WORM_PROLACO.SMF

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\wmimngr.exe
• %System%\wmimngr.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER
Java micro kernel = %System%\\wpmgr.exe

HKEY_CURRENT_USER
Windows Management = %System%\\wmimngr.exe

HKEY_CURRENT_USER
Java micro kernel = %System%\\wpmgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{IY5PT2EV-C68O-F6ER-1U30-C8N4T42W4OAP}
StubPath = %System%\wpmgr.exe

Other System Modifications

This worm modifies the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
WindowsNT\CurrentVersion\SystemRestore
DisableSR = 1

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion
(Default) = {random characters}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
drv5 = {month of execution}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
drv6 = {day of execution}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UACDisableNotify = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%wmimngr.exe = %System%wmimngr.exe:*:Enabled:Explorer

Propagation

This worm creates the following folders in all removable drives:

• {drive letter}:\RECYCLER
• {drive letter}:\RECYCLER\{SID}

It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

• %Program Files%\bearshare\shared
• %Program Files%\edonkey2000\incoming
• %Program Files%\emule\incoming\
• %Program Files%\grokster\my grokster
• %Program Files%\grokster\my grokster\
• %Program Files%\icq\shared folder\
• %Program Files%\kazaa lite k++\my shared folder
• %Program Files%\kazaa lite\my shared folder
• %Program Files%\kazaa\my shared folder
• %Program Files%\limewire\shared\
• %Program Files%\morpheus\my shared folder\
• %Program Files%\tesla\files\
• %Program Files%\winmx\shared\
• %System Root%\Downloads\
• %User Profile%\My Documents\Frostwire\shared

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It drops the following copy(ies) of itself in all removable drives:

• {drive letter}:\RECYCLER\{SID}\redmond.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=RECYCLER\{SID}\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\{SID}\redmond.exe
shell\open\default=1

Process Termination

This worm terminates the following services if found on the affected system:

• AntiVirScheduler
• antivirservice
• APVXDWIN
• Arrakis3
• aswupdsv
• avast
• avast! Antivirus
• avast! Mail Scanner
• avast! Web Scanner
• AVG8_TRA
• avg8emc
• avg8wd
• AVP
• BDAgent
• bdss
• CaCCProvSP
• CAVRID
• ccproxy
• ccpwdsv
• ccsetmg
• cctray
• DrWebSch
• eduler
• egui
• Ehttpsrvekrn
• Emproxy
• ERSvc
• F-PROT Antivirus Tray application
• FPAVServ
• GWMSRV
• ISTray
• K7EmlPxy
• K7RTScan
• K7SystemTray
• K7TSMngr
• K7TSStar
• LIVESRV
• liveupdate
• LiveUpdate Notice Service
• McAfee HackerWatch Service
• McENUI
• mcmisupdmgr
• mcmscsvc
• MCNASVC
• mcODS
• mcpromgr
• mcproxy
• mcredirector
• mcshield
• mcsysmon
• MPFSERVICE
• MPS9
• msk80service
• MskAgentexe
• navapsvc
• npfmntor
• nscservice
• OfficeScanNT Monitor SpamBlocker
• PANDA SOFTWARE CONTROLLER
• PAVFNSVR
• PAVPRSRV
• PAVSVR
• PSHOST
• PSIMSVC
• PSKSVCRE
• RavTask
• RSCCenter
• RSRavMon
• Savadmin
• SAVScan
• Savservice
• sbamsvc
• SBAMTra
• sbamui
• scan
• SCANINICIO
• sdauxservice
• sdcodeservice
• Service
• service
• sndsrvc
• Sophos Autoupdate Service
• Spam Blocker for Outlook Express
• spbbcsvc
• SpIDerMail
• Symantec Core LCccEvtMgr
• TAIL
• ThreatFire
• TPSRV
• VSSERV
• WerSvc
• WinDefend
• Windows Defender
• wscsvc
• XCOMM

It terminates the following processes if found running in the affected system's memory:

• AlMon.exe
• ALSvc.exe
• APvxdwin.ex
• ashdisp.exe
• ashserv.exe
• avcenter.exe
• avciman.exe
• AVENGINE.exe
• avgcsrvx.exe
• avgemc.exe
• avgnt.exe
• avgrsx.exe
• avgtray.exe
• avguard.exe
• avgui.exe
• avgwdsvc.exe
• avp.exe
• bdagent.exe
• bdss.exe
• CCenter.exe
• drweb32w.exe
• drwebupw.exe
• egui.exe
• ekrn.exe
• emproxy.exe
• FPAVServer.exe
• FprotTray.exe
• FPWin.exe
• guardgui.exe
• HWAPI.exe
• iface.exe
• isafe.exe
• K7EmlPxy.exe
• K7RTScan.exe
• K7SysTry.exe
• K7TSecurity.exe
• K7TSMngr.exe
• livesrv.exe
• mcagent.exe
• mcmscsvc.exe
• McNASvc.exe
• mcods.exe
• mcpromgr.exe
• McProxy.exe
• Mcshield.exe
• mcsysmon.exe
• mcvsshld.exe
• MpfSrv.exe
• mps.exe
• mskagent.exe
• msksrver.exe
• NTRtScan.exe
• Pavbckpt.exe
• PavFnSvr.exe
• PavPrSrv.exe
• PAVSRV51.exe
• pccnt.exe
• PSCtrlS.exe
• PShost.exe
• PsIMSVC.exe
• psksvc.exe
• Rav.exe
• RavMon.exe
• RavmonD.exe
• RavStub.exe
• RavTask.exe
• RedirSvc.exe
• SavAdminService.exe
• SavMain.exe
• SavService.exe
• sbamtray.exe
• sbamui.exe
• seccenter.exe
• spidergui.exe
• SrvLoad.exe
• TmListen.exe
• TPSRV.exe
• vetmsg.exe
• vsserv.exe
• Webproxy.exe
• xcommsvr.exe

