(Rimecud, Boaxxe)


1. explorer.exe attempts to connect to several URLs

2. Presence of the hidden file c:\Recycler\S-1-5-21-[random digits]\sysdate.exe

3. Two new files are created in the root of removable drives: an autorun.inf file and folder.tmp\tmp.exe

4. The following registry values point to sysdate.exe:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

5. New executables in the P2P share folders

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Horea Coroiu, virus researcher

Technical Description:

This is a variant of the Butterfly bot kit, which used to be sold at bfse[removed].net

It has three propagation vectors: MSN messages, USB drives and P2P shares.
If an external drive X: is detected on the system, the file X:\autorun.inf is created, pointing to a copy of the malware at X:\folder.tmp\tmp.exe. When the drive is inserted into another computer, the worm is executed automatically.
Another spreading mechanism is through P2P shares (Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+, LimeWire are supported).

The malware breaks AV emulation with a series of obscure CPU instructions and then proceeds to decrypt its code on the stack. In order to complicate analysis it refuses to run if a debugger, a virtual machine or Sandboxie is detected.

Backdoor capabilities
Palevo.J connects to the Mariposa botnet on one of the following URLs and waits for instructions:
It has the capability to steal Firefox/IE passwords and to generate UDP floods and TCP SYN floods for Denial of Service attacks.

1. Copies itself to "X:\RECYCLER\$RecyclerDir\sysdate.exe"
where X: is the drive of the Windows installation
and $RecyclerDir is a random name such as

2. Creates "X:\RECYCLER\$RecyclerDir\Desktop.ini" with contents


so that the folder $RecyclerDir, which contains the malware, is displayed as "Recycle Bin" in Explorer.
The malware executable (sysdate.exe) does not show up in the Recycle Bin.

3. Sets
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" to
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" to
explorer.exe, "X:\RECYCLER\$RecyclerDir\sysdate.exe"
in order to run the malware at system boot

4. Injects itself into explorer.exe and into the process with the smallest PID (System)
Creates the mutex i4__s__frgk665fx to ensure that the injected code doesn't run in multiple instances
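As an added defender-side example (not part of BitDefender's description), the following Python checks the two Winlogon values and an autorun.inf for the indicators listed above. It does not read the live registry; the registry values and autorun.inf text are constructed samples, and the SID digits in them are made up.

```python
import re

# On a clean Windows install Winlogon\Shell is the bare "explorer.exe" and the
# Taskman value does not exist at all, so anything else is worth a look.
EXPECTED_SHELL = "explorer.exe"
# Path shape used by this family: X:\RECYCLER\S-1-5-21-<digits>\<name>.exe
RECYCLER_RE = re.compile(r"(?i)[a-z]:\\recycler\\s-1-5-21(?:-\d+)+\\[^\\]+\.exe")


def split_shell_value(value):
    """Winlogon\\Shell is a comma-separated list; Windows launches each entry.
    Return the entries with surrounding whitespace and quotes removed."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_winlogon(values):
    """values: dict of value name -> data read from
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.
    Returns a list of human-readable findings (empty means clean)."""
    findings = []
    for entry in split_shell_value(values.get("Shell", EXPECTED_SHELL)):
        if entry.lower() == EXPECTED_SHELL:
            continue
        tag = "RECYCLER path" if RECYCLER_RE.search(entry) else "unexpected entry"
        findings.append(f"Shell: {tag}: {entry}")
    taskman = values.get("Taskman")
    if taskman:
        tag = "RECYCLER path" if RECYCLER_RE.search(taskman) else "unexpected value"
        findings.append(f"Taskman: {tag}: {taskman}")
    return findings


def check_autorun_inf(text):
    """Flag [autorun] directives that launch a program from the drive root;
    this worm's autorun.inf points at X:\\folder.tmp\\tmp.exe."""
    findings = []
    for line in text.splitlines():
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key in ("open", "shellexecute", "shell\\open\\command"):
            if "folder.tmp" in val.lower() or val.lower().endswith(".exe"):
                findings.append(f"autorun.inf '{key}' launches {val}")
    return findings


# Constructed sample data modelled on the indicators above (SID digits made up).
SAMPLE_WINLOGON = {
    "Shell": 'explorer.exe, "C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\sysdate.exe"',
    "Taskman": "C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\sysdate.exe",
}
SAMPLE_AUTORUN = "[autorun]\nopen=folder.tmp\\tmp.exe\nshellexecute=folder.tmp\\tmp.exe\n"
```

Running `check_winlogon(SAMPLE_WINLOGON)` reports both values as RECYCLER paths, and `check_autorun_inf(SAMPLE_AUTORUN)` reports the two launch directives.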