Worm:Win32/Perlovga.A
First posted on 07 May 2019.
Source: Microsoft
Aliases:
Worm:Win32/Perlovga.A is also known as Worm.Win32.Perlovga.a, W32/Perlovga, TROJ_PERLOVGA.A.
Explanation:
Worm:Win32/Perlovga is a worm that spreads via logical and removable drives using the following package of three files:
- host.exe (detected as Worm:Win32/Perlovga.dr)
- copy.exe (detected as Worm:Win32/Perlovga.A)
- autorun.inf
Note: These files are usually located in the system root folder (e.g. C:\), and may be installed by a self-extracting archive or dropped by other malware.

Installation
When executed, Worm:Win32/Perlovga.A (copy.exe) creates copies of its files in the Windows directory as follows:
- copy.exe is copied to %windir%\xcopy.exe
- host.exe is copied to %windir%\svchost.exe
- autorun.inf is copied to %windir%\autorun.inf
Worm:Win32/Perlovga.A (copy.exe) then launches Worm:Win32/Perlovga.dr (%windir%\svchost.exe) and exits. Worm:Win32/Perlovga.dr drops and executes the following two files:
- temp1.exe (detected as Worm:Win32/Perlovga.B) - used to copy the worm files to all accessible drives
- temp2.exe (detected as Backdoor:Win32/Small.PV) - a backdoor Trojan
When executed, Worm:Win32/Perlovga.B (temp1.exe) first modifies the registry to ensure that the dropper component, Worm:Win32/Perlovga.dr (%windir%\svchost.exe), is executed at each Windows start:
Adds value: "load"
With data: "%windir%\svchost.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Spreads Via…
Logical and Removable Drives
In order to spread, the worm uses the Worm:Win32/Perlovga.B component to copy its package of files to the root of all located drives (apart from optical devices). The worm copies the following files at approximately 10 second intervals:
- Copies %windir%\xcopy.exe to [drive letter]:\copy.exe
- Copies %windir%\svchost.exe to [drive letter]:\host.exe
- Copies %windir%\autorun.inf to [drive letter]:\autorun.inf
The autorun.inf file contains execution instructions for the operating system to launch 'copy.exe'.

Payload
Backdoor Functionality
The dropped file temp2.exe (detected as Backdoor:Win32/Small.PV) is a backdoor Trojan that initiates a remote connection and allows unauthorized access and control of the compromised machine.

Additional Information
The component detected as Worm:Win32/Perlovga.B (temp1.exe) creates the mutex "OnlyOne" to ensure that multiple copies of the file do not run simultaneously.

Last update 07 May 2019
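The installation, persistence and spreading sections above give a responder three concrete things to look for: an autorun.inf whose launch keys point at copy.exe, a non-empty "load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows that names %windir%\svchost.exe, and the worm's copies of xcopy.exe, svchost.exe and autorun.inf sitting directly under %windir%. The Python below is an added triage example written for this page; it is not Microsoft's code and not part of the original write-up. It works offline on data a responder has already collected (the text of an autorun.inf, a dump of the registry subkey's values, and directory listings), so the inputs shown are constructed samples. It assumes, as is standard on Windows, that the genuine svchost.exe and xcopy.exe live under %windir%\System32 rather than in %windir% itself, and that the "load" value is empty on a clean system.

```python
"""Offline triage helpers for the Worm:Win32/Perlovga.A indicators listed above.

Added example (not Microsoft's code). Inputs are data collected beforehand:
autorun.inf text, a {value name: data} snapshot of the HKCU
...\Windows NT\CurrentVersion\Windows subkey, and file-name listings.
"""
import re

# Indicator set taken from the write-up. Real svchost.exe and xcopy.exe live in
# %windir%\System32 (assumption stated in the lead-in), so copies directly
# under %windir% are suspect.
WORM_PACKAGE = {"copy.exe", "host.exe", "autorun.inf"}
WINDIR_DROPS = {"xcopy.exe", "svchost.exe", "autorun.inf"}
PERSIST_SUBKEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
PERSIST_VALUE = "load"


def parse_autorun_inf(text):
    """Parse autorun.inf into {section: {key: value}} with lower-cased names.

    Hand-rolled rather than configparser so that duplicate or oddly cased
    keys, common in worm-written autorun.inf files, do not raise errors.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launches(text, exe_name="copy.exe"):
    """True if [autorun] would launch exe_name via open, shellexecute or shell\\...\\command."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    launch_keys = [k for k in autorun if k in ("open", "shellexecute") or k.startswith("shell\\")]
    # Boundaries stop "copy.exe" from matching inside "xcopy.exe".
    pattern = re.compile(r"(?<![\w.])" + re.escape(exe_name) + r"(?![\w.])", re.IGNORECASE)
    return any(pattern.search(autorun[k]) for k in launch_keys)


def registry_persistence_hit(values):
    """values: snapshot of PERSIST_SUBKEY value names -> data.

    A clean system leaves 'load' empty; Perlovga points it at %windir%\\svchost.exe,
    i.e. an svchost.exe that is NOT under System32.
    """
    data = {k.lower(): v for k, v in values.items()}.get(PERSIST_VALUE, "")
    lowered = data.lower().rstrip()
    return bool(lowered) and lowered.endswith("\\svchost.exe") and "system32" not in lowered


def windir_drop_hits(listing):
    """listing: file names directly under %windir% (not System32)."""
    return sorted(WINDIR_DROPS & {n.lower() for n in listing})


def drive_root_hits(listing):
    """listing: file names in a drive root."""
    return sorted(WORM_PACKAGE & {n.lower() for n in listing})


def triage(autorun_text, hkcu_windows_values, windir_listing, drive_root_listing):
    """Return human-readable findings; an empty list means no Perlovga indicator matched."""
    findings = []
    if autorun_launches(autorun_text):
        findings.append("autorun.inf launches copy.exe")
    if registry_persistence_hit(hkcu_windows_values):
        findings.append("HKCU ...\\Windows 'load' value points at %windir%\\svchost.exe")
    drops = windir_drop_hits(windir_listing)
    if drops:
        findings.append("worm copies under %windir%: " + ", ".join(drops))
    pkg = drive_root_hits(drive_root_listing)
    if len(pkg) == len(WORM_PACKAGE):
        findings.append("full Perlovga package in drive root: " + ", ".join(pkg))
    return findings


# Constructed sample data shaped after the write-up (not real captures).
SAMPLE_AUTORUN = "[autorun]\nopen=copy.exe\nshellexecute=copy.exe\nshell\\open\\command=copy.exe\n"
SAMPLE_HKCU_WINDOWS = {"load": r"C:\WINDOWS\svchost.exe", "run": ""}
SAMPLE_WINDIR = ["explorer.exe", "xcopy.exe", "svchost.exe", "autorun.inf", "win.ini"]
SAMPLE_DRIVE_ROOT = ["copy.exe", "host.exe", "autorun.inf", "pagefile.sys"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN, SAMPLE_HKCU_WINDOWS, SAMPLE_WINDIR, SAMPLE_DRIVE_ROOT):
        print("[!]", finding)
```

On a live host the same checks map to `reg query` of the subkey named in PERSIST_SUBKEY and a directory listing of %windir% and each drive root; the exact-name matching deliberately ignores the legitimate xcopy.exe and svchost.exe in System32, and the drive-root check only fires when all three package files are present together, which keeps a lone stray autorun.inf from being reported as the worm.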