Worm.P2P.Palevo.J (Rimecud, Boaxxe)
SYMPTOMS:
1. explorer.exe attempts to connect to several URLs
2. Presence of the hidden file c:\Recycler\S-1-5-21-[random digits]\sysdate.exe
3. Two new files are created in the root of removable drives: autorun.inf and folder.tmp\tmp.exe
4. The following registry values point to sysdate.exe:
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
5. New executables in the P2P share folders

TECHNICAL DESCRIPTION:
This is a variant of the Butterfly bot kit, which used to be sold at bfse[removed].net.

Spreading
It has three propagation vectors: MSN messages, USB drives and P2P shares. If an external drive X: is detected on the system, the file X:\autorun.inf is created, pointing to a copy of the malware at X:\folder.tmp\tmp.exe. When the disk is inserted into another computer, the worm is executed automatically. Another spreading mechanism is through P2P shares (Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+ and LimeWire are supported).

Obfuscation
The malware breaks AV emulation with a series of obscure CPU instructions and then decrypts its code on the stack. To complicate analysis, it refuses to run if a debugger, a virtual machine or Sandboxie is detected.

Backdoor capabilities
Palevo.J connects to the Mariposa botnet at one of the following addresses and waits for instructions:
butterfly.BigM[removed].biz:5907
butterfly.si[removed].es:5907
qwertasdfg.si[removed].es:5907
It has the capability to steal Firefox and Internet Explorer passwords and to generate UDP floods and TCP SYN floods for Denial of Service attacks.

Behavior
1. Copies itself to "X:\RECYCLER\$RecyclerDir\sysdate.exe", where X: is the drive of the Windows installation and $RecyclerDir is a random name such as S-1-5-21-3195918175-0516443723-305921711-2405
2. Creates "X:\RECYCLER\$RecyclerDir\Desktop.ini" with the contents
   [.ShellClassInfo]
   CLSID={645FF040-5081-101B-9F08-00AA002F954E}
   so that the folder $RecyclerDir, which contains the malware, appears as "Recycle Bin" in Explorer. The malware executable (sysdate.exe) does not show up in the Recycle Bin view.
3. Sets "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" to "X:\RECYCLER\$RecyclerDir\sysdate.exe"
   Sets "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" to explorer.exe, "X:\RECYCLER\$RecyclerDir\sysdate.exe" so that the malware runs at system boot
4. Injects itself into explorer.exe and into the process with the lowest PID (System)
   Creates the mutex i4__s__frgk665fx to ensure that the injected code does not run in multiple instances

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Horea Coroiu, virus researcher
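As an added defender-side example (not part of the BitDefender write-up), the following Python checks the persistence and spreading indicators listed in the Behavior section against values already read from a host: the Winlogon Shell and Taskman strings, the text of a removable drive's autorun.inf, and a RECYCLER subfolder's Desktop.ini together with its file list. Sample inputs are constructed from the values quoted above; the autorun.inf key names are an assumption, since the write-up only says the file points at folder.tmp\tmp.exe.

```python
import re
from configparser import ConfigParser, Error as ConfigError

# Indicators from the write-up: Winlogon Shell/Taskman pointing at sysdate.exe inside a
# RECYCLER\S-1-5-21-... folder, an autorun.inf launching folder.tmp\tmp.exe, and a
# Desktop.ini carrying the Recycle Bin CLSID next to that executable.
RECYCLER_SYSDATE_RE = re.compile(r"\\RECYCLER\\S-1-5-21(?:-\d+)+\\sysdate\.exe$", re.I)
TMP_EXE_RE = re.compile(r"folder\.tmp\\tmp\.exe", re.I)
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

def winlogon_findings(shell, taskman):
    """Classify the Winlogon Shell (comma-separated list) and Taskman values.
    Shell = explorer.exe alone and an absent Taskman value are the normal state."""
    findings = []
    for entry in shell.split(","):
        path = entry.strip().strip('"')
        if not path or path.lower() == "explorer.exe":
            continue
        hit = bool(RECYCLER_SYSDATE_RE.search(path))
        findings.append(("shell_recycler_sysdate" if hit else "shell_extra_entry", path))
    if taskman:
        path = taskman.strip().strip('"')
        hit = bool(RECYCLER_SYSDATE_RE.search(path))
        findings.append(("taskman_recycler_sysdate" if hit else "taskman_set", path))
    return findings

def autorun_findings(autorun_text):
    """(key, value) pairs under [autorun] whose value references folder.tmp\\tmp.exe.
    Which keys the worm uses (open, shellexecute, ...) is not stated on the page, so
    every value in the section is checked (assumed layout, not taken from a sample)."""
    cp = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(autorun_text)
    except ConfigError:  # junk before the section header, or no header at all
        return []
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return [] if section is None else [(k, v) for k, v in cp.items(section) if TMP_EXE_RE.search(v)]

def recycler_folder_suspicious(desktop_ini_text, filenames):
    """The Recycle Bin CLSID makes Explorer show the folder as 'Recycle Bin', but genuine
    per-user Recycle Bin folders carry the same Desktop.ini; the tell is sysdate.exe beside it."""
    masquerade = RECYCLE_BIN_CLSID.lower() in desktop_ini_text.lower()
    return masquerade and any(f.lower() == "sysdate.exe" for f in filenames)

if __name__ == "__main__":
    # Constructed sample values, modelled on the registry data quoted in the write-up.
    sysdate = r"C:\RECYCLER\S-1-5-21-3195918175-0516443723-305921711-2405\sysdate.exe"
    print(winlogon_findings(f'explorer.exe, "{sysdate}"', sysdate))
    print(autorun_findings("[autorun]\nopen=folder.tmp\\tmp.exe\nicon=shell32.dll,4\n"))
```

On a live host the three inputs would come from the Winlogon registry key, the drive root and the RECYCLER directory listing respectively; the functions deliberately take plain strings so they can also be run over collected artifacts offline.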