
Worm.P2P.Palevo.FP


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Worm.P2P.Palevo.FP is also known as Worm.Win32.Pushbot, W32.Yimfoca.

Explanation:

The Trojan spreads by spamming instant messages to contacts.

The malicious application copies itself into the operating system's folder under the name "jusched.exe", a filename that resembles a legitimate Java program file. To start itself each time the operating system boots, it adds the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : "Java developer Script Browse" with the value "%Windir%\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run : "Java developer Script Browse" with the value "%Windir%\jusched.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : "Java developer Script Browse" with the value "%Windir%\jusched.exe"

It adds itself as an authorized application for the system's firewall by adding a value under the following key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

It stops the Windows Automatic Updates service, preventing the user from receiving updates, including the ones that keep the system secure. It also tries to stop msmpsvc.exe, which belongs to the Microsoft Malware Protection Service.
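The persistence, firewall and service-tampering indicators listed above can be checked on a suspect host with a short triage script. The following PowerShell is an added example for defenders, not BitDefender's own tooling; it assumes the standard service names wuauserv (Automatic Updates) and MsMpSvc (Microsoft Malware Protection Service), and it reports findings rather than removing anything. Run it from an elevated prompt.

```powershell
# Added triage script for the Worm.P2P.Palevo.FP indicators described on this page.
# Not BitDefender's code. Reports indicators only; it does not remove anything.

$valueName = 'Java developer Script Browse'   # Run value name used by the worm (from the description)
$dropName  = 'jusched.exe'                     # dropped filename (from the description)
$findings  = @()

# 1. Run-key persistence: the three locations named in the description.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        $findings += [pscustomobject]@{
            Indicator = 'Run value'
            Location  = $key
            Detail    = "$valueName = $($props.$valueName)"
        }
    }
}

# 2. Dropped file in the Windows directory. The legitimate Java updater of the
#    same name lives under the Java install directory, not under %Windir%.
$dropPath = Join-Path $env:WINDIR $dropName
if (Test-Path $dropPath) {
    $fi = Get-Item $dropPath
    $findings += [pscustomobject]@{
        Indicator = 'Dropped file'
        Location  = $dropPath
        Detail    = "size=$($fi.Length) bytes, modified=$($fi.LastWriteTime)"
    }
}

# 3. Firewall exception: an AuthorizedApplications entry whose name points at
#    the dropped file. This key exists on the XP/2003-era firewall; on newer
#    Windows the key is simply absent and this check is skipped.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    (Get-ItemProperty -Path $fwKey).PSObject.Properties |
        Where-Object { $_.Name -like "*$dropName*" } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'Firewall exception'
                Location  = $fwKey
                Detail    = "$($_.Name) = $($_.Value)"
            }
        }
}

# 4. Service tampering: the worm stops Automatic Updates and tries to stop the
#    Malware Protection Service. Service names below are assumed standard names.
foreach ($svcName in @('wuauserv', 'MsMpSvc')) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings += [pscustomobject]@{
            Indicator = 'Service not running'
            Location  = $svcName
            Detail    = "status=$($svc.Status), startType=$($svc.StartType)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Palevo.FP indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A stopped Automatic Updates service on its own is not proof of infection (it is commonly disabled by policy), so treat that line as corroborating evidence and weight the Run value and the %Windir% copy of jusched.exe as the primary indicators.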

It has the ability to send messages to contacts on the following instant messaging applications: Skype, Yahoo Messenger, AIM (AOL Instant Messenger).

Last update 21 November 2011
