Worm:Win32/Prolaco.BC


First posted on 17 June 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Prolaco.BC is also known as Win32/Prolaco.worm.438272 (AhnLab), W32/Agent.IXG (Authentium (Command)), Worm.Win32.Agent.acb (Kaspersky), Worm.Agent.WNCD (VirusBuster), Trojan horse Dropper.Generic2.SMT (AVG), Win32.Generic.497710 (BitDefender), Generic.dx!syn (McAfee), Trj/Buzus.AH (Panda), Trojan.Win32.Generic.5208474B (Rising AV), Mal/CryptBox-A (Sophos), Worm.Win32.Prolaco.gen.c (Sunbelt Software), W32.Ackantta.B@mm (Symantec), Mal_Prolaco (Trend Micro).

Explanation :

Worm:Win32/Prolaco.BC is a detection for a variant of Win32/Prolaco, a worm that spreads via e-mail message attachments, removable drives and shared folders of Peer 2 Peer (P2P) applications. This worm also lowers security settings and downloads and installs Win32/Vundo.
Spreads via...

Worm:Win32/Prolaco.BC may spread if certain P2P programs are installed on the system. The worm also checks the following file types, presumably in order to find email addresses, so that it may contact mail servers:

.txt
.htm
.doc
.xls
.lst
.nfo
.log
.xml

Worm:Win32/Prolaco.BC copies itself to the following directories:

c:\WINDOWS\system32\
C:\Program Files\Grokster\My Grokster\
C:\Program Files\ICQ\Shared Folder\
C:\Program Files\LimeWire\Shared\
C:\Program Files\Morpheus\My Shared Folder\
C:\Program Files\Tesla\Files\
C:\Program Files\WinMX\Shared\
C:\Program Files\eMule\Incoming\

The worm uses the following file names for its copies:

Adobefy.exe
Absolute Video Converter 6.2.exe
Ad-aware 2010.exe
Adobe Acrobat Reader keygen.exe
Adobe Illustrator CS4 crack.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
Anti-Porn v13.5.12.29.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Ashampoo Snap 3.02.exe
Avast 4.8 Professional.exe
BitDefender AntiVirus 2010 Keygen.exe
Blaze DVD Player Pro v6.52.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 7 + keymaker.exe
Download Accelerator Plus v9.exe
Download Boost 2.0.exe
DVD Tools Nero 10.5.6.0.exe
G-Force Platinum v3.7.5.exe
Google SketchUp 7.1 Pro.exe
Grand Theft Auto IV (Offline Activation).exe
Image Size Reducer Pro v1.0.1.exe
Internet Download Manager V5.exe
Kaspersky AntiVirus 2010 crack.exe
Kaspersky Internet Security 2010 keygen.exe
K-Lite Mega Codec v5.5.1.exe
K-Lite Mega Codec v5.6.1 Portable.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
McAfee Total Protection 2010.exe
Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Mp3 Splitter and Joiner Pro v3.48.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2010 Enterprise Crack.exe
Norton Internet Security 2010 crack.exe
PDF password remover (works with all acrobat reader).exe
PDF to Word Converter 3.0.exe
PDF Unlocker v2.0.3.exe
PDF-XChange Pro.exe
Power ISO v4.2 + keygen axxo.exe
Rapidshare Auto Downloader 3.8.exe
RapidShare Killer AIO 2010.exe
Sophos antivirus updater bypass.exe
Starcraft2 Crack.exe
Starcraft2 keys.txt.exe
Starcraft2 Oblivion DLL.exe
Starcraft2 Patch v0.2.exe
Starcraft2.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Trojan Killer v2.9.4173.exe
Tuneup Ultilities 2010.exe
Twitter FriendAdder 2.1.1.exe
VmWare 7.0 keygen.exe
VmWare keygen.exe
Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows 7 Ultimate keygen.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe
YouTubeGet 5.4.exe

Worm:Win32/Prolaco.BC also drops the file lsass.exe, which is detected as Worm:Win32/Prolaco, to the following location:

%APPDATA%\SystemProc\

Note: %APPDATA% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Documents and Settings\<user>\Application Data; and for XP, Vista, and 7 is C:\Users\<user>\AppData\Roaming.

Payload

Modifies system settings

Worm:Win32/Prolaco.BC makes the following registry modifications:

Adds value: "UACDisableNotify"
With data: 01, 00, 00, 00
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

Adds value: "EnableLUA"
With data: 00, 00, 00, 00
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

Adds value: "Adobe Reader Updater v06"
With data: C:\WINDOWS\system32\Adobefy.exe
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "C:\WINDOWS\system32\Adobefy.exe"
With data: C:\WINDOWS\system32\Adobefy.exe:*:Enabled:Explorer
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
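The following PowerShell triage script is an added example; it is not part of this write-up and not a vendor tool. It checks a single host, read-only, for the copy locations, the dropped lsass.exe and the registry values listed in the sections above and returns one record per indicator found. The function name Find-ProlacoIndicators, the use of $env:SystemRoot in place of the literal c:\WINDOWS, and the shortened name list are assumptions of the example.

```powershell
function Find-ProlacoIndicators {
    # Added triage example for Worm:Win32/Prolaco.BC (not from the advisory).
    # Read-only: it only reports, never deletes or changes anything.
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # Copy targets from the "Spreads via" section. The write-up names
    # c:\WINDOWS\system32\ literally; $env:SystemRoot is an assumption so the
    # check also works where Windows is not installed at C:\WINDOWS.
    $dropDirs = @(
        (Join-Path $env:SystemRoot 'system32'),
        'C:\Program Files\Grokster\My Grokster',
        'C:\Program Files\ICQ\Shared Folder',
        'C:\Program Files\LimeWire\Shared',
        'C:\Program Files\Morpheus\My Shared Folder',
        'C:\Program Files\Tesla\Files',
        'C:\Program Files\WinMX\Shared',
        'C:\Program Files\eMule\Incoming'
    )

    # Constructed shortlist of the copy names from the write-up; extend it
    # with the full list above for a complete sweep.
    $dropNames = @(
        'Adobefy.exe',
        'Ad-aware 2010.exe',
        'Kaspersky AntiVirus 2010 crack.exe',
        'Starcraft2.exe',
        'VmWare keygen.exe',
        'Windows 7 Ultimate keygen.exe'
    )

    foreach ($dir in $dropDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($name in $dropNames) {
            $candidate = Join-Path $dir $name
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $findings.Add([pscustomobject]@{
                    Indicator = 'WormCopy'
                    Location  = $candidate
                    Detail    = 'file name matches the copy list'
                })
            }
        }
    }

    # lsass.exe dropped under %APPDATA%\SystemProc. The legitimate lsass.exe
    # lives in System32, so a copy inside a user profile is suspicious by itself.
    $fakeLsass = Join-Path $env:APPDATA 'SystemProc\lsass.exe'
    if (Test-Path -LiteralPath $fakeLsass -PathType Leaf) {
        $findings.Add([pscustomobject]@{
            Indicator = 'DroppedLsass'
            Location  = $fakeLsass
            Detail    = 'lsass.exe outside System32'
        })
    }

    # Registry values from the Payload section. ExpectedData is the DWORD the
    # worm writes (01,00,00,00 = 1; 00,00,00,00 = 0); $null means any data at
    # that value name is reported. UACDisableNotify=1 and EnableLUA=0 are also
    # set by some administrators, so treat them as corroborating evidence; the
    # Run entry and the firewall exception for Adobefy.exe are the strong signals.
    $regChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
           Name = 'UACDisableNotify'; ExpectedData = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
           Name = 'EnableLUA'; ExpectedData = 0 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
           Name = 'Adobe Reader Updater v06'; ExpectedData = $null },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
           Name = 'C:\WINDOWS\system32\Adobefy.exe'; ExpectedData = $null }
    )

    foreach ($check in $regChecks) {
        $props = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        # Look the value up by name so names containing spaces or backslashes work.
        $prop = $props.PSObject.Properties[$check.Name]
        if ($null -eq $prop) { continue }
        if ($null -eq $check.ExpectedData -or $prop.Value -eq $check.ExpectedData) {
            $findings.Add([pscustomobject]@{
                Indicator = 'Registry'
                Location  = "$($check.Path)\$($check.Name)"
                Detail    = "data = $($prop.Value)"
            })
        }
    }

    return $findings
}

# Run from an elevated prompt so HKLM and Program Files are readable.
$result = @(Find-ProlacoIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Prolaco.BC indicators found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

The Run key is checked under HKCU, so it only covers the profile the script runs as; to sweep every profile on a shared machine, load each user's NTUSER.DAT hive or run the check in each user's context. A hit on the firewall AuthorizedApplications entry together with the Run value is a reliable sign of this variant even when the on-disk copy has already been removed.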

Analysis by Chris Stubbs

Last update 17 June 2010
