WORM_PROLACO.SMF

 Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives, Propagates via email, Propagates via peer-to-peer networks


This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

08 Jul 2010

Payload:

Connects to URLs/Ips, Terminates processes

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\wmimngr.exe
  • %System%\wmimngr.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER
Java micro kernel = %System%\\wpmgr.exe

HKEY_CURRENT_USER
Windows Management = %System%\\wmimngr.exe

HKEY_CURRENT_USER
Java micro kernel = %System%\\wpmgr.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{IY5PT2EV-C68O-F6ER-1U30-C8N4T42W4OAP}
StubPath = %System%\wpmgr.exe

Other System Modifications

This worm modifies the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
WindowsNT\CurrentVersion\SystemRestore
DisableSR = 1

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion
(Default) = {random characters}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
drv5 = {month of execution}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
drv6 = {day of execution}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UACDisableNotify = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%wmimngr.exe = %System%wmimngr.exe:*:Enabled:Explorer

Propagation

This worm creates the following folders in all removable drives:

  • {drive letter}:\RECYCLER
  • {drive letter}:\RECYCLER\{SID}

It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

  • %Program Files%\bearshare\shared
  • %Program Files%\edonkey2000\incoming
  • %Program Files%\emule\incoming\
  • %Program Files%\grokster\my grokster
  • %Program Files%\grokster\my grokster\
  • %Program Files%\icq\shared folder\
  • %Program Files%\kazaa lite k++\my shared folder
  • %Program Files%\kazaa lite\my shared folder
  • %Program Files%\kazaa\my shared folder
  • %Program Files%\limewire\shared\
  • %Program Files%\morpheus\my shared folder\
  • %Program Files%\tesla\files\
  • %Program Files%\winmx\shared\
  • %System Root%\Downloads\
  • %User Profile%\My Documents\Frostwire\shared

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\RECYCLER\{SID}\redmond.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=RECYCLER\{SID}\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\{SID}\redmond.exe
shell\open\default=1

Process Termination

This worm terminates the following services if found on the affected system:

  • AntiVirScheduler
  • antivirservice
  • APVXDWIN
  • Arrakis3
  • aswupdsv
  • avast
  • avast! Antivirus
  • avast! Mail Scanner
  • avast! Web Scanner
  • AVG8_TRA
  • avg8emc
  • avg8wd
  • AVP
  • BDAgent
  • bdss
  • CaCCProvSP
  • CAVRID
  • ccproxy
  • ccpwdsv
  • ccsetmg
  • cctray
  • DrWebSch
  • eduler
  • egui
  • Ehttpsrvekrn
  • Emproxy
  • ERSvc
  • F-PROT Antivirus Tray application
  • FPAVServ
  • GWMSRV
  • ISTray
  • K7EmlPxy
  • K7RTScan
  • K7SystemTray
  • K7TSMngr
  • K7TSStar
  • LIVESRV
  • liveupdate
  • LiveUpdate Notice Service
  • McAfee HackerWatch Service
  • McENUI
  • mcmisupdmgr
  • mcmscsvc
  • MCNASVC
  • mcODS
  • mcpromgr
  • mcproxy
  • mcredirector
  • mcshield
  • mcsysmon
  • MPFSERVICE
  • MPS9
  • msk80service
  • MskAgentexe
  • navapsvc
  • npfmntor
  • nscservice
  • OfficeScanNT Monitor SpamBlocker
  • PANDA SOFTWARE CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRE
  • RavTask
  • RSCCenter
  • RSRavMon
  • Savadmin
  • SAVScan
  • Savservice
  • sbamsvc
  • SBAMTra
  • sbamui
  • scan
  • SCANINICIO
  • sdauxservice
  • sdcodeservice
  • Service
  • service
  • sndsrvc
  • Sophos Autoupdate Service
  • Spam Blocker for Outlook Express
  • spbbcsvc
  • SpIDerMail
  • Symantec Core LCccEvtMgr
  • TAIL
  • ThreatFire
  • TPSRV
  • VSSERV
  • WerSvc
  • WinDefend
  • Windows Defender
  • wscsvc
  • XCOMM

It terminates the following processes if found running in the affected system's memory:

  • AlMon.exe
  • ALSvc.exe
  • APvxdwin.ex
  • ashdisp.exe
  • ashserv.exe
  • avcenter.exe
  • avciman.exe
  • AVENGINE.exe
  • avgcsrvx.exe
  • avgemc.exe
  • avgnt.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • bdagent.exe
  • bdss.exe
  • CCenter.exe
  • drweb32w.exe
  • drwebupw.exe
  • egui.exe
  • ekrn.exe
  • emproxy.exe
  • FPAVServer.exe
  • FprotTray.exe
  • FPWin.exe
  • guardgui.exe
  • HWAPI.exe
  • iface.exe
  • isafe.exe
  • K7EmlPxy.exe
  • K7RTScan.exe
  • K7SysTry.exe
  • K7TSecurity.exe
  • K7TSMngr.exe
  • livesrv.exe
  • mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • mcods.exe
  • mcpromgr.exe
  • McProxy.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • mps.exe
  • mskagent.exe
  • msksrver.exe
  • NTRtScan.exe
  • Pavbckpt.exe
  • PavFnSvr.exe
  • PavPrSrv.exe
  • PAVSRV51.exe
  • pccnt.exe
  • PSCtrlS.exe
  • PShost.exe
  • PsIMSVC.exe
  • psksvc.exe
  • Rav.exe
  • RavMon.exe
  • RavmonD.exe
  • RavStub.exe
  • RavTask.exe
  • RedirSvc.exe
  • SavAdminService.exe
  • SavMain.exe
  • SavService.exe
  • sbamtray.exe
  • sbamui.exe
  • seccenter.exe
  • spidergui.exe
  • SrvLoad.exe
  • TmListen.exe
  • TPSRV.exe
  • vetmsg.exe
  • vsserv.exe
  • Webproxy.exe
  • xcommsvr.exe

