Worm.P2P.Palevo.J
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Worm.P2P.Palevo.J is also known as Rimecud, Boaxxe.
Explanation:
This is a variant of the Butterfly bot kit, which used to be sold at bfse[removed].net.
Spreading
It has three propagation vectors: MSN messages, USB drives and P2P shares.
If an external drive X: is detected on the system, the file X:\autorun.inf is created, pointing to a copy of the malware at X:\folder.tmp\tmp.exe. When the disk is inserted into another computer the worm is executed automatically.
Another spreading mechanism is through P2P shares (Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+, LimeWire are supported).
Obfuscation
The malware breaks AV emulation with a series of obscure CPU instructions and then proceeds to decrypt its code on the stack. To complicate analysis, it refuses to run if a debugger, a virtual machine or Sandboxie is detected.
Backdoor capabilities
Palevo.J connects to the Mariposa botnet at one of the following addresses and waits for instructions:
butterfly.BigM[removed].biz:5907
butterfly.si[removed].es:5907
qwertasdfg.si[removed].es:5907
It has the capability to steal Firefox/IE passwords and to generate UDP/TCP SYN floods for denial-of-service attacks.
Behavior
1. Copies itself to "X:\RECYCLER\$RecyclerDir\sysdate.exe", where X: is the drive of the Windows installation and $RecyclerDir is a random name such as S-1-5-21-3195918175-0516443723-305921711-2405.
2. Creates "X:\RECYCLER\$RecyclerDir\Desktop.ini" with the contents
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
so that Explorer opens the folder $RecyclerDir, which contains the malware, as the Recycle Bin. The malware executable (sysdate.exe) does not show up in the Recycle Bin view.
3. Sets "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman" to "X:\RECYCLER\$RecyclerDir\sysdate.exe" and sets "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" to
explorer.exe, "X:\RECYCLER\$RecyclerDir\sysdate.exe"
in order to run the malware at system boot.
4. Injects itself into explorer.exe and into the process with the smallest PID (System). Creates the mutex i4__s__frgk665fx to ensure that the injected code doesn't run in multiple instances.
Last update 21 November 2011
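As an added defender-side example (not part of BitDefender's description), the following Python checks exported Winlogon Shell/Taskman values and a RECYCLER folder listing for the persistence pattern in steps 1 to 3 above. The sample values are constructed from the paths on this page, with C: standing in for the X: Windows drive.

```python
import re

# Recycle Bin shell folder CLSID, as used in the worm's Desktop.ini
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# Matches an .exe staged under a SID-named folder below RECYCLER (case-insensitive)
RECYCLER_EXE = re.compile(r"\\RECYCLER\\S-1-5-21-[\d-]+\\[^\\]+\.exe$", re.I)

# Constructed sample values modelled on the description (C: stands in for X:)
SAMPLE_DIR = r"C:\RECYCLER\S-1-5-21-3195918175-0516443723-305921711-2405"
SAMPLE_SHELL = 'explorer.exe, "' + SAMPLE_DIR + r'\sysdate.exe"'
SAMPLE_TASKMAN = SAMPLE_DIR + r"\sysdate.exe"
SAMPLE_INI = "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n"


def parse_shell_value(value):
    """Split Winlogon\\Shell (comma-separated programs run at logon) into entries."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_winlogon(shell_value, taskman_value=None):
    """Return findings for a Winlogon Shell/Taskman pair; a clean host yields []."""
    findings = []
    # A clean Shell value is just explorer.exe; anything appended is a persistence entry
    extras = [e for e in parse_shell_value(shell_value) if e.lower() != "explorer.exe"]
    for entry in extras:
        findings.append("Winlogon\\Shell launches extra program: " + entry)
    # Taskman is normally absent; it names the program Winlogon starts as the task manager
    if taskman_value:
        findings.append("Winlogon\\Taskman is set: " + taskman_value)
    for path in extras + ([taskman_value] if taskman_value else []):
        if RECYCLER_EXE.search(path):
            findings.append("executable staged in a RECYCLER SID folder: " + path)
    return findings


def recycler_masquerade(desktop_ini_text, folder_listing):
    """Return .exe names in a folder that Desktop.ini makes Explorer show as the Recycle Bin."""
    # The CLSID alone is normal for the real recycler directory; an executable beside it is not
    if RECYCLE_BIN_CLSID.lower() not in desktop_ini_text.lower():
        return []
    return [name for name in folder_listing if name.lower().endswith(".exe")]


if __name__ == "__main__":
    for line in check_winlogon(SAMPLE_SHELL, SAMPLE_TASKMAN):
        print(line)
    print(recycler_masquerade(SAMPLE_INI, ["Desktop.ini", "sysdate.exe"]))
```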