
Worm:JS/Proslikefan.gen!D


First posted on 18 June 2013.
Source: Microsoft

Aliases:

Worm:JS/Proslikefan.gen!D is also known as JS/Proslikefan.A.3 (Avira), Troj/ObfJS-EF (Sophos).

Explanation:

Worm:JS/Proslikefan.gen!D is a polymorphic worm that can change your computer settings, block security-related processes and download files.

Installation

When run, this worm creates hidden folders with a random name in the following locations:

  • %ProgramFiles%
  • %APPDATA%
  • <startup folder>


It then drops a variant of itself, also with a random name, into the hidden folder. For example:

  • %ProgramFiles%\6f80\6e816.js
  • %APPDATA%\7088\669e.js
  • <startup folder>\34d.js


It creates the following registry entry to ensure that it runs each time you start your computer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "669e"
With data: "%APPDATA%\<random alphanumeric characters>\<random alphanumeric characters>.js"

Spreads via...

Removable drives and network shares

This worm tries to spread itself across all the drives on your computer, including removable drives and shared network drives.

It creates a file named "autorun.inf" in each folder. If this file is run from a computer that has AutoRun enabled, it automatically runs the worm copy.

File-sharing networks

This worm creates a randomly named .zip file that it copies to folders used by file-sharing programs, such as the following:

  • ares\my shared folder
  • bearshare\shared
  • edonkey2000\incoming
  • emule\incoming
  • grokster\my grokster
  • icq\shared folder
  • kazaa lite k++\my shared folder
  • kazaa lite\my shared folder
  • kazaa\my shared folder
  • limewire\shared
  • morpheus\my shared folder
  • My Documents\FrostWire\Shared
  • tesla\files
  • winmx\shared

Payload

Contacts a remote server

This worm tries to contact a remote command and control (C&C) server to download configuration files and updates. In the wild, we have observed it trying to connect to the following servers:

  • copertps.com
  • etpsoprc.ru
  • specrtop.org
  • 195.190.13.158


At the time of analysis, these remote servers were inaccessible.

Worm:JS/Proslikefan.gen!D gathers information about your computer, such as what version of Windows it is running and what type of processor it has, and sends the information back to a remote server. It then waits for further instructions.

Blocks security software

This threat prevents the following antimalware software from running:

  • Alwil Software
  • AVAST Software
  • AVG
  • Avira
  • ESET
  • F-Secure
  • Kaspersky Lab
  • Malwarebytes' Anti-Malware
  • McAfee
  • Microsoft Security Client
  • Microsoft Security Essentials
  • Panda Security
  • Spyware Doctor
  • Symantec
  • Trend Micro


Lowers computer security

Worm:JS/Proslikefan.gen!D changes your computer's security settings by turning off notifications for your antimalware software and firewall. It also changes your automatic update settings.

It does this by making the following registry entries:

In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "AntiVirusDisableNotify"
With data: "1"

In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "FirewallDisableNotify"
With data: "1"

In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "UpdatesDisableNotify"
With data: "1"

In subkey: HKLM\Software\Microsoft\Security Center
Sets value: "AntiVirusOverride"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
Sets value: "FirewallOverride"
With data: "1"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoWindowsUpdate"
With data: "1"

In subkey: HKLM\SOFTWARE\Policies\Microsoft\MRT
Sets value: "DontReportInfectionInformation"
With data: "1"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

It turns off System Restore by making the following registry entries:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: "DisableConfig"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "SystemRestoreDisableSR"
With data: "1"

It disables Task Manager and Registry Editor by making the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Sets value: "DisableTaskMgr"
With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Sets value: "DisableRegistryTools"
With data: "1"

It disables the Windows Security Center service by making the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Sets value: "Start"
With data: "4"

Changes computer settings

The worm changes the way Windows Explorer shows hidden files by making the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"

It hides file extensions when you view files using Windows Explorer by making the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"

The worm stops you from changing the Internet Explorer start page by making the following registry entry:

In subkey: HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Sets value: "HomePage"
With data: "1"

It analyzes the file "autoexec.bat" and modifies the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "ParseAutoexec"
With data: "0"
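As an added defender-side example (not part of the Microsoft write-up), the following Python checks a registry snapshot for the settings listed above and for a Run-key entry of the shape described under Installation. It works on an exported snapshot (a dict of subkey to values) so it runs anywhere; populating that snapshot from a live Windows host with the winreg module is assumed and not shown.

```python
import re

# Registry settings the write-up attributes to Worm:JS/Proslikefan.gen!D, as
# (subkey, value name, data). Hidden=2 and HideFileExt=1 are also Windows
# defaults, so they are weak signals alone; the others are not defaults.
PROSLIKEFAN_REG_INDICATORS = [
    (r"HKLM\Software\Microsoft\Security Center", "AntiVirusDisableNotify", "1"),
    (r"HKLM\Software\Microsoft\Security Center", "FirewallDisableNotify", "1"),
    (r"HKLM\Software\Microsoft\Security Center", "UpdatesDisableNotify", "1"),
    (r"HKLM\Software\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallOverride", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoWindowsUpdate", "1"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\MRT", "DontReportInfectionInformation", "1"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "EnableFirewall", "0"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "SystemRestoreDisableSR", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies", "DisableTaskMgr", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies", "DisableRegistryTools", "1"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", "4"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "2"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "1"),
    (r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage", "1"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "ParseAutoexec", "0"),
]

# Run-key data shape from the write-up: %APPDATA%\<random>\<random>.js. Assumption:
# an expanded ...\AppData\Roaming\ path is treated as the same shape.
RUN_JS_PATTERN = re.compile(
    r"^(?:%APPDATA%|.*\\AppData\\Roaming)\\[0-9a-z]+\\[0-9a-z]+\.js$", re.IGNORECASE)

def check_registry_snapshot(snapshot):
    """snapshot maps 'HIVE\\subkey' -> {value name: data}. Returns the documented
    indicators present, matching paths/names case-insensitively, data as string."""
    norm = {k.lower(): {n.lower(): str(d) for n, d in v.items()} for k, v in snapshot.items()}
    return [(sk, n, d) for sk, n, d in PROSLIKEFAN_REG_INDICATORS
            if norm.get(sk.lower(), {}).get(n.lower()) == d]

def suspicious_run_entries(run_values):
    """Return Run-key entries whose data matches the worm's .js dropper path."""
    return [(n, d) for n, d in run_values.items() if RUN_JS_PATTERN.match(str(d))]

# Constructed sample input (not from a real host): three documented settings set,
# one not, plus a Run key with one benign entry and one matching the worm's shape.
SAMPLE_SNAPSHOT = {
    r"HKLM\Software\Microsoft\Security Center": {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 0},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc": {"Start": 4},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies": {"DisableTaskMgr": 1},
}
SAMPLE_RUN = {"SomeApp": r"C:\Program Files\SomeApp\app.exe", "669e": r"%APPDATA%\7088\669e.js"}
```

Running check_registry_snapshot(SAMPLE_SNAPSHOT) reports the three set values and ignores FirewallDisableNotify=0; suspicious_run_entries(SAMPLE_RUN) flags only the "669e" entry.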

The worm stops running if it detects that your computer is running under a sandbox or virtual machine, but it remains on your computer.



Analysis by Wei Li

Last update 18 June 2013
