
P2P-Worm.Win32.Palevo.bpji

Detected Jan 24 2011 15:28 GMT
Released Jan 24 2011 23:05 GMT
Published Mar 24 2011 13:02 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.


Technical Details

This worm provides a malicious user with remote access to an infected machine. It is a Windows application (PE EXE file). It is 133 120 bytes in size. It is written in C++.

Installation

The worm copies its body to the file:

C:\Recycler\S-1-5-21-4714072883-7050866809-469064273-3308\nissan.exe
The following file is also created in this directory:
C:\Recycler\S-1-5-21-4714072883-7050866809-469064273-3308\Desktop.ini
containing the following string:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
Hidden and system attributes are assigned to the files that are created.

To ensure that the copy of the worm is launched automatically each time the system is rebooted, the following system registry key is created:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "C:\Recycler\S-1-5-21-4714072883-7050866809-469064273-3308\nissan.exe"
In a separate thread, the worm keeps its copy locked so that it cannot be deleted. It also monitors the autorun value it created in the system registry and restores it if it is removed.
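The "Taskman" value under the Winlogon key is absent on a default installation, so its presence alone is worth checking. The Python below is an added example, not Kaspersky Lab's code: it reads a constructed excerpt of a "reg export" of that key, unescapes the .reg format, and flags a Taskman value pointing into a Recycler SID directory as matching this worm's persistence.

```python
import re
# Constructed excerpt of a "reg export" of the Winlogon key on an infected
# host (values other than Taskman are typical defaults, shown for context).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Taskman"="C:\\Recycler\\S-1-5-21-4714072883-7050866809-469064273-3308\\nissan.exe"
"""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

def reg_values(text, key):
    """Return the string values under one key of a .reg export, with the
    export's doubled backslashes and escaped quotes unescaped."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == key.lower():
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return values

def check_taskman(text):
    """Flag a Taskman value: Winlogon has none by default, and one pointing
    into a Recycler\S-... directory matches this worm's persistence."""
    taskman = reg_values(text, WINLOGON).get("Taskman")
    if taskman is None:
        return None
    suspicious = re.search(r"\\recycler\\s-1-5-21-[\d-]+\\", taskman, re.I) is not None
    return {"taskman": taskman, "suspicious": suspicious}
```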

Propagation

The worm copies its body to all write-accessible removable disks connected to the infected computer:

<name of infected partition>:\less.exe
Along with the copy of itself, the worm places the following file in the root directory of the infected disk:
<name of infected partition>:\autorun.inf
with the following content:
[autorun]
]]]]]]]]]]]]]
;nothing lasts foreva
shellexecute=.\\\\name\\\\\\\\\\\\less.exe
;L
icon=%SystemRoot%\system32\SHELL32.dll,4
;A
action=Open folder to view files
;M
shell\open\command=name\\\\\\\\\\\\less.exe
;E
shell\explore\command=name\\\\\\\\\\\\less.exe
UseAutoPlay=1
This file enables the worm to launch itself each time the user accesses the infected partition using Explorer.

Hidden and system attributes are assigned to the files that are created. The worm also creates copies of itself in P2P file sharing directories. It obtains the paths to these directories by reading the values under the following system registry keys:

[HKCU\Software\BearShare\General]
[HKCU\Software\iMesh\General]
[HKCU\Software\Shareaza\Shareaza\Downloads]
[HKCU\Software\Kazaa\LocalContent]
[HKCU\Software\DC++]
[HKCU\Software\eMule]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is]
A copy is also placed in this directory:
%ALLUSERSPROFILE%\Local Settings\Application Data\Ares\My Shared Folder
In addition, the worm spreads by sending links to download its original file through MSN Messenger.
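The autorun.inf listed above is padded with junk lines and runs of backslashes that Windows tolerates but that a naive scanner may mishandle. The following Python is an added example, not code from Kaspersky Lab or from the worm description: it parses an autorun.inf (a copy of the listing above, constructed here, is embedded), normalizes the launch paths and reports the obfuscation markers, so a scan of removable media can flag such files.

```python
import re
# Sample autorun.inf constructed from the listing in this description.
SAMPLE_AUTORUN = r"""[autorun]
]]]]]]]]]]]]]
;nothing lasts foreva
shellexecute=.\\\\name\\\\\\\\\\\\less.exe
;L
icon=%SystemRoot%\system32\SHELL32.dll,4
;A
action=Open folder to view files
;M
shell\open\command=name\\\\\\\\\\\\less.exe
;E
shell\explore\command=name\\\\\\\\\\\\less.exe
UseAutoPlay=1
"""
# Keys through which an autorun.inf can launch a program.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun(text):
    """Return [autorun] key/value pairs and the count of junk lines (ignored by Windows)."""
    values, junk, section = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower() == "[autorun]"
        elif section and "=" not in line:
            junk += 1                     # e.g. the ']]]]]]]]]]]]]' padding
        elif section:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values, junk

def normalize_target(value):
    """Collapse backslash runs and a leading '.\\' to the real relative path."""
    path = re.sub(r"\\+", r"\\", value)
    return path[2:] if path.startswith(".\\") else path

def analyze_autorun(text):
    """Report what the file would launch and the obfuscation tricks it uses."""
    values, junk = parse_autorun(text)
    launch = [values[k] for k in EXEC_KEYS if k in values]
    flags = ["junk lines inside [autorun]"] if junk else []
    if any("\\\\" in v for v in launch):
        flags.append("repeated backslashes in launch path")
    if launch and "open folder" in values.get("action", "").lower():
        flags.append("action text mimics the Explorer 'Open folder' prompt")
    return {"targets": sorted({normalize_target(v) for v in launch}), "flags": flags}
```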


Payload

The worm's entire payload is executed by code injected into the address space of the process "EXPLORER.EXE". The payload is not executed if any one of the following conditions holds:

  • The following branch is missing from the system registry:
    [HKCU\Keyboard Layout\Preload]
  • The current user's account name is:
    USERNAME
    user
    COMPUTERNAME
    CurrentUser
    
  • The following libraries are loaded in the worm's address space:
    SbieDll.dll
    dbghelp.dll
    
  • The worm's original file was saved in the system as:
    c:\file.exe

After the malicious code has been injected into the process "EXPLORER.EXE", the following actions are performed:

  • To ensure that the process is unique within the system, a unique identifier is created, which is named:
    aljsughu55
  • To provide access to the infected system, the following named pipe is created:
    \\.\pipe\iuuualj55
  • A connection is established to the malicious user's server:
    sol***rkovic.com
    It uses UDP protocol, port 7999. Following a command by the malicious user, the worm can perform the following actions on the infected computer:
    • Organize a DoS attack on specified servers.
    • Download files from links sent to it. The downloaded files are saved in the current user's temporary files directory "%Temp%" using random names.
    • Download an updated version of the worm from the malicious user's server.
    • Parse the settings files of these browsers:
      Mozilla Firefox
      Internet Explorer
      Opera
      
      for the purpose of stealing passwords saved in them.
    • Steal and modify browser cookies. To do this, the worm uses the "sqlite" module built into the browser Mozilla Firefox.
    • The actions described in the "Installation" and "Propagation" sections.
    The worm exchanges messages of the following types with the malicious user's server:
    Scan stopped
    Scan running
    Scan started
    KB data sent: <number>
    SYN packets sent: <number>
    Flood running
    flood stopped: <string>
    flooding: <string>
    Drive infected: <string>
    USB spreader running
    P2P Copy to: <string>
    MSN spreader running
    MSN spread started, link: <string>
    MSN link sent
    
At the time of writing, the malicious user's server was not responding.


Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the process "EXPLORER.EXE".
  2. Launch the system registry editor "REGEDIT.EXE". To do this, in Task Manager select "File\New Task (Run...)" and enter the command "regedit".
  3. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Taskman" = "C:\Recycler\S-1-5-21-4714072883-7050866809-469064273-3308\nissan.exe"
    
  4. Terminate the process "EXPLORER.EXE". To do this, in Task Manager open the tab "File\New Task (Run...)" and enter the command "explorer".
  5. Delete the following files:
    C:\Recycler\S-1-5-21-4714072883-7050866809-469064273-3308\nissan.exe
    C:\Recycler\S-1-5-21-4714072883-7050866809-469064273-3308\Desktop.ini
    <name of infected partition>:\less.exe
    <name of infected partition>:\autorun.inf
    
  6. Delete the original worm file (its location will depend on how the program originally penetrated the infected computer).
  7. Delete the files downloaded by the worm from the "%Temp%" directory.
  8. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
  9. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


P2P-Worm

P2P Worms spread via peer-to-peer file sharing networks (such as Kazaa, Grokster, EDonkey, FastTrack, Gnutella, etc.).

Most of these worms work in a relatively simple way: to get onto a P2P network, all the worm has to do is copy itself to the file sharing directory, which is usually on the local machine. The P2P network does the rest: when a file search is conducted, it informs remote users of the file and provides the services that make it possible to download the file from the infected computer.

There are also more complex P2P-Worms that imitate the network protocol of a specific file sharing system and respond positively to search queries; a copy of the P2P-Worm is offered as a match.

