
Worm.P2p.Palevo.B

MEDIUM
LOW
~110KB
(Rimecud.B, HLLW.Lime, Peerfrag, Pilleuz)

Symptoms

Computer connects to several URLs:
    bfisback.[REMOVED].org
    butterfly.[REMOVED].es
    qwertasdfg.[REMOVED].es
The connections originate from "explorer.exe".
"explorer.exe" accepts UDP connections.
Presence of the hidden "sysdate.exe" in the folder "%systemdrive%\RECYCLER\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx", where each x is a random digit.
References to this executable file in one of the following registry keys:
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman"
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
Presence of the infected file in P2P programs share folders.

Infected USB storage mediums present the following autorun.inf file in the root folder, as well as the file "ReCYCleR\sEtup32.exe".
[AuToRuN]
UsEAUtOpLaY=1
ShElL\OpEn=Open
SHELL\OpEn\CoMmAnD=ReCYCleR\sEtup32.exe
OPEN=ReCYCleR\sEtup32.exe
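The following Python script is an added defender-side example, not code from Bitdefender's page: it parses an autorun.inf with section and key names compared case-insensitively (the worm's mixed-case spelling defeats naive exact-string matching), flags launch targets that live under a RECYCLER folder, and checks exported Winlogon Taskman/Shell values for the sysdate.exe path described above. The SAMPLE_* inputs are constructed, and the SID in them is made up.

```python
import re
# Indicators are those in the description above; the SAMPLE_* inputs at the bottom are constructed.
SID_RECYCLER_SYSDATE = re.compile(r"\\RECYCLER\\S-1-5-21-\d+-\d+-\d+-\d+\\sysdate\.exe$", re.IGNORECASE)
WINLOGON_VALUES = ("Taskman", "Shell")  # Winlogon values the worm hijacks for persistence

def autorun_launch_targets(text):
    """Programs an autorun.inf launches (Open= / shell\\...\\command=); names matched case-insensitively."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section != "autorun" or not sep:
            continue
        key = key.strip().lower()
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def autorun_is_suspicious(text):
    """True if autorun.inf launches anything from a RECYCLER folder or a file named setup32.exe."""
    for target in autorun_launch_targets(text):
        path = target.lower().replace("/", "\\").lstrip(".\\")
        if path.startswith("recycler\\") or path.endswith("setup32.exe"):
            return True
    return False

def suspicious_winlogon_values(values):
    """values maps Winlogon value names to their data (exported from the Winlogon key named above);
    returns (name, path) pairs that point at sysdate.exe under a per-SID RECYCLER folder."""
    hits = []
    for name in WINLOGON_VALUES:
        for entry in values.get(name, "").split(","):  # Shell may hold a comma-separated list
            path = entry.strip().strip('"')
            if SID_RECYCLER_SYSDATE.search(path):
                hits.append((name, path))
    return hits
SAMPLE_AUTORUN = r"""[AuToRuN]
UsEAUtOpLaY=1
ShElL\OpEn=Open
SHELL\OpEn\CoMmAnD=ReCYCleR\sEtup32.exe
OPEN=ReCYCleR\sEtup32.exe
"""
SAMPLE_SYSDATE = r"C:\RECYCLER\S-1-5-21-1234567890-1234567890-123456789-1234\sysdate.exe"  # made-up SID
SAMPLE_WINLOGON = {"Shell": "explorer.exe," + SAMPLE_SYSDATE, "Taskman": SAMPLE_SYSDATE}
```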

Removal instructions:

Please let BitDefender disinfect your files.


Analyzed By

Mihai Stoicoi, virus researcher

Technical Description:

Spreading methods:
Supports P2P: Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, LimeWire.
Supports MSN Messenger as vector.
Supports infecting USB Media.


Has Mozilla and IE password harvesting capability.

Has TCP/UDP flooding capabilities.

Has Backdoor capability.


The infected exe installs itself on the system by copying itself into the RECYCLER folder and adding itself to the registry so that it is active at startup; it then decrypts code on the stack and injects it into "explorer.exe". This injected component is the payload.

explorer.exe holds mutex: i4__s__frgk665fn.