Win32.Prestige.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases :
Win32.Prestige.A@mm is also known as W32/Duksten.h@MM (McAfee).
Explanation :
This mass-mailing worm was written in assembly language. It arrives attached to an email message that looks like this :
From: "Fotos_PresTiGe" <freeserver@nautilus.org>
Subject: fotos INEDITAS del PRESTIGE en el fondo del Atlantico! (Spanish: "unpublished photos of the PRESTIGE on the bottom of the Atlantic!")
Attachment: Prestig.zip
When the worm receives control (that is, when the user runs the attachment), it displays a fake "error" message to the user.
In fact, it copies the original regedit.exe to m_regedit.exe and then copies itself over regedit.exe, even taking the ICON resource from the original regedit.exe so that the replacement looks like the real Registry Editor. The worm then copies itself to the Windows System directory as "prestige.exe" and registers itself to be loaded on every system startup. A file named m_regedit.exe next to regedit.exe, or prestige.exe in the System directory, is therefore a file-system indicator of this infection.
The worm opens the Internet Account Manager registry key and reads from it the mail account settings of the current user. Using these settings and its own SMTP engine, the worm compresses itself into a ZIP file, BASE64-encodes that file as a mail attachment and sends it to the recipients stored in the user's address book.
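The mail format described above, rebuilt and scanned as an added example (this is not BitDefender's text or the worm's code). It assumes what the entry states: a ZIP attachment named Prestig.zip carrying an executable, sent BASE64-encoded from the named sender with the named subject. The zipped payload is a constructed MZ stub, and the executable-extension list is an assumption.

```python
"""Added example: rebuild the mail shape the entry describes and run a
small detector over it. Sample messages are constructed here; the zipped
payload is an MZ stub, not malware.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators copied from the entry.
IOC_FROM = "freeserver@nautilus.org"
IOC_SUBJECT = "fotos INEDITAS del PRESTIGE en el fondo del Atlantico!"
IOC_ATTACHMENT = "prestig.zip"
# Extensions treated as executable inside the ZIP (assumed list).
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")


def build_zip(inner_name: str, payload: bytes) -> bytes:
    """Zip one file in memory, as the worm does with its own image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def build_worm_like_mail(to_addr: str) -> bytes:
    """Constructed message with the entry's From/Subject/attachment name.

    add_attachment() base64-encodes binary parts, which is the transfer
    encoding the entry attributes to the worm's SMTP engine.
    """
    msg = EmailMessage()
    msg["From"] = f'"Fotos_PresTiGe" <{IOC_FROM}>'
    msg["To"] = to_addr
    msg["Subject"] = IOC_SUBJECT
    msg.set_content("fotos adjuntas")
    stub = b"MZ" + b"\x00" * 62  # constructed placeholder, not real code
    msg.add_attachment(build_zip("Prestig.exe", stub),
                       maintype="application", subtype="zip",
                       filename="Prestig.zip")
    return msg.as_bytes()


def build_benign_mail(to_addr: str) -> bytes:
    """Constructed control message: a ZIP holding only a text file."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = to_addr
    msg["Subject"] = "minutes"
    msg.set_content("attached")
    msg.add_attachment(build_zip("minutes.txt", b"nothing to see"),
                       maintype="application", subtype="zip",
                       filename="minutes.zip")
    return msg.as_bytes()


def scan_mail(raw: bytes) -> dict:
    """Flag header IOCs and ZIP attachments that contain an executable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {"header_match": False, "zip_with_executable": [], "cte": []}
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    if IOC_FROM in sender or subject == IOC_SUBJECT:
        findings["header_match"] = True
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        findings["cte"].append(
            str(part.get("Content-Transfer-Encoding", "")).lower())
        data = part.get_payload(decode=True) or b""  # undoes the BASE64
        # Look inside any ZIP (by name or PK magic), not only Prestig.zip.
        if name == IOC_ATTACHMENT or data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    findings["zip_with_executable"] += [
                        n for n in zf.namelist()
                        if n.lower().endswith(EXEC_SUFFIXES)]
            except zipfile.BadZipFile:
                pass  # malformed archive: leave to a deeper scanner
    return findings


if __name__ == "__main__":
    print(scan_mail(build_worm_like_mail("victim@example.com")))
    print(scan_mail(build_benign_mail("victim@example.com")))
```

The detector deliberately opens every ZIP attachment rather than matching only the Prestig.zip name, because the header indicators are trivial for a variant to change while "ZIP containing an executable, base64-encoded" is the structural pattern the entry describes.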
The worm uses anti-debugging code (the IsDebuggerPresent API) and, if it finds itself under a debugger, exits without sending any mail. Since IsDebuggerPresent only reads the BeingDebugged flag in the process's PEB, an analyst who clears that flag or hooks the call can still step through the mailing routine in a debugger.
The worm contains the following text strings :
PresTiGe bY XRF GrP,Diciembre2002 XRF code HiStorY 1990-2002 (Virus FaseII Virus3 TestIV TheHanGeD AuTumM92 ScaNner _1993_ ScaMer ScaMNer ModUlaR VRandom VRamExE VRaPExE W32_1st GxSMTP Anti29A ReWind HooKeY VHooKeY XPector UXPector WKaPExE dfendEr & WKaPCOM )
Last update 21 November 2011