WORM_PALEVO.EQAZ

This worm arrives via removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk. It connects to a website to send and receive information.

Arrival Details

This worm arrives via removable drives.

It may arrive via network shares.

Installation

This worm drops the following non-malicious files:

• %System Root%\RECYCLER\{SID}\Desktop.ini
• {Removable drive}:\vircure\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• %System Root%\RECYCLER\{SID}\MsMxEng.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\RECYCLER\{SID}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It injects itself into the following processes as part of its memory residency routine:

• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%System Root%\RECYCLER\{SID}\MsMxEng.exe"

Propagation

This worm creates the following folders in all removable drives:

• vircure

It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

• Ares Galaxy
• BearShare
• DC++
• eMule
• eMule Plus
• iMesh
• Shareaza
• Kazaa
• Limewire

It drops the following copy(ies) of itself in all removable drives:

• {Removable drive}:\vircure\vircure32.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage codes}
[autorun
;{garbage codes}
open=vircure/vircure32.exe
;{garbage codes}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{garbage codes}
action=Open folder to view files using Windows Explorer
;{garbage codes}
USEAUToplay=1
;{garbage codes}
shell\open\\command=vircure/vircure32.exe
;{garbage codes}
shell\\explore\command=vircure/vircure32.exe
;{garbage codes}

Backdoor Routine

This worm executes the following command(s) from a remote malicious user:

• Perform DoS attack
• Download and execute files from a remote site
• Propagate itself via shared folders and P2P networks
• Propagate itself via MSN Messenger
• Perform port scans
• Open a remote desktop connection
• Terminate itself

It connects to the following websites to send and receive information:

• {BLOCKED}petition.com
• {BLOCKED}eslounge.com
• {BLOCKED}lmind.cn

As of this writing, the said sites are inaccessible.

NOTES:

Information Theft

This worm gathers the following information on the affected computer:

• Mozilla Firefox account information
• Protected Storage credentials
• Internet Explorer AutoComplete passwords

Other Details

It may also arrive via MSN Messenger.

It does not continue with its malicious routine if it finds that its file name is C:\file.exe or if the logged user name is "CurrentUser"

The dropped AUTORUN.INF file is detected as TROJ_OTORUN.SMX.