Size: approx 100 kb

Aliases: Backdoor.Win32.IRCBot.oyd, Worm:Win32/Pushbot.RK, P2P-Worm:W32/Palevo.CF


Unwanted messages sent to friends via IM clients containing a link to a photo.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Bogdan Timofte, virus researcher; Alexandru Maximciuc, virus researcher

Technical Description:

Worm.P2P.Palevo.DP spreads automatically via IM spam. The message tricks the user into saving what appears to be a .JPG file but is in fact an executable concealing the malicious payload, Worm.P2P.Palevo.DP. When the user tries to open the file, the malicious code is launched.

The worm creates four hidden files in the Windows folder:


where [FilePath] is one of %Windir%, %Public% or %ProgramFiles%, depending on which of these folders the worm is able to write to.

It then modifies the following registry keys to point to these files, in order to bypass the OS's firewall:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "[FilePath]\infocard.exe"]

The worm establishes a connection to an IRC server at "dbs[removed]" or "e2[removed]" on port 2345 and waits for commands. It responds to the following commands:

- "" - starts a thread that downloads a file and executes it.

- "r.gfstop" - stops the download-and-execute thread.

- "yah.msg" - sends Yahoo IM messages containing an infected link.

- "msn.msg" - sends both Yahoo and MSN IM messages containing an infected link, for example: ".msn.msg foto :D http://[removed]image.php?= ". The infected links point to multiple domains hosting the worm.

- "msn.stop" - stops the running message-sending thread.