Worm:Win32/Prolaco.K
First posted on 08 March 2010.
Source: SecurityHome
Aliases:
Worm:Win32/Prolaco.K is also known as Win32/Merond.O (ESET), Worm.Prolaco.AS (VirusBuster).
Explanation:
Worm:Win32/Prolaco.K is a worm that attempts to spread via e-mail. It may arrive as an e-mail disguised as an electronic card (e-card). This worm lowers computer security settings and may install other malware such as Trojan:Win32/Dursg.C.
Installation
This worm may arrive on the affected system via a spoofed e-mail having a file attachment named "postcard.zip" or similar. The received e-mail message may be in the following or similar format:
From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: postcard.zip
Within the archive is an executable disguised as a data file, for example "document.doc" with a ".exe" file extension. In the wild, we have observed the worm to use the following extensions to mask itself:
.doc
.htm
.chm
.txt
.jpg
Upon execution, Worm:Win32/Prolaco.K drops a copy of the worm as the following:
<system folder>\javant.exe
The registry is modified to run the worm copy at each Windows start.
Adds value: "SunJavaUpdate01"
With data: "<system folder>\javant.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Spreads via… E-mail
Win32/Prolaco.K gathers e-mail addresses to send itself to from files on the affected machine with the following extensions:
.doc
.htm
.chm
.txt
The worm then performs mail exchanger (MX) queries for the domain names in the gathered e-mail addresses to guess the associated mail server. Win32/Prolaco.K may use the following host-name patterns to guess the MX record, where %s stands for the domain name:
mx.%s
mail.%s
smtp.%s
mx1.%s
mxs.%s
mail1.%s
relay.%s
ns.%s
gate.%s
E-mail messages are generated by the worm and sent to the collected e-mail addresses. Messages may be in the following or similar format:
From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: postcard.zip
(Note: The message body is in HTML format. The background content - images, references, and so on - are rendered from the official Hallmark website.)
Payload
Lowers Security Settings
Win32/Prolaco.K makes the following changes to an infected system, which result in lowered security settings:
Adds the worm as an authorized application in the Windows firewall policy by modifying the registry:
Sets value: "<system folder>\javant.exe"
With data: "<system folder>\javant.exe:*:enabled:explorer"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Disables Windows Security Center notifications if User Account Control is disabled:
Sets value: "UACDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Modifies User Account Control policy to disable the "administrator in Admin Approval Mode" user type:
Sets value: "EnableLUA"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Installs other malware
Win32/Prolaco.K installs Trojan:Win32/Dursg.C as a file named "lsass.exe" or "jlite.exe". Trojan:Win32/Dursg.C is a trojan that installs components that redirect Web searches when a user enters certain key words as a search query in specific search Web sites.
Additional Information
Win32/Prolaco.K connects to the Web site "whatismyip.com" to retrieve the IP address of the infected machine.
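As an added defender-side check, not part of the original description, the following PowerShell script reads the registry values and dropped-file path listed in this entry and reports any that match the described state. It assumes a Windows host and an elevated session; the function name and output format are this example's own.

```powershell
# Added example (not from the original description): read-only check for the
# registry and file artifacts listed above. Assumes a Windows host and an
# elevated PowerShell session so that HKLM can be read.

$SystemFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$WormPath     = Join-Path $SystemFolder 'javant.exe'

# One entry per artifact: where to look, which value, and what data is suspicious.
$Checks = @(
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'SunJavaUpdate01'
       Test = { param($v) $v -like '*javant.exe*' }
       Why  = 'Run-key persistence for javant.exe' },
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
       Name = $WormPath
       Test = { param($v) $v -like '*:enabled:*' }
       Why  = 'javant.exe authorized in Windows Firewall' },
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'UACDisableNotify'
       Test = { param($v) [int]$v -eq 1 }
       Why  = 'Security Center UAC notifications disabled' },
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA'
       Test = { param($v) [int]$v -eq 0 }
       Why  = 'UAC (Admin Approval Mode) disabled' }
)

function Test-ProlacoArtifacts {
    $findings = @(foreach ($c in $Checks) {
        # A missing key or value is a clean result, not an error.
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = $item.($c.Name)
        if (& $c.Test $data) {
            [pscustomobject]@{ Indicator = $c.Why; Key = $c.Key; Value = $c.Name; Data = $data }
        }
    })
    if (Test-Path -LiteralPath $WormPath) {
        $findings += [pscustomobject]@{ Indicator = 'Dropped copy present'; Key = ''; Value = ''; Data = $WormPath }
    }
    return $findings
}

Test-ProlacoArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found; a hit on UACDisableNotify or EnableLUA alone is worth confirming against local policy, since those values can also be set by administrators.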
Analysis by Wei Li
Last update 08 March 2010