Worm.P2P.Palevo.J

MEDIUM
LOW
Size: ~116 KB
Aliases: Rimecud, Boaxxe

Symptoms

1. explorer.exe attempts to connect to several URLs

2. Presence of the hidden file c:\Recycler\S-1-5-21-[random digits]\sysdate.exe

3. Two new files are created in the root of removable drives: autorun.inf and folder.tmp\tmp.exe

4. The following registry values under the Winlogon key point to sysdate.exe:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

5. New executables in the P2P share folders

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Horea Coroiu, virus researcher

Technical Description:

This is a variant built with the Butterfly bot kit, which used to be sold at bfse[removed].net.

Spreading
It has three propagation vectors: MSN messages, USB drives and P2P shares.
If a removable drive X: is detected on the system, the worm creates the file X:\autorun.inf, which points to a copy of the malware at X:\folder.tmp\tmp.exe. When the drive is inserted into another computer on which AutoRun is enabled, the worm is executed automatically.
Another spreading mechanism is through P2P shares: the worm drops copies of itself into the shared folders of the supported clients (Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+, LimeWire), where other users download them.
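The removable-drive vector above, as an added example that is not part of Bitdefender's analysis or tooling: a Python parser for an autorun.inf collected from a USB drive that reports which directives would launch a program and whether any of them point at the Palevo.J drop path. The page states only that the file points to X:\folder.tmp\tmp.exe, so the sample autorun.inf embedded below is constructed for illustration using the standard AutoRun directive names (open, shellexecute, shell\verb\command), not copied from the malware.

```python
r"""Parse an autorun.inf from a removable drive and report what it launches.

Added example, not Bitdefender's tooling. The page states only that the
dropped autorun.inf points to X:\folder.tmp\tmp.exe; the sample file below is
constructed to illustrate the usual directives, not copied from the malware.
"""
import re

# Directives through which autorun.inf can start a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")

# Path of the Palevo.J copy on removable media, relative to the drive root.
PALEVO_USB_PAYLOAD = r"folder.tmp\tmp.exe"

# Constructed sample, padded with a junk comment line as such files often are.
SAMPLE_AUTORUN_INF = r"""
[autorun]
;kjhsdf98723
open=folder.tmp\tmp.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=folder.tmp\tmp.exe
shell\explore\command=folder.tmp\tmp.exe
UseAutoPlay=1
"""


def autorun_launch_targets(text):
    """Return [(directive, target)] for every directive that launches a program.

    Only the [autorun] section is honoured, as Windows does; comment lines
    (starting with ';') and non-launch keys such as icon= are skipped.
    """
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            targets.append((key, value))
    return targets


def assess_autorun(text):
    """'palevo' if the file launches the known payload path, 'suspicious' if it
    launches any executable from the drive, 'benign' if it launches nothing."""
    targets = autorun_launch_targets(text)
    if any(PALEVO_USB_PAYLOAD.lower() in target.lower() for _, target in targets):
        return "palevo"
    for _, target in targets:
        words = target.split()
        program = words[0].lower() if words else ""
        if program.endswith(EXECUTABLE_EXTS):
            return "suspicious"
    return "benign"


if __name__ == "__main__":
    for directive, target in autorun_launch_targets(SAMPLE_AUTORUN_INF):
        print(directive, "->", target)
    print(assess_autorun(SAMPLE_AUTORUN_INF))
```

The parser tells you what the file would launch, not whether it would actually run: that depends on the host's AutoRun policy. A legitimate installer disc with open=setup.exe is reported as "suspicious" on purpose, so that every drive-launched program gets a look.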

Obfuscation
The malware defeats AV emulators with a series of obscure CPU instructions and then decrypts its code on the stack. To complicate analysis it refuses to run if a debugger, a virtual machine or Sandboxie is detected.

Backdoor capabilities
Palevo.J connects to the Mariposa botnet at one of the following addresses and waits for instructions:
butterfly.BigM[removed].biz:5907
butterfly.si[removed].es:5907
qwertasdfg.si[removed].es:5907
It can steal Firefox and Internet Explorer passwords and generate UDP floods and TCP SYN floods for denial-of-service attacks.

Behavior
1. Copies itself to "X:\RECYCLER\$RecyclerDir\sysdate.exe"
where X: is the drive of the Windows installation
and $RecyclerDir is a random name such as
S-1-5-21-3195918175-0516443723-305921711-2405

2. Creates "X:\RECYCLER\$RecyclerDir\Desktop.ini" with contents

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

so that Explorer displays the folder $RecyclerDir, which contains the malware, as the Recycle Bin. Because Explorer then renders the Recycle Bin's logical contents instead of the directory listing, the malware executable (sysdate.exe) does not show up in it; a raw directory listing (dir /a) still reveals the file.

3. Sets
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" to
"X:\RECYCLER\$RecyclerDir\sysdate.exe"
and sets
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" to
explorer.exe, "X:\RECYCLER\$RecyclerDir\sysdate.exe"
so that Winlogon launches the malware at every logon. The default Shell value is just explorer.exe and Taskman is normally absent, so either value pointing elsewhere is a reliable indicator.

4. Injects itself into explorer.exe and into the process with the smallest PID (System).
Creates the mutex i4__s__frgk665fx to ensure that the injected code does not run in multiple instances.
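Steps 1 to 3 above, as an added example that is not Bitdefender's code: a Python triage script that checks a text export of the Winlogon key for Shell or Taskman values that start anything besides explorer.exe, and walks a copied RECYCLER folder for executables parked behind a desktop.ini that carries the Recycle Bin CLSID. The .reg content and the directory tree it runs on are constructed for illustration. It assumes (stated in a comment) the XP-era convention that a genuine Recycle Bin folder renames deleted files to D<drive letter><n>.<ext>, so that a legitimately deleted program is not reported, and it lists directories with os.listdir rather than through Explorer, which is why the file Explorer hides is visible to it.

```python
"""Offline triage for the persistence and hiding tricks described above.

Added example, not Bitdefender's code. It works on collected artefacts so it
runs anywhere: a 'reg export' of the Winlogon key and a copy of a drive's
RECYCLER folder. Both inputs below are constructed for illustration.
"""
import os
import re
import tempfile

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
SID_DIR_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)
# Assumption: XP-era Recycle Bin folders rename deleted files to D<drive><n>.<ext>, e.g. Dc1.exe.
DELETED_NAME_RE = re.compile(r"^D[a-z]\d+\.", re.IGNORECASE)
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")

# Constructed sample of: reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# (.reg files double every backslash inside string data).
SAMPLE_WINLOGON_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\RECYCLER\\S-1-5-21-3195918175-0516443723-305921711-2405\\sysdate.exe"
"Taskman"="C:\\RECYCLER\\S-1-5-21-3195918175-0516443723-305921711-2405\\sysdate.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""


def winlogon_findings(reg_text):
    """Return [(value_name, data)] for Shell/Taskman values that start anything
    beyond the expected shell: Shell must be exactly 'explorer.exe', and Taskman
    is normally absent, so any Taskman value is reported."""
    findings = []
    for m in re.finditer(r'^"(Shell|Taskman)"="(.*)"$', reg_text, re.MULTILINE):
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name == "Shell" and data.strip().lower() == "explorer.exe":
            continue
        findings.append((name, data))
    return findings


def fake_recycle_bins(recycler_root):
    r"""List executables inside RECYCLER\S-1-5-21-* folders that are not
    shell-renamed deleted files, noting whether the folder carries a desktop.ini
    that assigns it the Recycle Bin CLSID. os.listdir bypasses Explorer's
    namespace handling, so the files Explorer hides are visible here."""
    hits = []
    for name in sorted(os.listdir(recycler_root)):
        folder = os.path.join(recycler_root, name)
        if not (os.path.isdir(folder) and SID_DIR_RE.match(name)):
            continue
        masquerading = False
        ini = os.path.join(folder, "desktop.ini")
        if os.path.isfile(ini):
            with open(ini, encoding="utf-8", errors="replace") as f:
                masquerading = RECYCLE_BIN_CLSID.lower() in f.read().lower()
        for entry in sorted(os.listdir(folder)):
            if entry.lower().endswith(EXECUTABLE_EXTS) and not DELETED_NAME_RE.match(entry):
                hits.append((name, entry, masquerading))
    return hits


def build_sample_recycler(root):
    """Constructed tree: one infected SID folder beside a legitimate bin folder."""
    bad = os.path.join(root, "S-1-5-21-3195918175-0516443723-305921711-2405")
    good = os.path.join(root, "S-1-5-21-1000000000-2000000000-3000000000-1001")
    ini = "[.ShellClassInfo]\nCLSID=%s\n" % RECYCLE_BIN_CLSID
    for folder in (bad, good):
        os.makedirs(folder)
        with open(os.path.join(folder, "desktop.ini"), "w") as f:
            f.write(ini)   # a real per-user bin folder carries the same desktop.ini
    with open(os.path.join(bad, "sysdate.exe"), "wb") as f:
        f.write(b"MZ")     # placeholder bytes, not the malware
    with open(os.path.join(good, "Dc1.exe"), "wb") as f:
        f.write(b"MZ")     # a genuinely deleted program, renamed by the shell


def run_demo():
    """Run both checks against the constructed inputs and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_recycler(root)
        return winlogon_findings(SAMPLE_WINLOGON_REG), fake_recycle_bins(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a live machine you would feed winlogon_findings the output of reg export and point fake_recycle_bins at C:\RECYCLER (or at the folder mounted from a forensic image); because the checks read files and text rather than calling the shell, the desktop.ini trick from step 2 does not hide sysdate.exe from them.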