1. explorer.exe attempts to connect to several URLs
2. Presence of the hidden file c:\Recycler\S-1-5-21-[random digits]\sysdate.exe
3. Two new files are created in the root of removable drives: autorun.inf and folder.tmp\tmp.exe
4. The following registry keys point to sysdate.exe
5. New executables in the P2P share folders
Please let BitDefender disinfect your files.
Horea Coroiu, virus researcher
This is a variant of the Butterfly bot kit, which used to be sold at bfse[removed].net
It has three propagation vectors: MSN messages, USB drives and P2P shares.
If an external drive X: is detected on the system, the file X:\autorun.inf is created, pointing to a copy of the malware at X:\folder.tmp\tmp.exe. When the drive is inserted into another computer, AutoRun executes the worm automatically.
Another spreading mechanism is through P2P shares (Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+, LimeWire are supported).
The malware breaks AV emulation with a series of obscure CPU instructions and then proceeds to decrypt its code on the stack. In order to complicate analysis it refuses to run if a debugger, a virtual machine or Sandboxie is detected.
Palevo.J connects to the Mariposa botnet on one of the following URLs and waits for instructions:
It has the capability to steal Firefox/IE passwords and to generate UDP floods and TCP SYN floods for Denial of Service attacks.
1. Copies itself to "X:\RECYCLER\$RecyclerDir\sysdate.exe", where X: is the drive of the Windows installation and $RecyclerDir is a random name such as
2. Creates "X:\RECYCLER\$RecyclerDir\Desktop.ini" with contents
so that the folder $RecyclerDir containing the malware opens as the "Recycle Bin" in Explorer. The malware executable (sysdate.exe) does not appear in the Recycle Bin listing.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" to
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" to
in order to run the malware at system boot
4. Injects itself into explorer.exe and into the process with the smallest PID (System)
Creates the mutex i4__s__frgk665fx so that the injected code does not run in multiple instances