Worm.P2P.Palevo.DP
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Worm.P2P.Palevo.DP is also known as Backdoor.Win32.IRCBot.oyd, Worm:Win32/Pushbot.RK, P2P-Worm:W32/Palevo.CF.
Explanation:
Worm.P2P.Palevo.DP spreads via automated IM spam. The message tricks users into saving what appears to be a .JPG file but is in fact an executable carrying the malicious payload, Worm.P2P.Palevo.DP. When the user opens the file, the malicious code runs.
The worm creates four hidden files:
[FilePath]infocard.exe
[FilePath]mds.sys
[FilePath]mdt.sys
[FilePath]winbrd.jpg
where [FilePath] is one of %Windir%, %Public% or %ProgramFiles%, depending on which of those folders the worm is able to write to.
It then adds a value named "Firewall Administrating" to the following Run keys so that these files start with the system, in order to bypass the OS's firewall:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Firewall Administrating = "[FilePath]infocard.exe"]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run [Firewall Administrating = "[FilePath]infocard.exe"]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run [Firewall Administrating = "[FilePath]infocard.exe"]
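A host triage check for the persistence values and dropped files described above, added here as an example and not part of BitDefender's write-up; it assumes the three Run keys and the three candidate folders listed above, resolved through the host's environment variables, and should be run from an elevated PowerShell prompt.

```powershell
# Added example: look for the Run-key value and the four dropped files
# attributed to Worm.P2P.Palevo.DP. Reports findings; it does not remove anything.
$valueName = 'Firewall Administrating'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$droppedNames  = 'infocard.exe', 'mds.sys', 'mdt.sys', 'winbrd.jpg'
# [FilePath] candidates from the write-up: %Windir%, %Public%, %ProgramFiles%
$candidateDirs = @($env:WINDIR, $env:PUBLIC, $env:ProgramFiles) | Where-Object { $_ }

$findings = @()

# 1. Registry persistence: a value named "Firewall Administrating" in any Run key
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += [pscustomobject]@{
            Type     = 'RunKeyValue'
            Location = $key
            Detail   = "$valueName = $($props.$valueName)"
        }
    }
}

# 2. Dropped files: check each candidate folder, including hidden files (-Force)
foreach ($dir in $candidateDirs) {
    foreach ($name in $droppedNames) {
        $path = Join-Path -Path $dir -ChildPath $name
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -ne $file) {
            $hidden = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $findings += [pscustomobject]@{
                Type     = 'DroppedFile'
                Location = $file.FullName
                Detail   = "Hidden=$hidden; Size=$($file.Length)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Worm.P2P.Palevo.DP indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run-key value alone is a strong signal even if the files have been moved, since the value name is specific to this worm.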
The worm establishes a connection to an IRC server at "dbs[removed]s.com" or "e2[removed]o.com" on port 2345 and waits for commands. It responds to the following commands:
- "r.gf" - starts a thread that downloads a file and executes it.
- "r.gfstop" - stops the download-and-execute thread.
- "yah.msg" - sends Yahoo IM messages containing an infected link.
- "msn.msg" - sends both Yahoo and MSN IM messages containing an infected link, for example ".msn.msg foto :D http://[removed]image.php?= ". The infected links point to multiple domains hosting the worm.
- "msn.stop" - stops the running message-sending thread.
Last update: 21 November 2011