Win32.Worm.Prolaco.S

MEDIUM
MEDIUM
approx 45k

Symptoms

Unwanted e-mails sent to your friends disguised as greeting cards.

Presence of executable files with name of cracks or keygens of different programs.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

CristinaVatamanu, virus researcher

Technical Description:

Worm.Prolaco wraps its code in multiple layers of encryption and packing and consists of two components.

First component:

    It spreads in two ways:

    1. Via e-mail, disguised as a greeting card. The e-mail carries a zip attachment containing an executable whose name impersonates a .doc, .chm, .pdf, .jpg or .htm file, with a run of spaces pushing the real extension out of view (example: "card.pdf                                 .exe", "document.chm                     exe"). The .exe extension is easy to miss, especially when Windows is configured to hide extensions for known file types. Once the file inside the zip is opened, the malicious payload runs.
       To guess the mail server associated with a recipient's domain, the worm uses the following strings (with %s standing for the domain) as prefixes for the MX record lookup: smtp.%s, mxs.%s, mx.%s, mx1.%s, ns.%s, mail1.%s, mail.%s, relay.%s, gate.%s.
    2. Via USB or other removable drives: it creates an autorun.inf file that launches an executable, currently seen as redmond.exe, though the name may vary in newer versions.

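As an added example (not part of the Bitdefender advisory), a mail-gateway style check in Python that flags attachment names using the whitespace-padding and decoy-extension trick described above; the zip contents are constructed and the function names are assumptions.

```python
import io
import re
import zipfile

# Document/image extensions the worm's attachments impersonate (from the advisory).
DECOY_EXTENSIONS = (".doc", ".chm", ".pdf", ".jpg", ".htm")
# A decoy name, two or more spaces of padding, then the real extension (with or
# without its dot, matching both samples quoted in the advisory).
PADDED_EXE = re.compile(r"^(\S.*?)\s{2,}\.?exe$", re.IGNORECASE)

def analyze_attachment_name(name):
    """Describe how a file name tries to hide that it is an executable."""
    result = {"is_executable": name.rstrip().lower().endswith(".exe"),
              "padded_extension": False, "decoy_extension": None}
    m = PADDED_EXE.match(name)
    if m:
        result["padded_extension"] = True
        visible = m.group(1)                # what a narrow file list would show
    elif result["is_executable"]:
        visible = name[:-4]                 # strip ".exe": double-extension case
    else:
        visible = name
    for ext in DECOY_EXTENSIONS:
        if visible.rstrip().lower().endswith(ext):
            result["decoy_extension"] = ext
    return result

def is_suspicious(name):
    """Padding before the extension, or a decoy extension in front of .exe."""
    r = analyze_attachment_name(name)
    return r["padded_extension"] or (r["is_executable"] and r["decoy_extension"] is not None)

def suspicious_members(zip_bytes):
    """Names inside a zip attachment that should be blocked or quarantined."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_suspicious(n)]

def build_sample_zip():
    """Constructed attachment: one padded-name executable beside a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("card.pdf                                 .exe", b"not a real PE")
        zf.writestr("greeting.txt", b"Happy holidays!")
    return buf.getvalue()
```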

    The worm creates a hidden copy of itself in the system folder. Possible names for this copy:

        [system folder]\wmimngr.exe;
        [system folder]\jusched.exe;
        [system folder]\wfmngr.exe.
    
    The malware also creates multiple copies of itself in locations used for file sharing, posing as cracks or keygens for different programs. Example:
        Microsoft Office 2007 Home and Student keygen.exe
        Total Commander7 license+keygen.exe
        LimeWire Pro v4.18.3.exe
        Download Accelerator Plus v8.7.5.exe
        Opera 9.62 International.exe
        Internet Download Manager V5.exe
        Myspace theme collection.exe
    
    It drops the second component in the system folder. Possible names for this component are:
        [system folder]\wpmgr.exe;
        [system folder]\java01.exe;
        [system folder]\wupmgr.exe.

    It modifies the following Windows Registry entries:

        - to run its copy from the system folder at startup
            subkey -> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
            value  -> SunJavaUpdateSched01
            data   -> <%system folder%>\copy_name

        - to turn off User Account Control (the notifications shown when programs try to install software or make changes to the computer)
            subkey -> SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
            value  -> EnableLUA
            data   -> 0

        - to stop Windows Security Center from notifying that User Account Control is disabled
            subkey -> SOFTWARE\Microsoft\Security Center
            value  -> UACDisableNotify
            data   -> 1

        - to add the copy from the system folder to the Windows Firewall list of authorized applications
            subkey -> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
            value  -> <%system folder%>\copy_name
            data   -> <%system folder%>copy_name:*:Enabled:Explorer\x00
        [copy_name is the hidden copy in the system folder]

Second component:

    The second component has two behaviours: it acts as a keylogger, recording all keystrokes to a file named lsm.dll in the Windows folder, and as a backdoor.
It injects its malicious code into the iexplore.exe process without writing it to disk.
It creates a hidden copy of itself as <%windows folder%>\nvscpapisvr.exe.
It tries to connect to ci[removed]hop.net and then receives various commands from that host:
    - to modify the registry;
    - to start or kill processes;
    - to modify graphics settings (resolution, refresh frequency);
    - to access drives;
    - to scan ports;
    - to download/execute files to/from memory;
    - to terminate antivirus processes (Avast, AVG, BitDefender, Kaspersky, Nod32, Norman, Panda etc.);
    - to steal passwords:
        - Firefox passwords, read from signons2.txt or signons3.txt;
        - Internet Explorer passwords;
        - IM account passwords: Yahoo, MSN, Miranda, Gadu-Gadu, Pidgin (by reading purple\accounts.xml), Trillian;
    - to steal cookies;
    - to connect to FTP servers;
    - to upload to FTP servers;
    - to change service settings (disable, enable etc.);
    - to monitor the USB ports for spreading.

It creates a local server listening on port 3360.
It creates a mutex (in this sample "Mutant\BaseNamedObjects\206I435T").
It modifies the Registry:
    - to run its copy when windows starts
        subkey  -> HKCU\Software\Microsoft\Windows\CurrentVersion\Run
        value   -> Java micro kernel
        data    -> <%windows folder%>\nvscpapisvr.exe
    - to run its copy at user logon
        subkey  -> HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
        value   -> Java micro kernel
        data    -> <%windows folder%>\nvscpapisvr.exe

This second component is a custom-generated file:
    - it contains a resource named 'CFG' where the per-build settings are stored:
        - mutex name
        - address to connect to (ci[removed]hop.net in this case)
        - value name used in the Registry (Java micro kernel in this case)
        - log file name (lsm.dll in this case)
    - because it is injected directly into the memory space of iexplore.exe, the builder does not need to modify the code beyond that resource, and the outbound connections appear to come from the browser, which lets it bypass the firewall.
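As an added example covering the Registry changes listed for both components (not part of the Bitdefender advisory), this Python script scans an exported .reg file for the persistence, UAC and firewall indicators above. It assumes HKEY_LOCAL_MACHINE for the EnableLUA and UACDisableNotify values, which the advisory lists without a hive; the sample export and the function names are constructed.

```python
import re

# Hidden-copy file names the advisory lists for both components.
DROPPED_NAMES = {"wmimngr.exe", "jusched.exe", "wfmngr.exe", "wpmgr.exe",
                 "java01.exe", "wupmgr.exe", "nvscpapisvr.exe"}
# (key, value name, expected data; None = any data). HKLM assumed for the two UAC values.
HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
INDICATORS = [
    (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run", "SunJavaUpdateSched01", None),
    (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run", "Java micro kernel", None),
    (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "Java micro kernel", None),
    (HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 0),
    (HKLM + r"\SOFTWARE\Microsoft\Security Center", "UACDisableNotify", 1),
]
# "name"="string" or "name"=dword:xxxxxxxx, the two value forms used here.
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
unescape = lambda s: s.replace("\\\\", "\\")   # .reg files double every backslash

def parse_reg_export(text):
    # Parse the .reg subset above into {key: {value name: data}}; key and value names lower-cased.
    entries, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
        elif key and (m := VALUE_LINE.match(line)):
            name, dword, string = m.groups()
            entries[key][unescape(name).lower()] = int(dword, 16) if dword else unescape(string)
    return entries

def find_indicators(reg_text):
    """Return [(key, value name, data)] for each Prolaco indicator present in the export."""
    entries, hits = parse_reg_export(reg_text), {}
    for key, name, expected in INDICATORS:
        data = entries.get(key.lower(), {}).get(name.lower())
        if data is not None and (expected is None or data == expected):
            hits[(key.lower(), name.lower())] = data
    # Any value naming a dropped file also counts; this catches the firewall List entry, whose value name is the path.
    for key, values in entries.items():
        for name, data in values.items():
            if any(d in f"{name} {data}".lower() for d in DROPPED_NAMES):
                hits.setdefault((key, name), data)
    return [(k, n, d) for (k, n), d in sorted(hits.items())]

# Constructed export: one benign Run entry plus three Prolaco indicators.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched01"="C:\\WINDOWS\\system32\\jusched.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jusched.exe"="C:\\WINDOWS\\system32\\jusched.exe:*:Enabled:Explorer"
'''
```

On a live machine the same function can be fed the output of `reg export` for the HKCU and HKLM hives listed above.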