
Worm.P2P.Palevo.AT

HIGH
MEDIUM
~180 kbytes
(Win32.HLLW.Lime.18; P2P-Worm.Win32.Palevo)

Symptoms

     - The following hidden file will be present on an infected system:
             c:\RECYCLER\[random_recycler_folder]\nissan.exe

     - And the following registry value pointing to nissan.exe:
             HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

     - explorer.exe attempts to connect to various sites, such as:
             sandra.pricha[removed].com
             pica.banjalucke-ljepot[removed].com
             l33t.brand-clo[removed].com

     - Each time a removable drive is inserted, the following files will be created on it:
             an autorun.inf file pointing to ZALJUBIT\dousiju.exe


Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

     When executed, the worm injects its code into explorer.exe, so every action the worm takes appears to be executed by Windows Explorer.
The injected code will then perform the following actions:

     - create a hidden copy of the worm under:
            c:\RECYCLER\[random_recycler_folder]\nissan.exe
            (an example of a random recycler folder name: S-1-5-21-9844392106-7672706631-221574024-0507)

     - modify the registry by adding the following value:
            HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
            Name: Taskman
            Value: c:\RECYCLER\[random_recycler_folder]\nissan.exe
            This will execute the worm after every system reboot.

      - create a hidden file named desktop.ini in the same folder as nissan.exe, with the following contents:
              [.ShellClassInfo]
              CLSID={645FF040-5081-101B-9F08-00AA002F954E}
              With this modification, the folder containing nissan.exe shows the Recycle Bin icon instead of the normal folder icon. Also, when opened in Windows Explorer it displays the contents of the Recycle Bin rather than its two files, nissan.exe and desktop.ini.
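The three host artifacts described in the Symptoms and Technical Description sections (the Winlogon\Taskman value, the desktop.ini Recycle Bin masquerade, and the autorun.inf left on removable drives) are all plain text, so they can be checked mechanically. The following is an added triage helper written for this description; it is not Bitdefender's code. The function names, the artifact dictionary keys and the sample inputs are all constructed for illustration, and the script assumes the artifacts have already been collected from the suspect host as text.

```python
"""
Added triage helper (not Bitdefender's tooling): checks text artifacts
collected from a suspect host against the Worm.P2P.Palevo.AT indicators
listed on this page. All sample inputs below are constructed.
"""
import configparser
import re

# Indicators taken from the description above.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
USB_DROPPER = r"ZALJUBIT\dousiju.exe"
# The folder under RECYCLER is random (the page shows an SID-like name),
# so any single path component is accepted there.
TASKMAN_RE = re.compile(r"^c:\\recycler\\[^\\]+\\nissan\.exe$", re.IGNORECASE)


def parse_ini(text):
    """Parse INI-style text (autorun.inf, desktop.ini) into
    {section_lower: {key_lower: value}}. Malformed input yields {}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def autorun_targets(text):
    """Executables an autorun.inf would launch: the open and shellexecute
    keys plus any shell\\<verb>\\command entry, in file order."""
    autorun = parse_ini(text).get("autorun", {})
    targets = []
    for key, value in autorun.items():
        is_launch_key = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch_key and value:
            targets.append(value.strip().strip('"'))
    return targets


def autorun_points_to_dropper(text):
    """True if any launch target ends with ZALJUBIT\\dousiju.exe."""
    return any(t.lower().endswith(USB_DROPPER.lower())
               for t in autorun_targets(text))


def desktop_ini_masquerades_as_recycle_bin(text):
    """True if desktop.ini assigns the Recycle Bin CLSID to the folder."""
    clsid = parse_ini(text).get(".shellclassinfo", {}).get("clsid", "")
    return clsid.strip().upper() == RECYCLE_BIN_CLSID


def taskman_value_is_suspicious(value):
    """Winlogon\\Taskman is normally absent; a value naming nissan.exe
    under RECYCLER matches this worm's persistence."""
    return bool(TASKMAN_RE.match(value.strip()))


def triage(artifacts):
    """artifacts: dict with optional keys 'taskman', 'desktop_ini' and
    'autorun_inf' holding raw text. Returns the matched indicators."""
    findings = []
    if taskman_value_is_suspicious(artifacts.get("taskman", "")):
        findings.append("winlogon_taskman_persistence")
    if desktop_ini_masquerades_as_recycle_bin(artifacts.get("desktop_ini", "")):
        findings.append("recycler_folder_masquerade")
    if autorun_points_to_dropper(artifacts.get("autorun_inf", "")):
        findings.append("removable_drive_autorun")
    return findings


# Constructed samples mirroring the artifacts named on the page.
SAMPLE_HOST = {
    "taskman": r"c:\RECYCLER\S-1-5-21-9844392106-7672706631-221574024-0507\nissan.exe",
    "desktop_ini": "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n",
    "autorun_inf": "[autorun]\nopen=ZALJUBIT\\dousiju.exe\n"
                   "shell\\open\\command=ZALJUBIT\\dousiju.exe\n"
                   "icon=%SystemRoot%\\system32\\shell32.dll,4\n",
}
# A benign autorun.inf (constructed) that only sets a label and icon.
CLEAN_AUTORUN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"

if __name__ == "__main__":
    print("infected host:", triage(SAMPLE_HOST))
    print("clean autorun.inf targets:", autorun_targets(CLEAN_AUTORUN))
```

The autorun.inf check looks at every launch key rather than just `open`, because an autorun.inf can start its payload through `shellexecute` or a `shell\<verb>\command` entry as well; the Taskman check deliberately matches any folder name under RECYCLER since the page states that component is random.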

Spreading methods:

     - via removable drives, by creating a copy of itself under ZALJUBIT\dousiju.exe on every removable drive used and an autorun.inf file pointing to this copy
     - via MSN Messenger
     - via P2P shares such as: BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+, LimeWire

     In order to avoid AV detection it comes encrypted, it stops emulation, and it won't run if VMware, Sandboxie or a debugger is detected.
     It carries Microsoft Word version info and a GIF file icon in order to mislead the user into executing it, or when seen in Task Manager or Process Explorer.