- explorer.exe attempts to connect to several URLs
- Presence of the hidden file c:\Recycler\S-1-5-21-[random digits]\nissan.exe
- Two new files are created in the root of removable drives: an autorun.inf file and TWINS\burebaruta.exe
- The registry value HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman points to nissan.exe
- New executables in the P2P share folders
Please let BitDefender disinfect your files.
Lutas Andrei Vlad, virus researcher
This is another worm from the Palevo family. It shares most of its capabilities with the rest of its kind. When executed, it first injects its decrypted body into Explorer.exe; the original process then exits, and all further malicious actions are carried out inside explorer.exe. The worm creates a named mutex, aljsughu55, to avoid running multiple instances. A named pipe is also created: iuuualj55. It then creates a randomly-named folder inside Recycler, e.g. S-1-5-21-0839346990-6652710400-120536083-0614. Here it creates two files: desktop.ini, containing:
and an application, nissan.exe, which is actually a copy of the worm. When the newly created folder is opened, the contents of the Recycle Bin are displayed instead.
o Ability to spread via different P2P clients: Ares, BearShare, Kazaa, DC++, eMule, LimeWire
o Ability to spread via infected USB drives; when a USB drive is plugged into an infected computer, the worm creates an autorun.inf file pointing to a copy of the worm, located at TWINS\burebaruta.exe on the affected drive
o Backdoor ability: it connects to various addresses belonging to the Mariposa botnet and waits for further instructions, such as stealing Firefox passwords or launching a TCP/UDP SYN flood attack.
o In order to be executed at startup, the following registry key is added:
HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman, pointing to the infected file inside Recycler\S-1-5-21-0839346990-6652710400-120536083-0614\nissan.exe
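Two of the indicators above (the autorun.inf dropped on removable drives and the Winlogon\Taskman persistence value) can be checked offline from collected artifacts. The following is an added example written for this page, not BitDefender's tooling; the sample autorun.inf and registry value are constructed to match the write-up, and the autorun.inf parsing rules (open, shellexecute, shell\<verb>\command) are assumed from the Windows autorun format.

```python
import configparser
import re
import shlex
from pathlib import PureWindowsPath

# Indicators quoted from the write-up above.
WORM_COPY_ON_DRIVE = PureWindowsPath("TWINS/burebaruta.exe")
TASKMAN_PATTERN = re.compile(
    r"^(?:[a-z]:)?\\recycler\\s-1-5-21(?:-\d+)+\\nissan\.exe$", re.IGNORECASE)


def autorun_targets(autorun_text: str) -> list:
    """Return every program an autorun.inf would launch: the 'open' and
    'shellexecute' entries plus any shell\\<verb>\\command entry."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(autorun_text)
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            k = key.lower()
            if k in ("open", "shellexecute") or (
                    k.startswith("shell\\") and k.endswith("\\command")):
                # first token is the program; posix=False keeps backslashes
                tokens = shlex.split(value, posix=False)
                if tokens:
                    targets.append(tokens[0].strip('"'))
    return targets


def autorun_is_suspicious(autorun_text: str) -> bool:
    """True when the autorun.inf launches the worm copy named in this write-up.
    PureWindowsPath compares case-insensitively, as Windows does."""
    return any(PureWindowsPath(t.lstrip("\\")) == WORM_COPY_ON_DRIVE
               for t in autorun_targets(autorun_text))


def taskman_is_suspicious(taskman_value: str) -> bool:
    """True when a Winlogon\\Taskman value points into Recycler\\S-1-5-21-...\\nissan.exe."""
    return TASKMAN_PATTERN.match(taskman_value.strip().strip('"')) is not None


# Constructed sample inputs (not captured from a real infection).
INFECTED_AUTORUN = ("[autorun]\n"
                    "open=TWINS\\burebaruta.exe\n"
                    "shell\\open\\command=TWINS\\burebaruta.exe\n"
                    "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
BENIGN_AUTORUN = "[AutoRun]\nopen=setup.exe\nicon=setup.exe,0\n"
INFECTED_TASKMAN = r"C:\Recycler\S-1-5-21-0839346990-6652710400-120536083-0614\nissan.exe"

if __name__ == "__main__":
    print("autorun.inf (infected):", autorun_is_suspicious(INFECTED_AUTORUN))
    print("autorun.inf (benign):  ", autorun_is_suspicious(BENIGN_AUTORUN))
    print("Taskman value:         ", taskman_is_suspicious(INFECTED_TASKMAN))
```

On a live host the same functions can be fed the contents of each removable drive's autorun.inf and the exported Taskman value; a hit on either is a strong signal to run a full disinfection.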