Worm:Win32/Prolaco.gen!C http://www.securityhome.eu/malware/malware.php?mal_id=101659340549db6cc479b3e0.45108438

Worm:Win32/Prolaco.gen!C

Article URL malware.php?mal_id=101659340549db6cc479b3e0.45108438

Author SecurityHome.eu

Published: 07 April 2009

Aliases:

Worm:Win32/Prolaco.gen!C is also known as: Trojan.Win32.Buzus.apot (Kaspersky), W32/Buzus.LGC (Norman), W32/Autorun-ABH (Sophos), Win32/Merond.G (ESET), Win32/Fruspam.S (CA), IRC/Flood.dr (McAfee), W32.Ackantta.B@mm (Symantec).

Explanation:

Worm:Win32/Prolaco.gen!C is a worm that spreads via e-mail, removable drives and peer-to-peer file sharing networks. The worm also lowers security settings and installs Win32/Vundo. Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements; its components may also download and execute arbitrary files.

Symptoms

System Changes

The following system changes may indicate the presence of this malware:

* The presence of the following files: jucshed.exe, javase11.exe, .dll

* The presence of the following registry modifications:

Adds value: "Sun Java Updater v7.11"
With data: "jucshed.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Sets value: "jucshed.exe"
With data: "jucshed.exe:*:enabled:explorer"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List


Installation

Worm:Win32/Prolaco.gen!C creates the following files upon execution:

* jucshed.exe --> a copy of the worm

* javase11.exe --> detected as Trojan:Win32/Vundo.KO

* .dll --> detected as Trojan:Win32/Vundo.gen!AJ

It modifies the registry to execute its copy at each Windows start:

Adds value: "Sun Java Updater v7.11"
With data: "jucshed.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Note - the System folder is a variable location that the malware determines by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

Spreads Via...

E-mail

Win32/Prolaco.gen!C gathers e-mail addresses to send itself to from files on the affected machine with the following extensions: .doc .htm .pdf .chm .txt

The worm avoids collecting e-mail addresses that contain any of the following strings (most of them belong to security vendors, software projects, abuse/postmaster mailboxes and other recipients likely to analyse or report the mail):

abuse accoun acd-group acdnet.com acdsystems.com acketst admin ahnlab alcatel-lucent.com anyone apache arin. berkeley bluewin.ch borlan bpsoft.com buyrar.com
certific cisco clamav contact debian drweb eset.com example f-secure feste firefox ghisler.com gold-certs honeynet honeypot ibm.com icrosof icrosoft idefense ikarus inpris isc.o isi.e jgsoft kaspersky kernel linux listserv mcafee messagelabs mit.e mozilla mydomai nobody nodomai noone nothing novirusthanks ntivi nullsoft.org panda postmaster prevx privacy qualys quebecor.com rating redhat rfc-ed ruslis samba samples secur security sendmail service slashdot somebody someone
sopho sourceforge ssh.com submit sun.com support syman sysinternals tanford.e the.bat usenet utgers.ed virus virusbuster webmaster winamp wireshark www.ca.com
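The harvesting and exclusion rules above, as an added example (Python, not code from the original analysis and not the worm's own code): it applies the extension filter and the exclusion list to a constructed set of files. The comparison is assumed to be case-insensitive substring matching anywhere in the address, which the page implies but does not state; every address and file below is constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# File types the worm reads when looking for addresses (from the analysis above).
HARVEST_EXTENSIONS = {".doc", ".htm", ".pdf", ".chm", ".txt"}

# Exclusion strings from the analysis above. Matching rule (an assumption, the page
# does not state it): case-insensitive substring, anywhere in the address.
EXCLUDE_SUBSTRINGS = [
    "abuse", "accoun", "acd-group", "acdnet.com", "acdsystems.com", "acketst", "admin",
    "ahnlab", "alcatel-lucent.com", "anyone", "apache", "arin.", "berkeley", "bluewin.ch",
    "borlan", "bpsoft.com", "buyrar.com", "certific", "cisco", "clamav", "contact", "debian",
    "drweb", "eset.com", "example", "f-secure", "feste", "firefox", "ghisler.com",
    "gold-certs", "honeynet", "honeypot", "ibm.com", "icrosof", "icrosoft", "idefense",
    "ikarus", "inpris", "isc.o", "isi.e", "jgsoft", "kaspersky", "kernel", "linux",
    "listserv", "mcafee", "messagelabs", "mit.e", "mozilla", "mydomai", "nobody", "nodomai",
    "noone", "nothing", "novirusthanks", "ntivi", "nullsoft.org", "panda", "postmaster",
    "prevx", "privacy", "qualys", "quebecor.com", "rating", "redhat", "rfc-ed", "ruslis",
    "samba", "samples", "secur", "security", "sendmail", "service", "slashdot", "somebody",
    "someone", "sopho", "sourceforge", "ssh.com", "submit", "sun.com", "support", "syman",
    "sysinternals", "tanford.e", "the.bat", "usenet", "utgers.ed", "virus", "virusbuster",
    "webmaster", "winamp", "wireshark", "www.ca.com",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def excluded_by(address):
    """Return the first exclusion string contained in the address, or None."""
    lowered = address.lower()
    return next((s for s in EXCLUDE_SUBSTRINGS if s in lowered), None)


def harvest_text(text):
    """Split the addresses found in text into the worm's target list and a
    dict of skipped addresses -> the exclusion string that dropped them."""
    targets, skipped = [], {}
    for addr in sorted(set(EMAIL_RE.findall(text))):
        hit = excluded_by(addr)
        if hit is None:
            targets.append(addr)
        else:
            skipped[addr] = hit
    return targets, skipped


def harvest_tree(root):
    """Walk a directory the way the worm does: only files whose extension is in
    HARVEST_EXTENSIONS are read (as text here; the worm scans raw bytes)."""
    targets, skipped = set(), {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in HARVEST_EXTENSIONS:
            t, s = harvest_text(path.read_text(errors="replace"))
            targets.update(t)
            skipped.update(s)
    return sorted(targets), skipped


# Constructed sample contact list (not real addresses).
SAMPLE_TEXT = """\
Contacts (constructed sample):
alice@example.org, dave@contoso.test, postmaster@contoso.test
karen@insecure-widgets.test
bob@summit.edu
"""


def demo():
    """Build a constructed directory and harvest it; returns (targets, skipped)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "contacts.txt").write_text(SAMPLE_TEXT)
        (root / "page.htm").write_text('<a href="mailto:erin@fabrikam.test">Erin</a>')
        (root / "backup.log").write_text("frank@contoso.test")  # .log: never read by the worm
        return harvest_tree(root)


if __name__ == "__main__":
    targets, skipped = demo()
    print("would be mailed:", targets)
    for addr, why in skipped.items():
        print(f"skipped {addr} (matched {why!r})")
```

Two things to take from the run: any mailbox containing 'secur', 'virus', 'support' or 'abuse' never receives a copy, so a canary address meant to catch this mailing must avoid every string in the list; and the exclusions are blunt, since 'secur' also drops insecure-widgets.test and 'mit.e' (aimed at mit.edu) also drops summit.edu.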

The worm then performs mail exchanger (MX) queries for the domain names in the gathered e-mail addresses to find the associated mail server. Win32/Prolaco.gen!C also uses the following strings as prefixes to guess the mail server's host name (%s is the harvested domain):

mx.%s mail.%s smtp.%s mx1.%s mxs.%s mail1.%s relay.%s ns.%s gate.%s

E-mail messages are generated by the worm and sent to the collected e-mail addresses. Messages may be in the following or similar format:

From: [email protected]
Subject: You have received A Hallmark E-Card!
Attachment: postcard.exe

(Note: The message body is in HTML format. The background content - images, references, and so on - is rendered from the official Hallmark website.)

P2P File Sharing Networks

Win32/Prolaco.gen!C copies itself to the following shared folders of popular peer-to-peer file sharing applications:

%ProgramFiles%\icq\shared folder
%ProgramFiles%\grokster\my grokster
%ProgramFiles%\emule\incoming
%ProgramFiles%\morpheus\my shared folder
%ProgramFiles%\limewire\shared
%ProgramFiles%\tesla\files
%ProgramFiles%\winmx\shared
C:\Downloads

The worm may create copies of itself in these folders with the following enticing filenames:

Absolute Video Converter 6.2.exe
Ad-aware 2009.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Avast 4.8 Professional.exe
AVS video converter6.exe
BitDefender AntiVirus 2009 Keygen.exe
CheckPoint ZoneAlarm And AntiSpy.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
DVD Tools Nero 9 2 6 0.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Grand Theft Auto IV (Offline Activation).exe
Internet Download Manager V5.exe
K-Lite codec pack 3.10 full.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
Microsoft Office 2007 Home and Student keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft.Windows 7 Beta1 Build 7000 x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 9.62 International.exe
PDF password remover (works with all acrobat reader).exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Smart Draw 2008 keygen.exe
Sony Vegas Pro 8 0b Build 219.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe

Removable Drives

Win32/Prolaco.gen!C copies itself to the following location on removable drives:

RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\edmond.exe

It then creates 'Desktop.ini' so that the icon for removable drives appears as a folder icon when viewed in Windows Explorer. The worm creates 'Autorun.inf' which launches the worm copy when the removable drive is attached to a computer that has Autoplay enabled. In addition, the icon for the worm appears as a "closed folder" or file folder when viewed in Windows Explorer.

Web Servers

If the worm infects a computer that is running IIS, it attempts to replace the legitimate Web root or index file stored at '%root%\inetpub\wwwroot\index.htm' with a page containing the following message:

Security warning! Your browser affected by the DirectAnimation Path ActiveX vulnerability. Please install the following MS09-067 hotfix in order to be able to watch this website.

'MS09-067' is a hyperlink to a dropped copy of the worm, for example: '%root%\inetpub\wwwroot\ms09-067.exe'. The bulletin number is part of the lure: following the link downloads the worm, not a Microsoft update, so visitors of the defaced site become the next infection vector.
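The removable-drive layout, the P2P decoy names and the IIS defacement described above can be checked on a mounted image or on a suspect host. The following is an added example, not tooling from the original analysis: it builds a constructed directory tree that mirrors the infected layout (the Windows paths are mapped onto a temporary directory) and runs the checks against it. The contents of autorun.inf and Desktop.ini are assumed, since the page only says that they launch the worm copy and change the drive icon.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from this analysis.
WORM_SID_DIR = "S-1-6-21-2434476521-1645641927-702000330-1542"
WORM_COPY = "edmond.exe"
IIS_LURE_TEXT = "DirectAnimation Path ActiveX"
IIS_DROPPER = "ms09-067.exe"
P2P_DECOY_NAMES = {  # a few of the decoy filenames listed above
    "Adobe Photoshop CS4 crack.exe",
    "Kaspersky Internet Security 2009 keygen.exe",
    "Windows XP PRO Corp SP3 valid-key generator.exe",
}
# autorun.inf keys that make Autoplay run a program: open=, shellexecute=, shell\open\command=
AUTORUN_LAUNCH = re.compile(r"^\s*(open|shellexecute|shell\\open\\command)\s*=\s*(.+?)\s*$", re.I | re.M)


def check_removable_root(root):
    """Indicators on a removable-drive root: autorun.inf pointing at the RECYCLER copy,
    Desktop.ini next to it (the folder-icon disguise) and the copy itself.
    Windows file systems are case-insensitive; the constructed tree uses lower case."""
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for key, target in AUTORUN_LAUNCH.findall(autorun.read_text(errors="replace")):
            normalised = target.replace("\\", "/").lower()
            if WORM_SID_DIR.lower() in normalised and normalised.endswith(WORM_COPY):
                findings.append(f"autorun.inf {key}= launches {target}")
        if (root / "Desktop.ini").is_file():
            findings.append("Desktop.ini alongside autorun.inf (folder-icon disguise)")
    copy = root / "RECYCLER" / WORM_SID_DIR / WORM_COPY
    if copy.is_file():
        findings.append(f"worm copy present: {copy.relative_to(root).as_posix()}")
    return findings


def check_iis_wwwroot(wwwroot):
    """Defaced index.htm carrying the lure text and a link to the dropped copy."""
    findings = []
    index = wwwroot / "index.htm"
    if index.is_file():
        html = index.read_text(errors="replace")
        if IIS_LURE_TEXT in html and IIS_DROPPER in html.lower():
            findings.append("index.htm replaced with the MS09-067 lure page")
    if (wwwroot / IIS_DROPPER).is_file():
        findings.append(f"dropped worm copy: {IIS_DROPPER}")
    return findings


def check_p2p_folder(shared):
    """Decoy executables planted in a P2P shared folder."""
    if not shared.is_dir():
        return []
    return [f"decoy in share: {n}" for n in sorted(p.name for p in shared.iterdir() if p.name in P2P_DECOY_NAMES)]


def build_sample_tree(base):
    """Constructed infected layout (not a real sample). Assumed file contents."""
    drive = base / "E"
    (drive / "RECYCLER" / WORM_SID_DIR).mkdir(parents=True)
    (drive / "RECYCLER" / WORM_SID_DIR / WORM_COPY).write_bytes(b"MZ")
    (drive / "autorun.inf").write_text(f"[autorun]\nopen=RECYCLER\\{WORM_SID_DIR}\\{WORM_COPY}\n")
    (drive / "Desktop.ini").write_text("[.ShellClassInfo]\nIconFile=%SystemRoot%\\system32\\shell32.dll\nIconIndex=3\n")
    www = base / "inetpub" / "wwwroot"
    www.mkdir(parents=True)
    (www / "index.htm").write_text(
        "<html><body>Security warning! Your browser affected by the "
        f"{IIS_LURE_TEXT} vulnerability. Please install the following "
        f'<a href="{IIS_DROPPER}">MS09-067</a> hotfix in order to be able to watch this website.'
        "</body></html>")
    (www / IIS_DROPPER).write_bytes(b"MZ")
    share = base / "Program Files" / "limewire" / "shared"
    share.mkdir(parents=True)
    (share / "Adobe Photoshop CS4 crack.exe").write_bytes(b"MZ")
    (share / "holiday.mp3").write_bytes(b"")  # benign file, must not be reported
    return base


def scan(base):
    return {
        "removable": check_removable_root(base / "E"),
        "iis": check_iis_wwwroot(base / "inetpub" / "wwwroot"),
        "p2p": check_p2p_folder(base / "Program Files" / "limewire" / "shared"),
    }


def demo():
    with tempfile.TemporaryDirectory() as d:
        return scan(build_sample_tree(Path(d)))


if __name__ == "__main__":
    for area, hits in demo().items():
        print(area, hits or "clean")
```

On a real drive, point check_removable_root at the mount point of the removable media; the RECYCLER path, the SID-like directory name and edmond.exe are the indicators, the autorun.inf key names are just the standard ways Autoplay is told what to run.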

Payload

Lowers Security Settings

Win32/Prolaco.gen!C makes the following changes to an infected system, which result in lowered security settings:

* Adds the worm as an authorized application in the Windows Firewall policy by modifying the registry:

Sets value: "jucshed.exe"
With data: "jucshed.exe:*:enabled:explorer"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The fields of that entry are <path>:<scope>:<state>:<display name>, so the firewall's exceptions list shows the worm under the name "explorer" while the program actually allowed to accept connections is jucshed.exe.

* Disables update notifications and the auto-update feature of Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = dword:00000001

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Start = dword:00000004

A Start value of 4 is SERVICE_DISABLED: the Automatic Updates service no longer starts at boot, so the machine stops receiving patches until the value is restored and the service is started again.
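The registry changes from the Installation and Payload sections can be verified offline from a 'reg export' file taken from a suspect machine. This added example (not from the original analysis) parses a constructed .reg export that contains those values next to benign entries and reports only the changes this page describes. The parser covers string and dword values only, which is all these keys need; the benign entries are made up for the example.

```python
import re

# Registry keys named in this analysis, lower-cased for comparison ("HKLM" expanded).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
FW_LIST_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
               r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
SEC_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
WUAUSERV_KEY = r"hkey_local_machine\system\currentcontrolset\services\wuauserv"
WORM_EXE = "jucshed.exe"
WORM_RUN_NAME = "Sun Java Updater v7.11"

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))\s*$')


def _unescape(s):
    # .reg exports double every backslash inside quoted names and strings.
    return s.replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse the subset of the 'Windows Registry Editor Version 5.00' format used here:
    key headers, quoted string values and dword values. Binary/hex and multi-line
    values are ignored. Returns {key (lower-case): {value name: str | int}}."""
    reg, key = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            key = m.group(1).lower().replace("hklm\\", "hkey_local_machine\\", 1)
            reg.setdefault(key, {})
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            name, string, dword = m.groups()
            reg[key][_unescape(name)] = int(dword, 16) if dword is not None else _unescape(string)
    return reg


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()


def check_registry(reg):
    """Return (kind, detail) findings for the registry changes described on this page."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if isinstance(data, str) and (name == WORM_RUN_NAME or _basename(data) == WORM_EXE):
            findings.append(("run_persistence", f"{name} = {data}"))
    for name, data in reg.get(FW_LIST_KEY, {}).items():
        if not isinstance(data, str):
            continue
        parts = data.rsplit(":", 3)  # <path>:<scope>:<state>:<display name>; path may hold "C:"
        if len(parts) == 4 and _basename(parts[0]) == WORM_EXE:
            findings.append(("firewall_exception", f"{data} (state={parts[2]}, shown as '{parts[3]}')"))
    if reg.get(SEC_CENTER_KEY, {}).get("UpdatesDisableNotify") == 1:
        findings.append(("updates_notify_disabled", "Security Center\\UpdatesDisableNotify = 1"))
    if reg.get(WUAUSERV_KEY, {}).get("Start") == 4:
        findings.append(("wuauserv_disabled", "wuauserv Start = 4 (SERVICE_DISABLED)"))
    return findings


# Constructed export: the page's values plus benign entries (made up for the example).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Updater v7.11"="jucshed.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"jucshed.exe"="jucshed.exe:*:enabled:explorer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for kind, detail in check_registry(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{kind:24} {detail}")
```

To use it on a live system, export the four keys with reg export (one file each or concatenated) and feed the text to parse_reg_export; the checks key off the value names and data the page lists, so a benign Run entry or a firewall exception for a real program is not reported.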

Deletes Files

Worm:Win32/Prolaco.gen!C searches for the installation directory of the file Mcshield.exe by reading the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine\szInstallDir

If found, it deletes this file. This file may be related to McAfee security software (Mcshield.exe is the McAfee VirusScan on-access scanner service).

Additional Information

Win32/Prolaco.gen!C connects to the Web site 'whatismyip.com' to retrieve the external IP address of the infected machine. The worm may also query the following web sites to obtain further information:

gin.ntt.net
whois.ripe.net
whois.afrinic.net
whois.v6nic.net
whois.nic.or.kr
whois.apnic.net
whois.nic.ad.jp
whois.arin.net
whois.lacnic.net
whois.nic.br
whois.twnic.net
rwhois.gin.ntt.net
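The worm's network behaviour described in this analysis, the MX queries and host-name guessing in the E-mail section and the whatismyip.com and whois lookups just listed, leaves a pattern in resolver logs that a workstation does not normally produce. The following is an added example (not part of the original analysis) that runs that rule over a constructed resolver log; the '<timestamp> <client-ip> <query-type> <query-name>' line format and the client addresses are assumptions made for the example.

```python
from collections import defaultdict

# Prefixes the worm puts in front of each harvested domain (from the E-mail section).
MX_GUESS_PREFIXES = {"mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate"}
# Hosts the worm contacts for its own address and for whois data (from the list above).
WORM_LOOKUP_HOSTS = {
    "whatismyip.com", "gin.ntt.net", "whois.ripe.net", "whois.afrinic.net", "whois.v6nic.net",
    "whois.nic.or.kr", "whois.apnic.net", "whois.nic.ad.jp", "whois.arin.net", "whois.lacnic.net",
    "whois.nic.br", "whois.twnic.net", "rwhois.gin.ntt.net",
}

# Constructed resolver log (not a real capture). Assumed line format:
# <timestamp> <client-ip> <query-type> <query-name>
SAMPLE_DNS_LOG = """\
2009-04-07T10:00:01 10.0.0.5 MX contoso.test
2009-04-07T10:00:01 10.0.0.5 A mx.contoso.test
2009-04-07T10:00:02 10.0.0.5 A mail.contoso.test
2009-04-07T10:00:02 10.0.0.5 A smtp.contoso.test
2009-04-07T10:00:03 10.0.0.5 A mx1.contoso.test
2009-04-07T10:00:03 10.0.0.5 MX fabrikam.test
2009-04-07T10:00:04 10.0.0.5 A relay.fabrikam.test
2009-04-07T10:00:04 10.0.0.5 A gate.fabrikam.test
2009-04-07T10:00:05 10.0.0.5 A ns.fabrikam.test
2009-04-07T10:00:05 10.0.0.5 A mx.fabrikam.test
2009-04-07T10:00:06 10.0.0.5 A whatismyip.com
2009-04-07T10:00:07 10.0.0.5 A whois.arin.net
2009-04-07T10:01:00 10.0.0.7 A whatismyip.com
2009-04-07T10:02:00 10.0.0.9 A mail.contoso.test
2009-04-07T10:02:05 10.0.0.9 A www.contoso.test
2009-04-07T10:02:10 10.0.0.9 A ns.fabrikam.test
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qtype, qname) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qtype, qname = parts
            yield ts, client, qtype.upper(), qname.lower().rstrip(".")


def _is_worm_lookup(qname):
    return any(qname == h or qname.endswith("." + h) for h in WORM_LOOKUP_HOSTS)


def analyse_dns_log(text, min_prefixes=3):
    """Per client: MX queries (unusual from a workstation; MTAs do those), parent domains
    against which at least min_prefixes of the worm's guessed host names were resolved,
    and lookups of the whatismyip.com / whois hosts. Clients with nothing to report are
    left out. Splitting off the first label inverts the worm's '<prefix>.%s' template."""
    mx_queries = defaultdict(set)
    guesses = defaultdict(lambda: defaultdict(set))
    lookups = defaultdict(set)
    for _ts, client, qtype, qname in parse_dns_log(text):
        if qtype == "MX":
            mx_queries[client].add(qname)
        elif qtype == "A":
            if _is_worm_lookup(qname):
                lookups[client].add(qname)
            elif "." in qname:
                first, parent = qname.split(".", 1)
                if first in MX_GUESS_PREFIXES:
                    guesses[client][parent].add(first)
    report = {}
    for client in sorted(set(mx_queries) | set(guesses) | set(lookups)):
        fanout = {d: sorted(p) for d, p in guesses[client].items() if len(p) >= min_prefixes}
        if mx_queries[client] or fanout or lookups[client]:
            report[client] = {
                "mx_queries": sorted(mx_queries[client]),
                "mx_guess": fanout,
                "lookups": sorted(lookups[client]),
            }
    return report


if __name__ == "__main__":
    for client, hits in analyse_dns_log(SAMPLE_DNS_LOG).items():
        print(client, hits)
```

A mail client resolving mail. and smtp. for its own provider is normal, which is why a single prefix per domain (10.0.0.9) is not reported; the signal is a workstation issuing MX queries and walking several of the prefixes across unrelated domains, with the whatismyip.com lookup as a supporting indicator (10.0.0.7 is reported on that alone, so treat it as low confidence on its own).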

Analysis by Elda Dimakiling

Last update 07 April 2009