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• AlMon.exe
• ALSvc.exe
• APvxdwin.ex
• ashdisp.exe
• ashserv.exe
• avcenter.exe
• avciman.exe
• AVENGINE.exe
• avgcsrvx.exe
• avgemc.exe
• avgnt.exe
• avgrsx.exe
• avgtray.exe
• avguard.exe
• avgui.exe
• avgwdsvc.exe
• avp.exe
• bdagent.exe
• bdss.exe
• CCenter.exe
• drweb32w.exe
• drwebupw.exe
• egui.exe
• ekrn.exe
• emproxy.exe
• FPAVServer.exe
• FprotTray.exe
• FPWin.exe
• guardgui.exe
• HWAPI.exe
• iface.exe
• isafe.exe
• K7EmlPxy.exe
• K7RTScan.exe
• K7SysTry.exe
• K7TSecurity.exe
• K7TSMngr.exe
• livesrv.exe
• mcagent.exe
• mcmscsvc.exe
• McNASvc.exe
• mcods.exe
• mcpromgr.exe
• McProxy.exe
• Mcshield.exe
• mcsysmon.exe
• mcvsshld.exe
• MpfSrv.exe
• mps.exe
• mskagent.exe
• msksrver.exe
• NTRtScan.exe
• Pavbckpt.exe
• PavFnSvr.exe
• PavPrSrv.exe
• PAVSRV51.exe
• pccnt.exe
• PSCtrlS.exe
• PShost.exe
• PsIMSVC.exe
• psksvc.exe
• Rav.exe
• RavMon.exe
• RavmonD.exe
• RavStub.exe
• RavTask.exe
• RedirSvc.exe
• SavAdminService.exe
• SavMain.exe
• SavService.exe
• sbamtray.exe
• sbamui.exe
• seccenter.exe
• spidergui.exe
• SrvLoad.exe
• TmListen.exe
• TPSRV.exe
• vetmsg.exe
• vsserv.exe
• Webproxy.exe
• xcommsvr.exe

It terminates the following malware-related processes:

• AntiVirScheduler
• antivirservice
• APVXDWIN
• Arrakis3
• aswupdsv
• avast avast!
• Antivirus avast!
• Mail Scanner avast!
• Web Scanner
• AVG8_TRA
• avg8emc
• avg8wd
• AVP
• BDAgent
• bdss
• CaCCProvSP
• CAVRID
• ccproxy
• ccpwdsv
• ccsetmg
• cctray
• DrWebSch
• eduler
• egui
• Ehttpsrvekrn
• Emproxy ERSvc
• F-PROT Antivirus Tray application
• FPAVServ
• GWMSRV
• ISTray
• K7EmlPxy
• K7RTScan
• K7SystemTray
• K7TSMngr
• K7TSStar
• LIVESRV
• liveupdate
• LiveUpdate Notice Service
• McAfee HackerWatch Service
• McENUI
• mcmisupdmgr
• mcmscsvc
• MCNASVC
• mcODS
• mcpromgr
• mcproxy mcredirector
• mcshield
• mcsysmon
• MPFSERVICE
• MPS9
• msk80service
• MskAgentexe
• navapsvc
• npfmntor
• nscservice
• OfficeScanNT Monitor
• SpamBlocker
• PANDA SOFTWARE
• CONTROLLER
• PAVFNSVR
• PAVPRSRV
• PAVSVR
• PSHOST
• PSIMSVC
• PSKSVCRE RavTask
• RSCCenter
• RSRavMon
• Savadmin
• SAVScan
• Savservice
• sbamsvc
• SBAMTra sbamui scan
• SCANINICIO
• sdauxservice
• sdcodeservice Service
• service sndsrvc
• Sophos Autoupdate Service Spam Blocker for Outlook Express
• spbbcsvc SpIDerMail
• Symantec Core LCccEvtMgr
• TAIL ThreatFire
• TPSRV VSSERV
• WerSvc
• WinDefend Windows Defender
• wscsvc
• XCOMM

Dropping Routine

This worm drops the following file(s), which it uses for its keylogging routine:

• %Windows%\oracle.ocx

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It sets the attributes of its dropped file(s) to the following:

• Hidden
• Read-Only
• System

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

• http://{BLOCKED}yip.com/automation/n09230945.asp