Worm:Win32/Prolaco.gen!C
http://www.securityhome.eu/malware/malware.php?mal_id=101659340549db6cc479b3e0.45108438
Author: SecurityHome.eu
Published: 07 April 2009

Aliases
Worm:Win32/Prolaco.gen!C is also known as: Trojan.Win32.Buzus.apot (Kaspersky), W32/Buzus.LGC (Norman), W32/Autorun-ABH (Sophos), Win32/Merond.G (ESET), Win32/Fruspam.S (CA), IRC/Flood.dr (McAfee), W32.Ackantta.B@mm (Symantec).

Explanation
Worm:Win32/Prolaco.gen!C is a worm that spreads via e-mail, removable drives and peer-to-peer file sharing networks. It also lowers security settings and installs Win32/Vundo. Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements; they may also download and execute arbitrary files.

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
* The presence of the following files:
  <system folder>\jucshed.exe
  <system folder>\javase11.exe
  <system folder>\<random>.dll
* The presence of the following registry modifications:
  Adds value: "Sun Java Updater v7.11"
  With data: "<system folder>\jucshed.exe"
  To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  Sets value: "<system folder>\jucshed.exe"
  With data: "<system folder>\jucshed.exe:*:enabled:explorer"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
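The file and registry indicators above can be checked offline against a Regedit export and a directory listing of the system folder, which is how a responder would triage a suspect disk without running anything on it. The following Python script is an added example written for this page, not code from the advisory or from SecurityHome.eu. The .reg sample and the file listing it embeds are constructed to match the indicators listed here (including the update-disabling values listed under Payload further down), and the rule that flags a firewall exception whose display name is "explorer" but whose path is not explorer.exe is this example's own generalisation of the worm's trick.

```python
"""Offline triage for the Prolaco.gen!C host indicators: dropped files, the
Run-key entry, the Windows Firewall exception and the update-disabling values.
Added example, not code from the advisory. Input is a Regedit 5.00 export (.reg)
plus a directory listing, so nothing touches the live registry."""
import re
from collections import defaultdict

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
SEC_CENTER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
WUAUSERV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv"

WORM_FILES = {"jucshed.exe", "javase11.exe"}   # file names from the advisory
WORM_RUN_VALUE = "sun java updater v7.11"     # Run value name from the advisory

_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    # .reg exports escape '\' and '"' inside quoted strings with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key (lowercased): {value name: data}}.
    Quoted strings are unescaped, dword values become int, other types stay raw."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            if current.startswith("hklm\\"):        # accept the short root form too
                current = "hkey_local_machine\\" + current[5:]
            keys[current]  # make sure a key with no values still exists
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group("name")), m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def parse_fw_entry(data):
    """Split an XP/2003 AuthorizedApplications\\List value of the form
    '<path>:<scope>:<Enabled|Disabled>:<display name>'. The path contains ':'
    after the drive letter, so split from the right."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def triage(reg_text, system_folder_listing):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    keys = parse_reg(reg_text)

    present = WORM_FILES & {f.lower() for f in system_folder_listing}
    findings += [f"file present in system folder: {f}" for f in sorted(present)]

    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == WORM_RUN_VALUE or _basename(str(data)) in WORM_FILES:
            findings.append(f"Run value {name!r} -> {data}")

    for name, data in keys.get(FW_LIST_KEY.lower(), {}).items():
        entry = parse_fw_entry(str(data))
        if entry is None:
            continue
        exe = _basename(entry["path"])
        # Known worm binary, or the general trick: display name 'explorer'
        # on a path that is not explorer.exe (heuristic, this example's own).
        if exe in WORM_FILES or (entry["name"].lower() == "explorer" and exe != "explorer.exe"):
            findings.append(f"firewall exception for {entry['path']} labelled {entry['name']!r}")

    sec = {k.lower(): v for k, v in keys.get(SEC_CENTER_KEY.lower(), {}).items()}
    if sec.get("updatesdisablenotify") == 1:
        findings.append("Security Center: UpdatesDisableNotify = 1 (update notifications off)")

    wu = {k.lower(): v for k, v in keys.get(WUAUSERV_KEY.lower(), {}).items()}
    if wu.get("start") == 4:
        findings.append("wuauserv Start = 4 (Automatic Updates service disabled)")
    return findings


# Constructed sample export and listing shaped like the advisory's indicators;
# the clean ctfmon/msmsgs entries show that ordinary entries are not flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Sun Java Updater v7.11"="C:\\WINDOWS\\system32\\jucshed.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\jucshed.exe"="C:\\WINDOWS\\system32\\jucshed.exe:*:enabled:explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
'''
SAMPLE_SYSTEM_FOLDER = ["kernel32.dll", "ctfmon.exe", "jucshed.exe", "javase11.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_SYSTEM_FOLDER):
        print("[!]", finding)
```

Run it against a real export with `reg export HKLM hklm.reg` from the suspect machine (or a hive exported from an offline image) and a `dir` of the system folder. The update-notification and wuauserv checks are worth keeping in a general triage kit: many unrelated families make the same two changes.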
Installation
Worm:Win32/Prolaco.gen!C creates the following files upon execution:
* <system folder>\jucshed.exe - a copy of the worm
* <system folder>\javase11.exe - detected as Trojan:Win32/Vundo.KO
* <system folder>\<random>.dll - detected as Trojan:Win32/Vundo.gen!AJ

It modifies the registry to execute its copy at each Windows start:
Adds value: "Sun Java Updater v7.11"
With data: "<system folder>\jucshed.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default location of the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

Spreads Via...

E-mail
Win32/Prolaco.gen!C gathers e-mail addresses to send itself to from files on the affected machine with the following extensions:
.doc .htm .pdf .chm .txt

The worm avoids collecting e-mail addresses that contain any of the following strings (the list largely covers security vendors, software projects and role mailboxes such as abuse@ and postmaster@, so that samples are less likely to reach analysts):
abuse, accoun, acd-group, acdnet.com, acdsystems.com, acketst, admin, ahnlab, alcatel-lucent.com, anyone, apache, arin., avira, berkeley, bitdefender, bluewin.ch, borlan, bpsoft.com, buyrar.com, certific, cisco, clamav, contact, debian, drweb, eset.com, example, f-secure, feste, firefox, ghisler.com, gold-certs, honeynet, honeypot, ibm.com, icrosof, icrosoft, idefense, ikarus, inpris, isc.o, isi.e, jgsoft, kaspersky, kernel, lavasoft, linux, listserv, mcafee, messagelabs, mit.e, mozilla, mydomai, nobody, nodomai, noone, nothing, novirusthanks, ntivi, nullsoft.org, panda, postmaster, prevx, privacy, qualys, quebecor.com, rating, redhat, rfc-ed, ruslis, samba, samples, secur, security, sendmail, service, slashdot, somebody, someone, sopho, sourceforge, ssh.com, submit, sun.com, support, syman, sysinternals, tanford.e, the.bat, usenet, utgers.ed, virus, virusbuster, webmaster, winamp, wireshark, www.ca.com

The worm then performs mail exchanger (MX) queries for the domain names in the gathered e-mail addresses to find the associated mail server. Win32/Prolaco.gen!C also uses the following strings as hostname prefixes (with %s replaced by the domain) to guess the mail server:
mx.%s
mail.%s
smtp.%s
mx1.%s
mxs.%s
mail1.%s
relay.%s
ns.%s
gate.%s

Because delivery goes straight to the recipient domain's mail exchanger rather than through the organisation's own mail server, outbound TCP port 25 from workstations is the natural place to block and to alert on this traffic.

E-mail messages are generated by the worm and sent to the collected e-mail addresses. Messages may be in the following or a similar format:
From: [email protected]
Subject: You have received A Hallmark E-Card!
Attachment: postcard.exe
(Note: the message body is in HTML format. The background content - images, references and so on - is rendered from the official Hallmark website.)
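Seen from the internal resolver, the propagation logic above leaves two signatures: a workstation issuing MX lookups for many unrelated domains, and A lookups for several of the listed prefixes against the same domain in quick succession. The detection below is an added example, not part of the advisory. The log format (one "<timestamp> <client> <qtype> <qname>" record per line), the thresholds and the sample log lines are assumptions constructed for the example; the mail_servers allow-list exists because real MTAs legitimately perform bulk MX lookups and must not be flagged by the first rule.

```python
"""Detection for the worm's e-mail propagation as seen in DNS query logs:
bulk MX lookups from a workstation, and the mx./mail./smtp./... hostname
guessing listed in the advisory. Added example, not code from the advisory.
The log format below is an assumption: '<timestamp> <client> <qtype> <qname>'."""
import re
from collections import defaultdict

# Prefixes the worm prepends to a harvested domain (from the advisory, '%s' dropped).
MX_GUESS_PREFIXES = frozenset(
    ["mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate"])

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def parse_line(line):
    """Return the record as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()   # normalise trailing dot and case
    return rec


def detect(lines, min_prefixes=3, min_mx_domains=5, mail_servers=frozenset()):
    """Return a list of (client, reason) findings.

    Rule 1: the same client resolves >= min_prefixes of the worm's guess prefixes
            for one domain (a user's mail client resolves one or two, not four).
    Rule 2: a client that is not a known mail server issues MX queries for
            >= min_mx_domains distinct domains (workstations normally issue none)."""
    guesses = defaultdict(lambda: defaultdict(set))   # client -> domain -> prefixes seen
    mx_domains = defaultdict(set)                      # client -> domains queried for MX
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname = rec["client"], rec["qname"]
        if rec["qtype"] == "MX":
            mx_domains[client].add(qname)
        elif rec["qtype"] in ("A", "AAAA"):
            head, sep, rest = qname.partition(".")
            if sep and head in MX_GUESS_PREFIXES:
                guesses[client][rest].add(head)

    findings = []
    for client, domains in guesses.items():
        for domain, prefixes in sorted(domains.items()):
            if len(prefixes) >= min_prefixes:
                findings.append((client, f"{len(prefixes)} MX-guess hostnames for {domain}: "
                                 + ", ".join(sorted(prefixes))))
    for client, domains in mx_domains.items():
        if client not in mail_servers and len(domains) >= min_mx_domains:
            findings.append((client, f"MX lookups for {len(domains)} distinct domains"))
    return findings


# Constructed sample: 10.0.0.42 behaves like an infected workstation,
# 10.0.0.7 is an ordinary user and 10.0.0.25 is the corporate MTA.
SAMPLE_LOG = """\
2009-04-07T10:00:01 10.0.0.7  A  www.example.com
2009-04-07T10:00:02 10.0.0.7  A  mail.example.com
2009-04-07T10:00:03 10.0.0.42 MX example.org
2009-04-07T10:00:03 10.0.0.42 MX example.net
2009-04-07T10:00:04 10.0.0.42 MX example.edu
2009-04-07T10:00:04 10.0.0.42 MX example.info
2009-04-07T10:00:05 10.0.0.42 MX example.biz
2009-04-07T10:00:06 10.0.0.42 A  mx.example.org
2009-04-07T10:00:06 10.0.0.42 A  mail.example.org
2009-04-07T10:00:06 10.0.0.42 A  smtp.example.org
2009-04-07T10:00:07 10.0.0.42 A  mx1.example.org
2009-04-07T10:00:08 10.0.0.25 MX corp-a.example
2009-04-07T10:00:08 10.0.0.25 MX corp-b.example
2009-04-07T10:00:09 10.0.0.25 MX corp-c.example
2009-04-07T10:00:09 10.0.0.25 MX corp-d.example
2009-04-07T10:00:10 10.0.0.25 MX corp-e.example
"""

if __name__ == "__main__":
    for client, reason in detect(SAMPLE_LOG.splitlines(), mail_servers={"10.0.0.25"}):
        print(f"[!] {client}: {reason}")
```

Rule 1 is the more specific of the two (it keys on the worm's own prefix list), rule 2 is the more general one and will also catch other direct-to-MX spam bots; tune min_mx_domains to the site and exclude the real relays rather than lowering the threshold.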
P2P File Sharing Networks
Win32/Prolaco.gen!C copies itself to the following shared folders of popular peer-to-peer file sharing applications:
%ProgramFiles%\icq\shared folder
%ProgramFiles%\grokster\my grokster
%ProgramFiles%\emule\incoming
%ProgramFiles%\morpheus\my shared folder
%ProgramFiles%\limewire\shared
%ProgramFiles%\tesla\files
%ProgramFiles%\winmx\shared
C:\Downloads

The worm may create copies of itself in these folders with the following enticing filenames (reproduced verbatim, including misspellings, since they are the names a victim would download):
Absolute Video Converter 6.2.exe
Ad-aware 2009.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Avast 4.8 Professional.exe
AVS video converter6.exe
BitDefender AntiVirus 2009 Keygen.exe
CheckPoint ZoneAlarm And AntiSpy.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
DVD Tools Nero 9 2 6 0.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Grand Theft Auto IV (Offline Activation).exe
Internet Download Manager V5.exe
K-Lite codec pack 3.10 full.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
Microsoft Office 2007 Home and Student keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft.Windows 7 Beta1 Build 7000 x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 9.62 International.exe
PDF password remover (works with all acrobat reader).exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Smart Draw 2008 keygen.exe
Sony Vegas Pro 8 0b Build 219.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe

Removable Drives
Win32/Prolaco.gen!C copies itself to the following location on removable drives:
<drive:>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\edmond.exe

It then creates '<drive:>\Desktop.ini' so that the icon for the removable drive appears as a folder icon when viewed in Windows Explorer.
The worm creates '<drive:>\Autorun.inf', which launches the worm copy when the removable drive is attached to a computer that has Autoplay enabled. In addition, the icon for the worm itself appears as a "closed folder" or file folder when viewed in Windows Explorer.

Web Servers
If the worm infects a computer that is running IIS, it attempts to replace the legitimate Web root or index file, '%root%\inetpub\wwwroot\index.htm', with a page containing the following message:

Security warning! Your browser affected by the DirectAnimation Path ActiveX vulnerability. Please install the following MS09-067 hotfix in order to be able to watch this website.

'MS09-067' is a hyperlink to a dropped copy of the worm, for example '%root%\inetpub\wwwroot\ms09-067.exe'. The "hotfix" is the lure: the link delivers the worm itself, not a Microsoft update, so visitors to the defaced site are infected through social engineering rather than through any browser vulnerability.

Payload

Lowers Security Settings
Win32/Prolaco.gen!C makes the following changes to an infected system, which result in lowered security settings:
* Adds the worm as an authorized application in the Windows Firewall policy by modifying the registry:
  Sets value: "<system folder>\jucshed.exe"
  With data: "<system folder>\jucshed.exe:*:enabled:explorer"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  (The last field, "explorer", is the display name the Windows Firewall UI shows for the exception; the path it actually permits is the worm's.)
* Disables update notifications and the Automatic Updates feature of Windows:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
  UpdatesDisableNotify = dword:00000001
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
  Start = dword:00000004
  (Start = 4 is the SERVICE_DISABLED start type, so the Automatic Updates service no longer starts.)

Deletes Files
Worm:Win32/Prolaco.gen!C searches for the installation directory of the file Mcshield.exe by looking at the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine\szInstallDir
If found, it deletes this file. Mcshield.exe is the on-access scanner service of McAfee VirusScan.

Additional Information
Win32/Prolaco.gen!C connects to the Web site 'whatismyip.com' to retrieve the public IP address of the infected machine. The worm may also query the following Web sites to obtain further information:
gin.ntt.net, whois.ripe.net, whois.afrinic.net, whois.v6nic.net, whois.nic.or.kr, whois.apnic.net, whois.nic.ad.jp, whois.arin.net, whois.lacnic.net, whois.nic.br, whois.twnic.net, rwhois.gin.ntt.net

Analysis by Elda Dimakiling
Last update 07 April 2009
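The removable-drive artefacts described under Removable Drives above (a worm copy beneath RECYCLER\<SID>\, an Autorun.inf that launches it, and a Desktop.ini at the root for the folder-icon disguise) can be checked on a mounted drive or an extracted image without executing anything from it. The script below is an added example, not code from the advisory. Its Autorun.inf parser, the heuristic that a SID whose identifier authority is not 5 (real NT SIDs are S-1-5-...) is forged, and the sample directory listing and Autorun.inf are this example's own constructions.

```python
r"""Check a removable drive listing and its Autorun.inf for the propagation
artefacts listed in the advisory: an executable under RECYCLER\<SID>\, an
Autorun.inf that launches it, and a root Desktop.ini. Added example, not code
from the advisory; the forged-SID heuristic and the samples are this example's own."""
import re

# An executable directly beneath RECYCLER\S-<rev>-<authority>-...\ . Real recycle-bin
# folders hold renamed Dc*.* entries and INFO2, not a loose .exe.
RECYCLER_EXE_RE = re.compile(r"^recycler\\s-1-(?P<authority>\d+)(?:-\d+)+\\[^\\]+\.exe$", re.I)


def parse_autorun_inf(text):
    """Return {lowercased key: value} from the [autorun] section. Hand-parsed so that
    malformed files (duplicate keys, odd spacing, CRLF endings) never raise."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep:
            entries[key.strip().lower()] = value.strip()
    return entries


def _first_token(value):
    """Program path from a command line: the quoted path, or the first whitespace token."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value.split() else ""


def autorun_targets(entries):
    """Programs an Autorun.inf can run: open=, shellexecute= and shell\\<verb>\\command=."""
    targets = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            target = _first_token(value).lstrip(".\\")   # drop a leading '.\'
            if target:
                targets.append(target)
    return targets


def check_removable_drive(listing, autorun_text=None):
    """listing: paths relative to the drive root, backslash separated, any case.
    autorun_text: contents of the root Autorun.inf, if one exists."""
    findings = []
    paths = {p.lstrip("\\").lower(): p for p in listing}

    for p in sorted(paths):
        m = RECYCLER_EXE_RE.match(p)
        if m is None:
            continue
        # Heuristic: NT accounts are S-1-5-...; any other identifier authority is forged.
        authority = m.group("authority")
        note = "" if authority == "5" else f" (SID authority {authority} is not NT authority 5: forged)"
        findings.append(f"executable in recycle-bin SID folder: {paths[p]}{note}")

    if autorun_text is not None:
        targets = autorun_targets(parse_autorun_inf(autorun_text))
        for t in targets:
            tl = t.lower()
            if RECYCLER_EXE_RE.match(tl):
                status = "file present" if tl in paths else "file missing"
                findings.append(f"Autorun.inf launches {t} ({status})")
            elif tl.endswith(".exe"):
                findings.append(f"Autorun.inf launches executable {t}")
        if targets and "desktop.ini" in paths:
            findings.append("Desktop.ini at drive root alongside an auto-launching Autorun.inf (folder-icon disguise)")
    return findings


# Constructed sample drive, laid out like the advisory describes.
SAMPLE_LISTING = [
    r"\Autorun.inf",
    r"\Desktop.ini",
    r"\holiday photos\IMG_0001.jpg",
    r"\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\edmond.exe",
]
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\edmond.exe
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\edmond.exe
shell\open\default=1
action=Open folder to view files
"""

if __name__ == "__main__":
    for finding in check_removable_drive(SAMPLE_LISTING, SAMPLE_AUTORUN):
        print("[!]", finding)
```

Feed it the output of a recursive directory listing of the mounted drive (mount read-only, or work from an image) together with the root Autorun.inf; any open=, shellexecute= or shell\...\command= entry on removable media deserves a look even when it does not point into RECYCLER.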