WORM_PALEVO.RE


 ALIASES:

VirTool:Win32/CeeInject.gen!GC (Microsoft)

 PLATFORM:

Windows


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, via physical/removable drives, propagates via network shares

This worm arrives via removable drives. It arrives by accessing affected shared networks. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

136,192 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

20 Mar 2015

Payload:

Connects to URLs/IPs, Terminates processes, Drops files

Arrival Details

This worm arrives via removable drives.

It arrives by accessing affected shared networks.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • {install directory}\wmpkv32.exe

It checks if it is installed or dropped in the following folder:

  • {install directory}

It creates the following folders:

  • {install directory}

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • V8x
  • muipcdraotse
  • rbulnanbilnag

It stays memory-resident by injecting code into the following process:

  • explorer.exe

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

{registry base key}\Software\Microsoft\Windows\CurrentVersion\Run
WinMedia Server = {install directory}\wmpkv32.exe

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

It adds the following registry entries:

{registry base key}\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
{install directory}\wmpkv32.exe = DisableNXShowUI

{registry base key}\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{install path}\wmpkv32.exe = "{install path}\wmpkv32.exe:*:Enabled:WinMediaServer"

{registry base key}\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
{install path}\wmpkv32.exe = "{install path}\wmpkv32.exe:*:Enabled:WinMediaServer"
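
The persistence artifacts listed in the Installation, Autostart Technique and Other System Modifications sections can be checked from an elevated PowerShell prompt. The script below is an added example written for this page, not Trend Micro's code: it is read-only, resolves {install directory} to the two candidates given in the Notes section (%System% and %User Profile%\Network), looks for the Run value, the AppCompatFlags\Layers DEP opt-out and the firewall exceptions under both hives, and tests whether any of the three mutexes is currently held. The mutex probe only sees the current session, and the hive names HKLM:/HKCU: are PowerShell's drive aliases for the {registry base key} values.

```powershell
# Added example (not Trend Micro's code): read-only check for the
# WORM_PALEVO.RE persistence artifacts described above.
# Assumption: run elevated so HKLM and %System% are readable.

$findings = @()

# {install directory} is %System% (admin) or %User Profile%\Network (non-admin)
$installDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:USERPROFILE 'Network')
)
foreach ($dir in $installDirs) {
    $copy = Join-Path $dir 'wmpkv32.exe'
    if (Test-Path -LiteralPath $copy) { $findings += "Dropped copy present: $copy" }
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    # Autostart Technique: Run value named "WinMedia Server"
    $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $runValue = Get-ItemProperty -Path $run -Name 'WinMedia Server' -ErrorAction SilentlyContinue
    if ($runValue) {
        $findings += "Run entry: $run\WinMedia Server = $($runValue.'WinMedia Server')"
    }

    # Other System Modifications: DEP opt-out for the dropped copy
    $layers = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
    if (Test-Path -Path $layers) {
        $props = Get-ItemProperty -Path $layers
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like '*\wmpkv32.exe' -and $props.$name -match 'DisableNXShowUI') {
                $findings += "AppCompat layer (DEP opt-out): $layers\$name = $($props.$name)"
            }
        }
    }

    # Other System Modifications: Windows Firewall exceptions named WinMediaServer
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $fw = "$hive\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
        if (Test-Path -Path $fw) {
            $props = Get-ItemProperty -Path $fw
            foreach ($name in $props.PSObject.Properties.Name) {
                if ($props.$name -match 'WinMediaServer') {
                    $findings += "Firewall exception ($profile): $name = $($props.$name)"
                }
            }
        }
    }
}

# Installation: OpenExisting succeeds only if a running copy created the mutex
foreach ($mutexName in 'V8x', 'muipcdraotse', 'rbulnanbilnag') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mutexName)
        $m.Dispose()
        $findings += "Mutex held by a running copy: $mutexName"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present in this session
    } catch {
        $findings += "Mutex $mutexName exists but could not be opened: $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_PALEVO.RE persistence artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the Layers or firewall values with no wmpkv32.exe on disk usually means the file was already removed by a scan and the registry clean-up in the Solution section is still outstanding.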

Propagation

This worm creates the following folders in all removable drives:

  • {removable drive letter}:\DrvInf.{GUID}

It drops the following copy(ies) of itself in all removable drives:

  • {removable drive letter}:\~drvcore.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings, where {garbage code} marks junk data inserted between the directives:

{garbage code}
[Autorun]
{garbage code}
open=CMD /C START DrvInf.{GUID}\drvinf-x034697.core
{garbage code}
icon=%windir%\system32\SHELL32.dll,3
{garbage code}
action=Open drive to browse contents.
{garbage code}
shell\open=Open
{garbage code}
shell\open\command=CMD /C START DrvInf.{GUID}\drvinf-x034697.core
{garbage code}
shell\open\default=1
{garbage code}
useautoplay=1
{garbage code}
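
Because the worm pads the file with junk between directives, a naive string search on AUTORUN.INF is brittle; the added example below (written for this page, not Trend Micro's code) parses the file the way the Windows shell effectively does, keeping only key=value lines under the [Autorun] section, and then reports which launch directives point at the DrvInf.{GUID}\drvinf-x034697.core loader. It enumerates removable drives through Win32_LogicalDisk; the DriveType value 2 is the standard "removable" code, and the GUID is matched by shape rather than by the specific value in this description.

```powershell
# Added example (not Trend Micro's code): triage AUTORUN.INF on removable drives.

function Read-AutorunDirectives {
    param([string]$Path)
    $directives = @{}
    $section = ''
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1].ToLowerInvariant()
            continue
        }
        # Only key=value lines inside [Autorun] are directives; everything else is junk.
        if ($section -eq 'autorun' -and $line -match '^([A-Za-z][A-Za-z0-9\\]*)\s*=\s*(.*)$') {
            $directives[$Matches[1].ToLowerInvariant()] = $Matches[2]
        }
    }
    return $directives
}

function Test-PalevoAutorun {
    param([hashtable]$Directives)
    # The two launch keys the description shows; match the GUID by shape.
    foreach ($key in 'open', 'shell\open\command') {
        if ($Directives.ContainsKey($key) -and
            $Directives[$key] -match 'DrvInf\.\{[0-9A-Fa-f-]+\}\\drvinf-x034697\.core') {
            return $true
        }
    }
    return $false
}

# DriveType 2 = removable disk
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($drive in $removable) {
    $inf = Join-Path $drive.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $directives = Read-AutorunDirectives -Path $inf
    $verdict = if (Test-PalevoAutorun -Directives $directives) { 'MATCHES WORM_PALEVO.RE' } else { 'no match' }
    Write-Output ("{0} autorun.inf: {1}" -f $drive.DeviceID, $verdict)
    foreach ($key in 'open', 'shell\open\command', 'icon', 'action', 'useautoplay') {
        if ($directives.ContainsKey($key)) {
            Write-Output ("    {0} = {1}" -f $key, $directives[$key])
        }
    }
}
```

The same parser can be pointed at a copied AUTORUN.INF from a network share, since the Dropping Routine section shows the worm writing the file to both removable and network drives.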

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • "TEATIMER.EXE"
  • "MRT.EXE"
  • "MRTSTRUB.EXE"
  • "TCPVIEW.EXE"
  • "HIJACKTHIS.EXE"
  • "MSMPENG.EXE"
  • "MSASCUI.EXE"
  • "MPCMDRUN.EXE"
  • "USBGUARD.EXE"
  • "BILLY.EXE"
  • "AADRIVE32.EXE"

Dropping Routine

This worm drops the following files:

  • {removable/network drive letter}:\b.cpl - detected as TROJ_STARTER.BI
  • {removable/network drive letter}:\ahn{number}.lnk - detected as EXPL_CPLINK.LH
  • {removable/network drive letter}:\Autorun.inf - detected as Possible_OtorunJ

Download Routine

This worm downloads updated copies of itself from the following websites:

  • http://{BLOCKED}.{BLOCKED}.35.28/awstats/rdat02.txt
  • http://vps452.{BLOCKED}ckupsrv.su/net/5x2.zip

Other Details

This worm connects to the following possibly malicious URLs:

  • s48.{BLOCKED}ore.su
  • s59.{BLOCKED}rog.su
  • s66.{BLOCKED}rog.su
  • s73.{BLOCKED}rog.su
  • s81.{BLOCKED}rog.su

NOTES:

The term {registry base key} can be any of the following:

  • HKEY_LOCAL_MACHINE - user belongs to Administrator group
  • HKEY_CURRENT_USER - user is a non-Administrator

The term {install directory} can be any of the following:

  • %System% - user belongs to Administrator group
  • %User Profile%\Network - user is a non-Administrator

This worm downloads an updated copy of itself as {removable/network drive letter}:\DrvInf.{GUID}\drvinf-x034697.core. It checks its environment when executing. It terminates and deletes itself if any of the following conditions are true:

  • The full file path contains the following strings:
    • sample
    • virus
    • sand-box
    • sandbox
    • malware
    • test
  • The computer name is VMG-CLIENT
  • The computer name contains the following strings:
    • MORTE
    • Malekal
    • HOME-OFF-D5F0AC
    • DELL-D3E62F7E26
    • KAKAPROU-6405DA
  • The user name is VMG-CLIENT
  • The user name contains the following strings:
    • MORTE
    • Malekal
    • HOME-OFF-D5F0AC
    • DELL-D3E62F7E26
    • KAKAPROU-6405DA
    • klasnich
  • The machine is running in a virtual environment. It checks the registry for the following strings to determine this condition:
    • VMware
    • VBox
    • Virtual
    • QEMU
  • A running process name contains any of the following strings:
    • vbox
    • vmsrvc
    • vmware
    • tcpview
    • wireshark.exe
    • regshot.exe
    • procmon.exe
    • filemon.exe
    • regmon.exe
    • procdump.exe
    • cports.exe
    • procexp.exe
    • squid.exe
    • dumpcap.exe
    • sbiectrl.exe
  • Any of the following application windows is open:
    • The WireShark NetWork Analyzer
    • Microsoft Network Monitor 3.3
    • SmartSniff
    • CurrPorts
    • TCPViewClass
    • Process Monitor - Sysinternals: www.sysinternals.com
    • Regshot 1.8.2
    • Process Explorer
  • Any of the following files exist:
    • %Program Files%\WinPcap\rpcapd.exe
    • %Program Files%\WireShark\rawshark.exe
    • %Program Files%\Ethereal\ethereal.html
    • %Program Files%\Microsoft Network Monitor 3\netmon.exe

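The list above is also useful in the other direction: an analysis host that trips any of these conditions will never see the worm's real behaviour, only a self-deletion. The added example below (written for this page, not Trend Micro's code) evaluates the same conditions on the host it runs on and reports which ones would fire. Two points are assumptions rather than page content: the description does not say which registry keys are searched for the VM vendor strings, so the script queries the disk enumeration and system description keys as a plausible stand-in, and only main window titles are compared against the window list, so a class-name entry such as TCPViewClass is not checked.

```powershell
# Added example (not Trend Micro's code): report which WORM_PALEVO.RE
# self-deletion conditions the current analysis host would trigger.
# Run it from the directory the sample will be placed in.

$hits = @()

# Full file path markers (checked against the working directory)
$cwd = (Get-Location).Path
foreach ($m in 'sample', 'virus', 'sand-box', 'sandbox', 'malware', 'test') {
    if ($cwd -match [regex]::Escape($m)) { $hits += "Working path contains '$m': $cwd" }
}

# Computer-name and user-name markers
$nameMarkers = 'VMG-CLIENT', 'MORTE', 'Malekal', 'HOME-OFF-D5F0AC', 'DELL-D3E62F7E26', 'KAKAPROU-6405DA'
foreach ($m in $nameMarkers) {
    if ($env:COMPUTERNAME -match [regex]::Escape($m)) { $hits += "Computer name matches '$m'" }
}
foreach ($m in $nameMarkers + 'klasnich') {
    if ($env:USERNAME -match [regex]::Escape($m)) { $hits += "User name matches '$m'" }
}

# VM vendor strings in the registry. ASSUMPTION: the description does not name
# the keys; these two commonly carry the hardware/vendor strings.
$regKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum', 'HKLM:\HARDWARE\DESCRIPTION\System'
foreach ($key in $regKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        foreach ($m in 'VMware', 'VBox', 'Virtual', 'QEMU') {
            if ("$($prop.Value)" -match [regex]::Escape($m)) {
                $hits += "Registry $key\$($prop.Name) contains '$m'"
            }
        }
    }
}

# Process-name markers (listed on the page with .exe; ProcessName has no extension)
$procMarkers = 'vbox', 'vmsrvc', 'vmware', 'tcpview', 'wireshark', 'regshot', 'procmon',
               'filemon', 'regmon', 'procdump', 'cports', 'procexp', 'squid', 'dumpcap', 'sbiectrl'
$processes = Get-Process
foreach ($p in $processes) {
    foreach ($m in $procMarkers) {
        if ($p.ProcessName -match [regex]::Escape($m)) { $hits += "Process '$($p.ProcessName)' matches '$m'" }
    }
}

# Window-title markers (main window titles only)
$windowMarkers = 'The WireShark NetWork Analyzer', 'Microsoft Network Monitor 3.3', 'SmartSniff',
                 'CurrPorts', 'Process Monitor - Sysinternals', 'Regshot 1.8.2', 'Process Explorer'
foreach ($p in $processes | Where-Object { $_.MainWindowTitle }) {
    foreach ($m in $windowMarkers) {
        if ($p.MainWindowTitle -match [regex]::Escape($m)) {
            $hits += "Window title '$($p.MainWindowTitle)' matches '$m'"
        }
    }
}

# Tool files under %Program Files%
foreach ($f in 'WinPcap\rpcapd.exe', 'WireShark\rawshark.exe',
               'Ethereal\ethereal.html', 'Microsoft Network Monitor 3\netmon.exe') {
    $full = Join-Path $env:ProgramFiles $f
    if (Test-Path -LiteralPath $full) { $hits += "Tool file present: $full" }
}

if ($hits.Count -eq 0) {
    Write-Output 'None of the listed self-deletion conditions fire on this host.'
} else {
    $hits | Sort-Object -Unique | ForEach-Object { Write-Output "[!] $_" }
}
```

An empty result does not guarantee the sample will run, since the description only lists the strings and not the exact comparison the worm performs, but each reported hit is a concrete reason to rename the host, user, path or tooling before re-running it.
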
It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine:

9.750

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by WORM_PALEVO.RE. (Note: Please skip this step if the threat(s) listed below have already been removed.)

    • TROJ_STARTER.BI
    • EXPL_CPLINK.LH
    • Possible_OtorunJ

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Scan your computer with your Trend Micro product and note files detected as WORM_PALEVO.RE.

Step 5

Restart in Safe Mode


Step 6

Search and delete the files detected as WORM_PALEVO.RE.

*Note: Some component files may be hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.

To stop the malware/grayware from running when certain files are opened:

For Windows 2000, Windows XP, and Windows Server 2003:

  1. Right-click Start then click Search....
  2. In the File name* input box, type the name of the file that was detected earlier.
  3. In the Look In drop-down list, select My Computer then press Enter.
  4. Once located, select the file then press SHIFT+DELETE to delete it.
    *Note: The file name input box title varies depending on the Windows version (e.g. Search for files or folders named or All or part of the file name.).

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012 (R2):

  1. Open a Windows Explorer window.
    • For Windows Vista, 7, and Server 2008 users, click Start>Computer.
    • For Windows 8, 8.1, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
  2. In the Search Computer/This PC input box, type the name of the file that was detected earlier.
  3. Once located, select the file then press SHIFT+DELETE to delete it.
    *Note: Read the following Microsoft page if these steps do not work on Windows 7.

Step 7

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • {install directory}\wmpkv32.exe = DisableNXShowUI
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • {install path}\wmpkv32.exe = "{install path}\wmpkv32.exe:*:Enabled:WinMediaServer"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • {install path}\wmpkv32.exe = "{install path}\wmpkv32.exe:*:Enabled:WinMediaServer"
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • {install directory}\wmpkv32.exe = DisableNXShowUI
  • In HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • {install path}\wmpkv32.exe = "{install path}\wmpkv32.exe:*:Enabled:WinMediaServer"
  • In HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    • {install path}\wmpkv32.exe = "{install path}\wmpkv32.exe:*:Enabled:WinMediaServer"

Step 8

Search and delete AUTORUN.INF files created by WORM_PALEVO.RE that contain these strings.

{garbage code}
[Autorun]
{garbage code}
open=CMD /C START DrvInf.{645FF040-5081-101B-9F08-00AA002F954E}\drvinf-x034697.core
{garbage code}
icon=%windir%\system32\SHELL32.dll,3
{garbage code}
action=Open drive to browse contents.
{garbage code}
shell\open=Open
{garbage code}
shell\open\command=CMD /C START DrvInf.{645FF040-5081-101B-9F08-00AA002F954E}\drvinf-x034697.core
{garbage code}
shell\open\default=1
{garbage code}
useautoplay=1
{garbage code}

Step 9

Search and delete these folders.

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • {removable/network drive letter}:\DrvInf.{GUID}
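
Steps 7 to 9 can be carried out together from an elevated PowerShell prompt in Safe Mode. The function below is an added example for this page, not Trend Micro's tool: it removes the six registry values listed in Step 7 (plus the "WinMedia Server" Run value from the Autostart Technique section) under both hives, deletes AUTORUN.INF files on removable and network drives only when they reference drvinf-x034697.core, and deletes DrvInf.{GUID} folders whose name has the GUID shape. It supports -WhatIf, so the first call previews every deletion without changing anything; DriveType values 2 and 4 are the standard removable and network codes in Win32_LogicalDisk.

```powershell
# Added example (not Trend Micro's code): clean-up for Steps 7, 8 and 9.
# Run elevated, in Safe Mode, after the detected files have been deleted.

function Remove-PalevoArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($hive in 'HKLM:', 'HKCU:') {
        # Autostart Technique: the Run value
        $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if ((Get-ItemProperty -Path $run -Name 'WinMedia Server' -ErrorAction SilentlyContinue) -and
            $PSCmdlet.ShouldProcess("$run\WinMedia Server", 'Remove autostart value')) {
            Remove-ItemProperty -Path $run -Name 'WinMedia Server'
        }

        # Step 7: AppCompatFlags\Layers and the two firewall AuthorizedApplications lists
        $layers = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        $fwLists = foreach ($profile in 'StandardProfile', 'DomainProfile') {
            "$hive\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
        }
        foreach ($key in @($layers) + $fwLists) {
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($name in $props.PSObject.Properties.Name) {
                # Value name is "{install directory}\wmpkv32.exe"; data is the DEP
                # opt-out flag or the WinMediaServer firewall rule string.
                $isTarget = ($name -like '*\wmpkv32.exe') -and
                            ($props.$name -match 'DisableNXShowUI|WinMediaServer')
                if ($isTarget -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
                    Remove-ItemProperty -Path $key -Name $name
                }
            }
        }
    }

    # Steps 8 and 9: DriveType 2 = removable, 4 = network
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 4'
    foreach ($drive in $drives) {
        $root = $drive.DeviceID + '\'

        # Step 8: only delete an AUTORUN.INF that launches the worm's loader
        $inf = Join-Path $root 'autorun.inf'
        if ((Test-Path -LiteralPath $inf) -and
            ((Get-Content -LiteralPath $inf -Raw) -match 'drvinf-x034697\.core')) {
            if ($PSCmdlet.ShouldProcess($inf, 'Delete AUTORUN.INF')) {
                Remove-Item -LiteralPath $inf -Force
            }
        }

        # Step 9: DrvInf.{GUID} folders (usually hidden, hence -Force)
        $dirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^DrvInf\.\{[0-9A-Fa-f-]+\}$' }
        foreach ($dir in $dirs) {
            if ($PSCmdlet.ShouldProcess($dir.FullName, 'Delete folder')) {
                Remove-Item -LiteralPath $dir.FullName -Recurse -Force
            }
        }
    }
}

# Preview first; rerun without -WhatIf once the list looks right.
Remove-PalevoArtifacts -WhatIf
```

Network drives are enumerated only if they are mapped in the session running the script, so shares the worm reached through other paths still need to be checked from a host that mounts them.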

Step 10

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_PALEVO.RE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

