WORM_PALEVO.ARL

This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This worm may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\jusched.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Java developer Script Browse = %Windows%\jusched.exe

Other System Modifications

This worm modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = 4

(Note: The default value data of the said registry entry is 2.)

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%Program Files%\MSN Messenger\msnmsgr.exe = %Program Files%\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Me ssenger 7.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{Malware Path and File Name} = {Malware Path and File Name}:*:Enabled:1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Program Files%\MSN Messenger\msnmsgr.exe = %Program Files%\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0

Propagation

This worm sends copies of itself to target recipients using the following instant-messaging (IM) applications:

• Yahoo! Messenger
• MSN Messenger
• Skype

Backdoor Routine

This worm connects to any of the following IRC server(s):

• nuevo.{BLOCKED}ardigital.com
• server1.{BLOCKED}ootmusic.com

Adware Routine

This worm connects to the following URLs to download and display ads:

• http://browseusers.{BLOCKED}ce.com/Browse/Browse.aspx
• http://x.{BLOCKED}cecdn.com
• http://js.{BLOCKED}cecdn.com
• http://c3.ac-images.{BLOCKED}cecdn.com
• http://p.ic.{BLOCKED}t.com
• http://{BLOCKED}.{BLOCKED}.36.96/index.php

Other Details

Based on analysis of the codes, it has the following capabilities:

• This worm attempts to establish connection to the following remote host on port 80:
  • {BLOCKED}.{BLOCKED}.38.168
  • {BLOCKED}.{BLOCKED}.36.96
  • {BLOCKED}.{BLOCKED}.80.58
  • {BLOCKED}.{BLOCKED}.86.23
  • {BLOCKED}.{BLOCKED}.86.30
  • {BLOCKED}.{BLOCKED}.86.37
  • {BLOCKED}.{BLOCKED}.131.147
  • {BLOCKED}.{BLOCKED}.131.148
  • {BLOCKED}.{BLOCKED}.131.149
  • {BLOCKED}.{BLOCKED}.131.150
  • {BLOCKED}.{BLOCKED}.131.156
  • {BLOCKED}.{BLOCKED}.131.163
  • {BLOCKED}.{BLOCKED}.131.174
  • {BLOCKED}.{BLOCKED}.131.181
  • {BLOCKED}.{BLOCKED}.131.182
  • {BLOCKED}.{BLOCKED}.131.187
  • {BLOCKED}.{BLOCKED}.71.154
  • {BLOCKED}.{BLOCKED}.71.166
• It tries to open port 2345 in an attempt to join any of the following IRC server:
  • server1.{BLOCKED}ootmusic.com
  • nuevo.{BLOCKED}ardigital.com
• It uses the following credentials to join the IRC server:

  PASS xxx
  NICK NEW-[USA|00|P|83944] USER XP-5814 * 0 :{Computer Name}

• Once a successful connection is established, it sends the following message that contains a link pointing to a copy of itself:

  #gf! :.m.s|.m.e is this you on pic?