WORM_PALEVO.TEL
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Propagates via social networking websites and instant messaging applications
This worm is capable of sending messages containing a link pointing to a copy of itself via Facebook, Yahoo! Messenger and Windows Live Messenger.
It tries to connect to a list of websites. If a successful connection is mad, it will join a certain channel to send and receive information from/to its IRC C&C server. However, the said sites are currently inaccessible.
This worm may be downloaded by other malware/grayware/spyware from remote sites.
It modifies registry entries to disable various system services. This action prevents most of the system functions to be used.
However, as of this writing, the said sites are inaccessible.
It deletes the file(s) associated with the process(es) it terminates. It does the said routine to completely disable programs and applications.
TECHNICAL DETAILS
77,312 bytes
PE
Yes
07 Mar 2011
Connects to URLs/Ips, Compromises system security, Deletes files, Terminates services and processes
Arrival Details
This worm may be downloaded by other malware/grayware/spyware from remote sites.
Installation
This worm drops the following copies of itself into the affected system:
- %Windows%\nvsvc32.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- Nvidia Drive Mon
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = %Windows%\nvsvc32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = %Windows%\nvsvc32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Terminal Server\
Install\Software\Microsoft\
Windows\CurrentVersion\Run
NVIDIA driver monitor = %Windows%\nvsvc32.exe
Other System Modifications
This worm modifies registry entries to disable the following system services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = 4
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\MsMpSvc
Start = 4
(Note: The default value data of the said registry entry is 2.)
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = %Windows%\nvsvc32.exe:Enabled:NVIDIA driver monitor
Backdoor Routine
However, as of this writing, the said sites are inaccessible.
Process Termination
This worm terminates the following services if found on the affected system:
- wuauserv
- MsMpSvc
It terminates the following processes if found running in the affected system's memory:
- msseces.exe
It deletes the file(s) associated with the process(es) it terminates. It does the said routine to completely disable programs and applications.
NOTES:
Installation
If it was not able to drop a copy of itself in the %Windows% directory, it will try to drop a copy of itself as the following:
- %Public%\nvsvc32.exe
- %Program Files%\nvsvc32.exe
Propagation Via Social Networking Sites and Instant Messenger Applications
This worm is capable of sending messages containing a link pointing to a copy of itself via Facebook, Yahoo! Messenger and Windows Live Messenger.
Backdoor Routines
It tries to connect to any of the following sites:
- {BLOCKED}oshistory.info
- ale.{BLOCKED}li.com
- {BLOCKED}o.ic.ac.uk
- ate.{BLOCKED}elera.net
- beta.{BLOCKED}n.ro
- {BLOCKED}users.myspace.com
- {BLOCKED}emccloskey.org
- epp.{BLOCKED}log.jp
- {BLOCKED}rlounge.de
- {BLOCKED}ads.com
- {BLOCKED}ger.x-y.net
- {BLOCKED}m.uh.edu
- {BLOCKED}highered.com
- jb.{BLOCKED}m.org
- {BLOCKED}lofaccountancy.com
- {BLOCKED}ls.lww.com
- love.{BLOCKED}1234.com
- mas.{BLOCKED}p.com
- mas.{BLOCKED}ntada.com
- mas.{BLOCKED}um.info
- mas.{BLOCKED}k.com
- mas.{BLOCKED}bakugan.net
- mas.{BLOCKED}e.com
- mas.{BLOCKED}a.cl
- mas.{BLOCKED}e.ac.at
- mcsp.{BLOCKED}ne.com
- {BLOCKED}astpost.org
- mix.{BLOCKED}rotske.in.rs
- mix.{BLOCKED}uristclub.com
- mmm.{BLOCKED}atrust.org
- old.{BLOCKED}yt2tugas.com
- old.{BLOCKED}u.com
- ols.{BLOCKED}ofadown.com
- ope.{BLOCKED}dathletics.com
- opl.{BLOCKED}n.irf.se
- pra.{BLOCKED}s.org
- pru.{BLOCKED}nes.org
- qun.{BLOCKED}1.com
- r{BLOCKED}-action.org.uk
- {BLOCKED}service.com
- {BLOCKED}idyscrubs.com
- {BLOCKED}yle.com
- {BLOCKED}mpton.ac.uk
- {BLOCKED}time.info
- {BLOCKED}-uni-sw.eesp.ch
- {BLOCKED}ationale.org
- {BLOCKED}visor.com
- uks.{BLOCKED}in.com
- {BLOCKED}ed.com
- {BLOCKED}ek.com
- {BLOCKED}etrafficspy.com
- {BLOCKED}supdate.jebac.net
- www.{BLOCKED}e.com
- www.{BLOCKED}an.com
- x.{BLOCKED}ecdn.com
- xxx.{BLOCKED}m.de
- xxx.{BLOCKED}atka.pl
It also opens the page http://{BLOCKED}users.myspace.com/Browse/Browse.aspx.
SOLUTION
8.900
under testing
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Identify and terminate files detected as WORM_PALEVO.TEL
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- NVIDIA driver monitor = %Windows%\nvsvc32.exe
- NVIDIA driver monitor = %Windows%\nvsvc32.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- NVIDIA driver monitor = %Windows%\nvsvc32.exe
- NVIDIA driver monitor = %Windows%\nvsvc32.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
- NVIDIA driver monitor = %Windows%\nvsvc32.exe
- NVIDIA driver monitor = %Windows%\nvsvc32.exe
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- {malware path and file name} = %Windows%\nvsvc32.exe:Enabled:NVIDIA driver monitor
- {malware path and file name} = %Windows%\nvsvc32.exe:Enabled:NVIDIA driver monitor
Step 4
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
- From: Start = 4
To: Start = 2
- From: Start = 4
- InHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsMpSvc
- From: Start = 4
To: Start = 2
- From: Start = 4
Step 5
Scan your computer with your Trend Micro product to delete files detected as WORM_PALEVO.TEL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
- msseces.exe
Did this description help? Tell us how we did.