WORM_PALEVO

PALEVO malware are worms known to be part of the Mariposa botnet. These worms are known to arrive via three different means: peer-to-peer (P2P) sharing programs such as Kazaa and Limewire, instant messengers like MSN Messenger, and via removable drives.

PALEVO malware are basically downloaders but can perform several other malicious routines such as stealing login credentials and other online-banking-related information, as well as corporate and personal data. It can also initiate distributed denial of service (DDoS) attacks.

PALEVO malware also connect to specific sites to send and receive commands from C&C servers. Commands it can execute range from downloading files, scanning ports, and performing DDoS attacks against target addresses.

In addition, PALEVO malware also use different encryption techniques to hide their main executable files. They typically act as bot toolkits with modularized functions and are sold in the underground market.

Installation

This worm drops the following non-malicious files:

• %System Root%\RECYCLER\{SID}\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• {drive letter}\{random foldername}/{random file name}.exe
• %Application Data%\{random file name}.exe
• %System Root%\RECYCLER\{SID}\{random file name}.exe
• %User Profile%\{random file name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

• %System Root%\RECYCLER\{SID}
• {drive letter}\{random folder name}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = “%User Profile%\{random filename}.exe”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = “%Application Data%\{random filename}.exe "

Other Details

This worm connects to the following possibly malicious URL:

• {BLOCKED}.{BLOCKED}.155.190/omv/petrol80.exe
• {BLOCKED}.{BLOCKED}.190.237
• {BLOCKED}bam.info
• banana.{BLOCKED}nds.su
• {BLOCKED}rystorm.net
• jebena.{BLOCKED}olic.su
• juice.{BLOCKED}cala.org
• l33t.{BLOCKED}othes.net
• {BLOCKED}dcast.com
• murik.{BLOCKED}tection.net.ru
• {BLOCKED}ucks.com
• peer.{BLOCKED}losarske.ru
• pica.{BLOCKED}cke-ljepotice.ru
• portal.{BLOCKED}werbord.com
• sandra.{BLOCKED}nica.com
• shohtha3.{BLOCKED}a.com
• slade.{BLOCKED}enumber.com
• teske.{BLOCKED}rke.com
• {BLOCKED}ize.com
• world.{BLOCKED}udio.ru