installs Win32/Vundo. Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
* The presence of the following files:
* The presence of the following registry modifications: Adds value: "Sun Java Updater v7.11" With data: "
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Installation
Worm:Win32/Prolaco.gen!C creates the following files upon execution: *
*
*
It modifies the registry to execute its copy at each Windows start: Adds value: "Sun Java Updater v7.11" With data: "
E-mail
certific cisco clamav contact debian drweb eset.com example f-secure feste firefox ghisler.com gold-certs honeynet honeypot ibm.com icrosof icrosoft idefense ikarus inpris isc.o isi.e jgsoft kaspersky kernel lavasoft linux listserv mcafee messagelabs mit.e mozilla mydomai nobody nodomai noone nothing novirusthanks ntivi nullsoft.org panda postmaster prevx privacy qualys quebecor.com rating redhat rfc-ed ruslis samba samples secur security sendmail service slashdot somebody someone sopho sourceforge ssh.com submit sun.com support syman sysinternals tanford.e the.bat usenet utgers.ed virus virusbuster webmaster winamp wireshark www.ca.com
The worm then performs mail exchanger (MX) queries of the domain names in the gathered e-mail addresses to guess the correct associated mail server. Win32/Prolaco.gen!C uses the following strings as a prefix to guess the MX record:
mx.%s mail.%s smtp.%s mx1.%s mxs.%s mail1.%s relay.%s ns.%s gate.%s
E-mail messages are generated by the worm and sent to the collected e-mail addresses. Messages may be in the following or similar format:
From: [email protected]
Subject: You have received A Hallmark E-Card!
Attachment: postcard.exe
(Note: The message body is in HTML format. The background content - images, references, and so on - are rendered from the official Hallmark website.)
P2P File Sharing Networks
Win32/Prolaco.gen!C copies itself to the following shared folders of popular peer-to-peer file sharing applications:
* %ProgramFiles%\icq\shared folder
* %ProgramFiles%\grokster\my grokster
* %ProgramFiles%\emule\incoming
* %ProgramFiles%\morpheus\my shared folder
* %ProgramFiles%\limewire\shared
* %ProgramFiles%\tesla\files
* %ProgramFiles%\winmx\shared
* C:\Downloads
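Added detection example, not part of the original advisory: the MX-guessing behaviour described above (a fixed set of host-name prefixes resolved for every harvested domain) shows up in resolver logs as one client querying many guessed mail-host names across many domains. The log line layout, the client addresses and the domains below are constructed for the example.

```python
import re
from collections import defaultdict

# Host-name prefixes the worm prepends to a harvested e-mail domain to guess
# its mail server (the "mx.%s", "mail.%s", ... list in the advisory above).
MX_GUESS_PREFIXES = {"mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate"}

# Constructed resolver log in an assumed "<time> <client> query: <name> <type>"
# layout. 10.0.0.5 behaves like the worm; 10.0.0.9 is an ordinary webmail user.
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 query: mx.example.org A
10:00:01 10.0.0.5 query: mail.example.org A
10:00:01 10.0.0.5 query: smtp.example.org A
10:00:02 10.0.0.5 query: mx1.example.net A
10:00:02 10.0.0.5 query: relay.example.net A
10:00:03 10.0.0.5 query: gate.example.com A
10:00:03 10.0.0.5 query: ns.example.com A
10:00:05 10.0.0.9 query: mail.example.org A
10:00:06 10.0.0.9 query: www.example.org A
"""

LINE_RE = re.compile(r"^\S+ (?P<client>\S+) query: (?P<name>\S+) \S+$")

def parse_dns_log(text):
    """Yield (client, queried name) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("name").lower().rstrip(".")

def mx_guess_domain(name):
    """Return the parent domain if `name` matches a worm guess pattern, else None."""
    label, _, parent = name.partition(".")
    return parent if label in MX_GUESS_PREFIXES and "." in parent else None

def find_mx_guessers(text, min_domains=3, min_prefixes=4):
    """Flag clients that resolve many guessed mail-host names across many domains.

    A single "mail.<domain>" lookup is normal (webmail, a mail client); the worm's
    signature is one client cycling through the whole prefix set for domain after
    domain, so both distinct-prefix and distinct-domain counts must be high.
    """
    seen = defaultdict(lambda: {"domains": set(), "prefixes": set()})
    for client, name in parse_dns_log(text):
        parent = mx_guess_domain(name)
        if parent is not None:
            seen[client]["domains"].add(parent)
            seen[client]["prefixes"].add(name.split(".", 1)[0])
    return sorted(c for c, s in seen.items()
                  if len(s["domains"]) >= min_domains and len(s["prefixes"]) >= min_prefixes)
```

The thresholds are tunable; raise them on networks where a legitimate MTA or mail relay is expected to resolve many mail hosts.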
The worm may create copies of itself in these folders with the following enticing filenames:
* Absolute Video Converter 6.2.exe
* Ad-aware 2009.exe
* Adobe Acrobat Reader keygen.exe
* Adobe Photoshop CS4 crack.exe
* Alcohol 120 v1.9.7.exe
* AnyDVD HD v.6.3.1.8 Beta incl crack.exe
* Avast 4.8 Professional.exe
* AVS video converter6.exe
* BitDefender AntiVirus 2009 Keygen.exe
* CheckPoint ZoneAlarm And AntiSpy.exe
* CleanMyPC Registry Cleaner v6.02.exe
* Daemon Tools Pro 4.11.exe
* Divx Pro 6.8.0.19 + keymaker.exe
* Download Accelerator Plus v8.7.5.exe
* Download Boost 2.0.exe
* DVD Tools Nero 9 2 6 0.exe
* G-Force Platinum v3.7.5.exe
* Google Earth Pro 4.2. with Maps and crack.exe
* Grand Theft Auto IV (Offline Activation).exe
* Internet Download Manager V5.exe
* K-Lite codec pack 3.10 full.exe
* K-Lite codec pack 4.0 gold.exe
* Kaspersky Internet Security 2009 keygen.exe
* LimeWire Pro v4.18.3.exe
* Magic Video Converter 8 0 2 18.exe
* Microsoft Office 2007 Home and Student keygen.exe
* Microsoft Visual Studio 2008 KeyGen.exe
* Microsoft.Windows 7 Beta1 Build 7000 x86.exe
* Motorola, nokia, ericsson mobil phone tools.exe
* Myspace theme collection.exe
* Nero 9 9.2.6.0 keygen.exe
* Norton Anti-Virus 2009 Enterprise Crack.exe
* Opera 9.62 International.exe
* PDF password remover (works with all acrobat reader).exe
* Perfect keylogger family edition with crack.exe
* Power ISO v4.2 + keygen axxo.exe
* Smart Draw 2008 keygen.exe
* Sony Vegas Pro 8 0b Build 219.exe
* Sophos antivirus updater bypass.exe
* Super Utilities Pro 2009 11.0.exe
* Total Commander7 license+keygen.exe
* Tuneup Ultilities 2008.exe
* Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
* Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
* Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
* VmWare keygen.exe
* Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
* Windows 2008 Enterprise Server VMWare Virtual Machine.exe
* Windows XP PRO Corp SP3 valid-key generator.exe
* Windows2008 keygen and activator.exe
* WinRAR v3.x keygen RaZoR.exe
* Youtube Music Downloader 1.0.exe
Removable Drives
Win32/Prolaco.gen!C copies itself to the following location on removable drives:
It then creates '
Web Servers
If the worm infects a computer that is running IIS, it attempts to replace the legitimate Web root or Index file stored in the folder '%root%\inetpub\wwwroot\index.htm' with a page containing the following message:
Security warning! Your browser affected by the DirectAnimation Path ActiveX vulnerability. Please install the following MS09-067 hotfix in order to be able to watch this website.
'MS09-067' is a hyperlink to a dropped copy of the worm, for example: '%root%\inetpub\wwwroot\ms09-067.exe'.
Payload
Lowers Security Settings
Win32/Prolaco.gen!C makes the following changes to an infected system, which result in lowered security settings:
* Adds the worm as an authorized application in the Windows firewall policy by modifying the registry: Sets value: "
* Disables update notifications and the auto-update feature for Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start = dword:00000004
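Added triage example, not part of the original advisory: a small parser for a regedit .reg export that checks a host for the registry changes listed above (UpdatesDisableNotify, the wuauserv Start value, and the "Sun Java Updater v7.11" autorun value). The Run subkey and the dropped-file path are assumptions, since the page truncates both, and the sample export is constructed.

```python
import re

SECURITY_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
WUAUSERV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv"
AUTORUN_VALUE_NAME = "Sun Java Updater v7.11"  # value name quoted in the advisory

# Constructed .reg export carrying the settings the advisory describes plus benign
# noise. The Run subkey and the data path are assumptions (the page truncates both).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Updater v7.11"="C:\\PLACEHOLDER\\dropped.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')  # default (@) values ignored

def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export; dword data becomes int."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
            tree.setdefault(key, {})
        elif key and (m := VALUE_RE.match(line)):
            data = m.group("data")
            if data.startswith("dword:"):
                data = int(data[6:], 16)  # hex, as regedit writes it
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            tree[key][m.group("name")] = data
    return tree

def prolaco_registry_findings(text):
    """List the advisory's registry payload indicators present in a .reg export."""
    tree = parse_reg(text)
    findings = []
    if tree.get(SECURITY_CENTER_KEY, {}).get("UpdatesDisableNotify") == 1:
        findings.append("Security Center UpdatesDisableNotify=1: update notifications off")
    if tree.get(WUAUSERV_KEY, {}).get("Start") == 4:
        findings.append("wuauserv Start=4: Windows Update service disabled")
    for key, values in tree.items():  # any *\Run key is checked (assumption)
        if key.lower().endswith("\\run") and AUTORUN_VALUE_NAME in values:
            findings.append(f"autorun value {AUTORUN_VALUE_NAME!r} -> {values[AUTORUN_VALUE_NAME]}")
    return findings
```

Export the hives with `reg export` on the suspect host and feed the file's text to `prolaco_registry_findings`; the firewall AuthorizedApplications\List entry is left for manual review because the page does not preserve the worm's path.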
Deletes Files
Worm:Win32/Prolaco.gen!C searches for the installation directory of the file Mcshield.exe by looking at the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine\szInstallDir. If found, it deletes this file. This file may be related to McAfee security software.
Additional Information
Win32/Prolaco.gen!C connects to the Web site 'whatismyip.com' to retrieve the IP address of the infected machine. The worm may also query the following web sites to obtain further information:
gin.ntt.net whois.ripe.net whois.afrinic.net whois.v6nic.net whois.nic.or.kr whois.apnic.net whois.nic.ad.jp whois.arin.net whois.lacnic.net whois.nic.br whois.twnic.net rwhois.gin.ntt.net
Analysis by Elda Dimakiling
Last update 07 April 2009