Worm.P2P.Palevo.BS

LOW
LOW
217600

Symptoms

- explorer.exe attempts to connect to several URLs

- Presence of the hidden file c:\Recycler\S-1-5-21-[random digits]\nissan.exe

- Two new files are created on the root of removable drives: autorun.inf file and TWINS\burebaruta.exe
- The following registry key points to nissan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
- New executables in the P2P share folders

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This is another worm from the Palevo family. It shares most of its capabilities with the rest of its kind. When executed, it first injects its decrypted body into Explorer.exe; the original process then exits, and all further malicious actions are carried out inside explorer.exe. The worm creates a named mutex, aljsughu55, to avoid running multiple instances. A named pipe, iuuualj55, is also created. It then creates a randomly named folder inside Recycler, e.g. S-1-5-21-0839346990-6652710400-120536083-0614, and places two files in it: desktop.ini, containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
and an application, nissan.exe, which is a copy of the worm. Because the CLSID in desktop.ini is that of the Recycle Bin, opening the newly created folder displays the contents of the Recycle Bin instead of the dropped files.
o Ability to spread via different P2P clients: Ares, BearShare, Kazaa, DC++, eMule, LimeWire
o Ability to spread via infected USB drives: when a USB drive is plugged into an infected computer, the worm creates an autorun.inf file pointing to a copy of the worm, located at TWINS\burebaruta.exe on the affected drive
o Backdoor ability: it connects to various addresses belonging to the Mariposa botnet and waits for further instructions, such as stealing Firefox passwords or initiating a TCP/UDP SYN flood attack
o In order to be executed during startup, the following registry key is added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman, pointing to the infected file inside Recycler\S-1-5-21-0839346990-6652710400-120536083-0614\nissan.exe
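The indicators above (the Winlogon\Taskman value, the autorun.inf dropper path and the mutex name) can be checked mechanically against artifacts collected from a suspect machine. The following triage helper is an added example written for this page, not Bitdefender's code; the registry value, autorun.inf text and mutex listing it consumes are constructed samples modelled on the description.

```python
import re

# Indicators are the ones listed in the write-up; all sample inputs below are constructed.
TASKMAN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman"
RECYCLER_DROPPER = re.compile(r"\\Recycler\\S-1-5-21-[\d-]+\\nissan\.exe$", re.IGNORECASE)
USB_DROPPER = re.compile(r"(?:^|\\)TWINS\\burebaruta\.exe$", re.IGNORECASE)
MUTEX_NAME = "aljsughu55"
AUTORUN_CMD = re.compile(r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def check_taskman(value):
    """Winlogon\\Taskman is normally absent; a value ending in Recycler\\S-1-5-21-*\\nissan.exe matches the worm."""
    path = (value or "").strip().strip('"')
    if RECYCLER_DROPPER.search(path):
        return f"{TASKMAN_KEY} = {path}"
    return None

def check_autorun(text):
    """Walk the [autorun] section of an autorun.inf and flag open= / shellexecute= targets of TWINS\\burebaruta.exe."""
    in_autorun = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_autorun = stripped.lower() == "[autorun]"
            continue
        m = AUTORUN_CMD.match(line) if in_autorun else None
        if m and USB_DROPPER.search(m.group(2).strip('"')):
            return f"autorun.inf {m.group(1).lower()}={m.group(2)}"
    return None

def check_mutexes(names):
    """The worm takes the mutex aljsughu55 to avoid running twice; seeing it in a handle listing indicates a live infection."""
    return f"mutex {MUTEX_NAME}" if MUTEX_NAME in names else None

def triage(taskman_value, autorun_text, mutex_names):
    """Return the list of matched indicators; an empty list means nothing from this write-up was found."""
    checks = (check_taskman(taskman_value), check_autorun(autorun_text), check_mutexes(mutex_names))
    return [f for f in checks if f]

# Constructed sample artifacts (hypothetical machine), modelled on the indicators in the description.
SAMPLE_TASKMAN = r"C:\Recycler\S-1-5-21-0839346990-6652710400-120536083-0614\nissan.exe"
SAMPLE_AUTORUN = "[autorun]\nopen=TWINS\\burebaruta.exe\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
SAMPLE_MUTEXES = ["ShimCacheMutex", "aljsughu55"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_TASKMAN, SAMPLE_AUTORUN, SAMPLE_MUTEXES):
        print("MATCH:", finding)
```

On a real host the three inputs would come from a registry export, the autorun.inf read from each removable drive, and a handle/mutex listing from a live-response tool.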