P2P-Worm.Win32.Palevo.arxz

Detected Aug 03 2010 10:29 GMT
Released Aug 04 2010 19:22 GMT
Published Oct 26 2010 09:41 GMT

Technical Details

This malicious program provides a malicious user with remote access to the infected computer and uses P2P network file sharing directories to distribute itself. It is a Windows application (PE EXE file). It is 150 016 bytes in size. It is packed using an unknown packer. The unpacked file is approximately 89 KB in size. It is written in C++.

Installation

It creates a copy of its file in the following directory:

%AppData%\qvcxxb.exe
It assigns the "hidden" and "system" attributes to this file.

In order to ensure that the worm is launched automatically each time the system is booted, it adds a link to its executable file in the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "%AppData%\qvcxxb.exe"


Payload

In order to simulate legitimacy, the worm's file contains dummy information about the file:

The worm locates a process corresponding to a window with the class "Progman" (this is how the malware finds the "explorer.exe" process) and injects its code into this process, then ceases running.

The code injected into this process then acts as a backdoor. To do this, it connects to the following remote hosts:

prcoli***nica.com
krete***epotice.ru
somb***osting.net
84.***.194
dz***tarts.com
Following a command from the malicious user, the worm can perform the following actions:
  1. Download files to the infected computer and launch them for execution. The downloaded files are saved in the user's temporary folder under random names:
    %Temp%\<rnd>.exe
    where <rnd> is a random number.

    It can save the downloaded files under the names "Crack.exe" and "Keygen.exe" to P2P network file sharing directories located on the local machine. It can also save them in the following directory:
    %ALLUSERSPROFILE%\Local Settings\Application Data\Ares\My Shared Folder
    It obtains the names of P2P network file sharing directories by analyzing the parameters of these system registry keys:
    [HKCU\Software\BearShare\General]
    [HKCU\Software\iMesh\General]
    [HKCU\Software\Shareaza\Shareaza\Downloads]
    [HKCU\Software\Kazaa\LocalContent]
    [HKCU\Software\DC++]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1]
    
  2. Change the content of the "hosts" file:
    %System%\etc\hosts
    This means that it can block access to the Internet resources visited by the user, or redirect the user to other resources.
  3. Conduct a DoS attack on a server specified by the malicious user.
  4. Copy the worm's body to all write-accessible network and removable drives. It also places the accompanying file shown below in the root of every disk:
    <X>:\autorun.inf
    where <X> is the letter of the network drive or removable disk. At the same time, it assigns "hidden" and "system" attributes to the copies of the worm.

    This file launches the executable file from the copy of the worm each time the user accesses the infected disk using Explorer.

  5. Send the names of Internet resources and the passwords entered for them to the malicious user's address when the user works in the following browsers:
    Mozilla Firefox
    Internet Explorer
    Opera
    
At the time of writing, the worm downloaded its updated version from the following URL, then launched it for execution:
http://188.***.27/jebacina/418.exe
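The artefacts listed under Installation and Payload (the Winlogon "Taskman" value, the dropped copy in %AppData%, a modified hosts file, Crack.exe/Keygen.exe lures in P2P shared folders, and autorun.inf in drive roots) can be checked for in one pass. The following PowerShell triage script is an added example and is not part of the Kaspersky description; the paths, registry keys and MD5 come from the page, while the variable names and the way shared-folder paths are read from the P2P registry keys (every string value that resolves to an existing directory, since the page does not name the value) are the example's own assumptions.

```powershell
# Added triage script (not from the Kaspersky page): reports the Palevo.arxz artefacts
# the description lists. Read-only; run in an elevated PowerShell session.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Winlogon "Taskman" autorun value (absent on a clean system)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman = (Get-ItemProperty -Path $winlogonKey -Name Taskman).Taskman
if ($taskman) { $findings += "Winlogon\Taskman is set: $taskman" }

# 2. Dropped copy in %AppData%, with its MD5 compared to the sample hash on the page
$dropped = Join-Path $env:APPDATA 'qvcxxb.exe'
if (Test-Path -LiteralPath $dropped) {
    $md5   = (Get-FileHash -LiteralPath $dropped -Algorithm MD5).Hash
    $known = '0F3327C00A7590802BEAB3C47F142CAE'
    $findings += "Found $dropped (MD5 $md5; matches described sample: $($md5 -eq $known))"
}

# 3. hosts file (the page's %System%\etc\hosts lives under drivers\etc): any active
#    entry other than loopback is worth a look, since the worm uses it for blocking/redirects
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$extra = Get-Content -LiteralPath $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' }
if ($extra) { $findings += 'Non-loopback hosts entries: ' + ($extra -join '; ') }

# 4. Crack.exe / Keygen.exe in the P2P shared directories named via the registry keys above
$p2pKeys = @(
    'HKCU:\Software\BearShare\General',
    'HKCU:\Software\iMesh\General',
    'HKCU:\Software\Shareaza\Shareaza\Downloads',
    'HKCU:\Software\Kazaa\LocalContent',
    'HKCU:\Software\DC++',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1'
)
$shareDirs = @(foreach ($key in $p2pKeys) {
    if (Test-Path -LiteralPath $key) {
        # Assumption: the page does not name the value holding the share path, so take
        # every string value (skipping PowerShell's own PS* properties) that is a directory.
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and
                           (Test-Path -LiteralPath $_.Value -PathType Container) } |
            ForEach-Object { $_.Value }
    }
})
$shareDirs += Join-Path $env:ALLUSERSPROFILE 'Local Settings\Application Data\Ares\My Shared Folder'
foreach ($dir in $shareDirs | Sort-Object -Unique) {
    foreach ($name in 'Crack.exe', 'Keygen.exe') {
        $candidate = Join-Path $dir $name
        if (Test-Path -LiteralPath $candidate) { $findings += "P2P lure present: $candidate" }
    }
}

# 5. autorun.inf in the root of every drive; the worm sets it hidden+system, so use -Force
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Get-Item -LiteralPath (Join-Path $drive.Root 'autorun.inf') -Force
    if ($inf) { $findings += "autorun.inf on $($drive.Root) (attributes: $($inf.Attributes))" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Palevo.arxz artefacts found.' }
```

A hit on the hosts file or on autorun.inf alone is not proof of this worm (both are used by other malware and by some legitimate software), but the Taskman value pointing into %AppData% together with the dropped file is a strong indicator, and the hash comparison tells you whether it is this exact sample or an updated build that needs its own analysis.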


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original worm file (its location will depend on how the program originally penetrated the victim machine).
  2. Use Task Manager to terminate the process:
    explorer.exe
  3. Delete the following file:
    %AppData%\qvcxxb.exe
    If the worm has managed to download its updated version, then the following file has to be removed using the mask below:
    %AppData%\<rnd2>.exe
    where <rnd2> is a random set of letters.
  4. Delete the files from the current Windows user's temporary folder using the following mask:
    %Temp%\<rnd>.exe
    where <rnd> is a random number.
  5. Delete the following system registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Taskman" = 
    
  6. If necessary, restore the contents of the file:
    %System%\etc\hosts
    to the following:
    127.0.0.1       localhost
  7. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%
  8. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
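Steps 2 to 7 of the removal instructions above can be scripted so that nothing is deleted without being listed first. The script below is an added example, not Kaspersky's tooling; it relies on the file and registry locations stated on the page and adds two assumptions of its own: the mask for <rnd2> is taken to be a base name made only of letters and the mask for <rnd> a base name made only of digits, and the modified hosts file is copied aside before it is overwritten.

```powershell
# Added clean-up script (not from the Kaspersky page): automates removal steps 2-7.
# Run elevated. Use -WhatIf to preview, or -Confirm to approve each deletion.
[CmdletBinding(SupportsShouldProcess = $true)]
param()
$ErrorActionPreference = 'SilentlyContinue'

# Step 2: terminate explorer.exe, the process the worm injected into.
if ($PSCmdlet.ShouldProcess('explorer.exe', 'Stop process')) {
    Stop-Process -Name explorer -Force
}

# Steps 3 and 4: the dropped copy, a downloaded update (%AppData%\<rnd2>.exe, random
# letters) and %Temp%\<rnd>.exe (random number). The masks are the example's reading
# of the page; every candidate is named before deletion, so review the list.
$candidates = @()
$candidates += Get-Item -LiteralPath (Join-Path $env:APPDATA 'qvcxxb.exe') -Force
$candidates += Get-ChildItem -LiteralPath $env:APPDATA -Filter '*.exe' -File -Force |
    Where-Object { $_.BaseName -match '^[A-Za-z]+$' }
$candidates += Get-ChildItem -LiteralPath $env:TEMP -Filter '*.exe' -File -Force |
    Where-Object { $_.BaseName -match '^\d+$' }
foreach ($file in $candidates | Where-Object { $_ }) {
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete file')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

# Step 5: remove the Winlogon "Taskman" value that launches the worm at logon.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ((Get-ItemProperty -Path $winlogonKey -Name Taskman) -and
    $PSCmdlet.ShouldProcess("$winlogonKey\Taskman", 'Remove registry value')) {
    Remove-ItemProperty -Path $winlogonKey -Name Taskman -Force
}

# Step 6: restore the hosts file to the loopback entry given on the page, keeping
# the tampered copy next to it for later analysis of what was blocked or redirected.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if ($PSCmdlet.ShouldProcess($hostsPath, 'Restore default contents')) {
    Copy-Item -LiteralPath $hostsPath -Destination "$hostsPath.palevo.bak" -Force
    Set-Content -LiteralPath $hostsPath -Value '127.0.0.1       localhost' -Encoding ASCII
}

# Step 7: empty the current user's Temporary Internet Files directory.
$inetCache = [Environment]::GetFolderPath('InternetCache')
if ($PSCmdlet.ShouldProcess($inetCache, 'Empty directory')) {
    Get-ChildItem -LiteralPath $inetCache -Recurse -Force | Remove-Item -Recurse -Force
}

# Bring the desktop back once the files are gone.
Start-Process explorer.exe
```

Run it first as `.\cleanup.ps1 -WhatIf` to see every file and registry value it would touch; step 1 (the original infection vector) and step 8 (the full scan with current databases) remain manual, and the hash of any deleted %AppData% file is worth recording before removal so an updated build can be identified later.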

md5: 0F3327C00A7590802BEAB3C47F142CAE
sha1: 2CC16551C6045A6CE335B4C5182C12A0B67CEC4B


P2P-Worm

P2P Worms spread via peer-to-peer file sharing networks (such as Kazaa, Grokster, EDonkey, FastTrack, Gnutella, etc.).

Most of these worms work in a relatively simple way: in order to get onto a P2P network, all the worm has to do is copy itself to the file sharing directory, which is usually on a local machine. The P2P network does the rest: when a file search is conducted, it informs remote users of the file and provides the services that make it possible to download the file from the infected computer.

There are also more complex P2P-Worms that imitate the network protocol of a specific file sharing system and respond positively to search queries; a copy of the P2P-Worm is offered as a match.



Aliases

P2P-Worm.Win32.Palevo.arxz (Kaspersky Lab) is also known as:

  • Trojan: W32/Rimecud.gen.e (McAfee)
  • Mal/Palevo-A (Sophos)
  • Generic Trojan (Panda)
  • Trojan:Win32/Rimecud.A (MS(OneCare))
  • Trojan.Packed.20312 (DrWeb)
  • Win32/Kryptik.FRV trojan (Nod32)
  • Gen:Variant.Kazy.200 (BitDef7)
  • Worm.Palevo.Gen!Pac.7 (VirusBuster)
  • Win32:MalOb-DW [Cryp] (AVAST)
  • P2P-Worm.Win32.Palevo (Ikarus)
  • W32.Pilleuz!gen8 (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan-Dropper:W32/Agent.DQKK [FSE] (FSecure)
  • Mal_Palevo5 (TrendMicro)
  • Worm.Palevo.Gen!Pac.7 (VirusBusterBeta)