Win32.Worm.Prolaco.S


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.Prolaco.S.

Explanation:

Worm.Prolaco wraps its code in multiple layers of encryption and packing, and consists of two components.

First component:

It spreads in two ways:
1. Via e-mail, disguised as a greeting card. The e-mail carries a zip attachment containing an executable that impersonates a .doc, .chm, .pdf, .jpg or .htm file (for example "card.pdf .exe", "document.chm exe"). The .exe extension is easy to miss, especially when extensions for known file types are hidden.
2. Via USB or other removable drives (it creates an autorun.inf file that launches an executable, currently identified as redmond.exe, although the name may vary in newer versions).
Once the file contained in the zip is opened, the malicious payload executes.
To guess the mail server responsible for a target domain, the worm prepends the following strings to the domain when looking for the MX record: smtp.%s, mxs.%s, mx.%s, mx1.%s, ns.%s, mail1.%s, mail.%s, relay.%s, gate.%s.

The worm creates a hidden copy of itself in the system folder. Possible names for this copy:

[system folder]\wmimngr.exe;
[system folder]\jusched.exe;
[system folder]\wfmngr.exe.

The malware also creates multiple copies of itself in locations used for file sharing, where it poses as cracks or keygens for various programs. Examples:
Microsoft Office 2007 Home and Student keygen.exe
Total Commander7 license+keygen.exe
LimeWire Pro v4.18.3.exe
Download Accelerator Plus v8.7.5.exe
Opera 9.62 International.exe
Internet Download Manager V5.exe
Myspace theme collection.exe

It drops the second component in the system folder. Possible names for this component are:
[system folder]\wpmgr.exe;
[system folder]\java01.exe;
[system folder]\wupmgr.exe.

It makes the following changes to the Windows Registry:

- to run its copy from the system folder at startup
subkey -> HKCU\Software\Microsoft\Windows\CurrentVersion\Run
value -> SunJavaUpdateSched01
data -> <%system folder%>\copy_name

- to disable the prompts shown when programs try to install software or make changes to the computer (User Account Control)
subkey -> SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
value -> EnableLUA
data -> 0

- to disable the Windows Security Center notification that User Account Control is disabled
subkey -> SOFTWARE\Microsoft\Security Center
value -> UACDisableNotify
data -> 1

- to add the copy from the system folder to the firewall's list of authorized applications
subkey -> HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
value -> <%system folder%>\copy_name
data -> <%system folder%>\copy_name:*:Enabled:Explorer\x00
[copy_name is the hidden replica in the system folder]

Second component:

The second component has two behaviours: it acts as a keylogger, recording all keystrokes to a file called lsm.dll in the Windows folder, and as a backdoor.
It injects its malicious code into the iexplore.exe process without saving it to disk.
It creates a hidden copy of itself as <%windows folder%>\vscpapisvr.exe.
It tries to connect to ci[removed]hop.net and receives various commands from that host:
- to modify the registry;
- to start or kill processes;
- to modify graphics settings (resolution, refresh frequency);
- to access drives;
- to scan ports;
- to download files and execute them from memory;
- to terminate antivirus processes (Avast, AVG, BitDefender, Kaspersky, Nod32, Norman, Panda etc.);
- to steal passwords:
  - Firefox passwords, read from signons2.txt or signons3.txt;
  - Internet Explorer passwords;
  - IM account passwords: Yahoo, MSN, Miranda, Gadu-Gadu, Pidgin (by reading purple\accounts.xml), Trillian;
- to steal cookies;
- to connect to FTP servers;
- to upload files to FTP servers;
- to change service settings (disable, enable etc.);
- to monitor the USB ports in order to spread.

It creates a local server listening on port 3360.
It creates a mutex, "Mutant\BaseNamedObjects\206I435T" in this case.
It changes the Registry:
- to run its copy when Windows starts
subkey -> HKCU\Software\Microsoft\Windows\CurrentVersion\Run
value -> Java micro kernel
data -> <%windows folder%>\vscpapisvr.exe
- to run its copy at user logon
subkey -> HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
value -> Java micro kernel
data -> <%windows folder%>\vscpapisvr.exe
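As an added example (not part of the BitDefender write-up), the following Python parses a constructed `reg export`-style dump and flags the registry changes listed above for both components: the autostart values, the two UAC settings and the firewall exception for the system-folder copy. The sample paths, the `system32` location of the system folder and the benign Java updater entry are assumptions used to illustrate why the path, not just the file name, should be matched.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample in `reg export` format (not from a real host); paths are assumed.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched01"="C:\\Windows\\system32\\jusched.exe"
"Java micro kernel"="C:\\Windows\\vscpapisvr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\system32\\jusched.exe"="C:\\Windows\\system32\\jusched.exe:*:Enabled:Explorer"
"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"="C:\\Program Files\\Java\\jre6\\bin\\jusched.exe:*:Enabled:Java Update"
"""
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data lines of a .reg file

def unescape(s):  # .reg files escape backslashes and quotes inside strings
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    # Return (key, value_name, data) triples; dword data as int, strings unescaped.
    key, entries = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := VALUE_RE.match(line)) and key:
            name, data = unescape(m.group(1)), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            entries.append((key, name, data))
    return entries

RUN_VALUES = {"sunjavaupdatesched01", "java micro kernel"}  # autostart value names from the advisory
COPY_NAMES = {"wmimngr.exe", "jusched.exe", "wfmngr.exe"}   # first-component copy names from the advisory

def prolaco_indicators(entries):
    # Flag the registry changes the advisory attributes to Prolaco.S.
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if k.endswith((r"\currentversion\run", r"\policies\explorer\run")) and n in RUN_VALUES:
            findings.append(f"autostart {name!r} -> {data}")
        elif k.endswith(r"\policies\system") and n == "enablelua" and data == 0:
            findings.append("UAC disabled (EnableLUA=0)")
        elif k.endswith(r"\security center") and n == "uacdisablenotify" and data == 1:
            findings.append("Security Center UAC warning suppressed (UACDisableNotify=1)")
        elif k.endswith(r"\authorizedapplications\list"):
            # Match the system-folder path, not only the file name: jusched.exe is also the
            # legitimate Java updater under Program Files, which must not be flagged.
            p = PureWindowsPath(name)
            in_sysdir = "system32" in [part.lower() for part in p.parts]
            if p.name.lower() in COPY_NAMES and in_sysdir and str(data).lower().endswith(":*:enabled:explorer"):
                findings.append(f"firewall exception for {name}")
    return findings
```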

This second component is a custom-generated file:
- it contains a resource named 'CFG' in which the per-build settings are stored:
  - mutex name
  - address to connect to (ci[removed]hop.net in this case)
  - value name used in the Registry (Java micro kernel in this case)
  - log file name (lsm.dll in this case)
- because it is injected directly into the memory space of iexplore.exe, only that resource needs to change between builds, not the code, and the injected code can easily bypass the firewall.

Last update 21 November 2011
