Home / malware

PDF

Worm.P2P.Palevo.BS

First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Worm.P2P.Palevo.BS.

Explanation :

This is another worm from the Palevo familiy. It shares most of the capabilities with the rest of its kind. When executed, it will first inject it's decrypted body inside Explorer.exe; the original process will end, and further malicious actions will be executed inside explorer. The worm will create a named mutex, called aljsughu55, to avoid running multiple instances. A named pipe will also be created: iuuualj55. It will then create a randomly-named folder inside Recycler, eg: S-1-5-21-0839346990-6652710400-120536083-0614. Here it will create 2 files: desktop.ini, containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
and a application: nissan.exe, which is actually a copy of the worm. When the newly created folder will be opened, the content of the Recycle Bin will be displayed instead.
o Ability to spread via different P2P clients: Ares, BearShare, Kazaa, DC++, eMule, LimeWire
o Ability to spread via infected USB drives; when an USB drive is plugged into an infected computer, the worm will create an autorun.inf file pointing to a copy of the worm, located inside TWINSurebaruta.exe on the affected drive
o Backdoor ability - it will connect to various addresses belonging to Mariposa botnet, and it will wait for further instructions, like stealing Firefox passwords or initiating a TCP/UDP SYN flood attack.
o In order to be executed during startup, the following registry key will be added:
HKEY_LOCAL_MACHINEMicrosoftWindows NTCurrentVersionWinlogonTaskman, pointing to the infected file inside RecyclerS-1-5-21-0839346990-6652710400-120536083-0614
issan.exe

Last update 21 November 2011

 

TOP