WORM_PALEVO.DK

It drops copies of itself into folders used for certain peer-to-peer applications.

This worm arrives by connecting affected removable drives to a system. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system. It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It gathers certain information on the affected computer.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following non-malicious files:

• %System Root%\RECYCLER\s-1-5-21-{random number}\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• %System Root%\RECYCLER\s-1-5-21-{random number}\msmxeng.exe.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\RECYCLER
• %System Root%\RECYCLER\s-1-5-21-{random number}
• {removable drive}:\var

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It injects threads into the following normal process(es):

• EXPLORER.EXE

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = %System Root%\RECYCLER\s-1-5-21-{random number}\msmxeng.exe.exe

Propagation

This worm creates the following folders in all removable drives:

• var

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun
;{garbage}
open=var/var32.exe
;{garbage}
icon=SHELL32.dll,4
;{garbage}
acTIon=Open folderáto view files usingáWindowsáExplorer
;{garbage}
shElL\oPEn\commaNd=var\\\\\\var32.exe
;{garbage}
SheLl\\\\exPLore\\\\\comMand=var/////////var32.exe
;{garbage}
useautoplay=1
;{garbage}

Backdoor Routine

This worm opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It executes the following commands from a remote malicious user:

• Perform DDoS attacks
• Download and execute files from a remote server
• Spread via shared folders and P2P networks
• Spread via MSN network
• Perform port scans

It connects to the following websites to send and receive information:

• {BLOCKED}lmind.cn
• {BLOCKED}racypetition.com
• {BLOCKED}eslounge.com

Information Theft

This worm gathers the following information on the affected computer:

• Mozilla Firefox account information
• Protected Storage credentials

Other Details

This worm does the following:

• It drops copies of itself into folders used for the following peer-to-peer applications:
  
  • Ares Galaxy
  • BearShare
  • DC++
  • eMule
  • eMule Plus
  • iMesh
  • Shareaza
  • Kazaa
  • Limewire