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • AlMon.exe
  • ALSvc.exe
  • APvxdwin.ex
  • ashdisp.exe
  • ashserv.exe
  • avcenter.exe
  • avciman.exe
  • AVENGINE.exe
  • avgcsrvx.exe
  • avgemc.exe
  • avgnt.exe
  • avgrsx.exe
  • avgtray.exe
  • avguard.exe
  • avgui.exe
  • avgwdsvc.exe
  • avp.exe
  • bdagent.exe
  • bdss.exe
  • CCenter.exe
  • drweb32w.exe
  • drwebupw.exe
  • egui.exe
  • ekrn.exe
  • emproxy.exe
  • FPAVServer.exe
  • FprotTray.exe
  • FPWin.exe
  • guardgui.exe
  • HWAPI.exe
  • iface.exe
  • isafe.exe
  • K7EmlPxy.exe
  • K7RTScan.exe
  • K7SysTry.exe
  • K7TSecurity.exe
  • K7TSMngr.exe
  • livesrv.exe
  • mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • mcods.exe
  • mcpromgr.exe
  • McProxy.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • mps.exe
  • mskagent.exe
  • msksrver.exe
  • NTRtScan.exe
  • Pavbckpt.exe
  • PavFnSvr.exe
  • PavPrSrv.exe
  • PAVSRV51.exe
  • pccnt.exe
  • PSCtrlS.exe
  • PShost.exe
  • PsIMSVC.exe
  • psksvc.exe
  • Rav.exe
  • RavMon.exe
  • RavmonD.exe
  • RavStub.exe
  • RavTask.exe
  • RedirSvc.exe
  • SavAdminService.exe
  • SavMain.exe
  • SavService.exe
  • sbamtray.exe
  • sbamui.exe
  • seccenter.exe
  • spidergui.exe
  • SrvLoad.exe
  • TmListen.exe
  • TPSRV.exe
  • vetmsg.exe
  • vsserv.exe
  • Webproxy.exe
  • xcommsvr.exe

It terminates the following malware-related processes:

  • AntiVirScheduler
  • antivirservice
  • APVXDWIN
  • Arrakis3
  • aswupdsv
  • avast avast!
  • Antivirus avast!
  • Mail Scanner avast!
  • Web Scanner
  • AVG8_TRA
  • avg8emc
  • avg8wd
  • AVP
  • BDAgent
  • bdss
  • CaCCProvSP
  • CAVRID
  • ccproxy
  • ccpwdsv
  • ccsetmg
  • cctray
  • DrWebSch
  • eduler
  • egui
  • Ehttpsrvekrn
  • Emproxy ERSvc
  • F-PROT Antivirus Tray application
  • FPAVServ
  • GWMSRV
  • ISTray
  • K7EmlPxy
  • K7RTScan
  • K7SystemTray
  • K7TSMngr
  • K7TSStar
  • LIVESRV
  • liveupdate
  • LiveUpdate Notice Service
  • McAfee HackerWatch Service
  • McENUI
  • mcmisupdmgr
  • mcmscsvc
  • MCNASVC
  • mcODS
  • mcpromgr
  • mcproxy mcredirector
  • mcshield
  • mcsysmon
  • MPFSERVICE
  • MPS9
  • msk80service
  • MskAgentexe
  • navapsvc
  • npfmntor
  • nscservice
  • OfficeScanNT Monitor
  • SpamBlocker
  • PANDA SOFTWARE
  • CONTROLLER
  • PAVFNSVR
  • PAVPRSRV
  • PAVSVR
  • PSHOST
  • PSIMSVC
  • PSKSVCRE RavTask
  • RSCCenter
  • RSRavMon
  • Savadmin
  • SAVScan
  • Savservice
  • sbamsvc
  • SBAMTra sbamui scan
  • SCANINICIO
  • sdauxservice
  • sdcodeservice Service
  • service sndsrvc
  • Sophos Autoupdate Service Spam Blocker for Outlook Express
  • spbbcsvc SpIDerMail
  • Symantec Core LCccEvtMgr
  • TAIL ThreatFire
  • TPSRV VSSERV
  • WerSvc
  • WinDefend Windows Defender
  • wscsvc
  • XCOMM

Dropping Routine

This worm drops the following file(s), which it uses for its keylogging routine:

  • %Windows%\oracle.ocx

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It sets the attributes of its dropped file(s) to the following:

  • Hidden
  • Read-Only
  • System

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • http://{BLOCKED}yip.com/automation/n09230945.asp

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI OPR PATTERN File:

7.294.00

VSAPI OPR PATTERN Date:

08 Jul 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • Java micro kernel = %System%\wpmgr.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Windows Management = %System%\wmimngr.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Java micro kernel = %System%\wpmgr.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{IY5PT2EV-C68O-F6ER-1U30-C8N4T42W4OAP}
    • StubPath = %System%\wpmgr.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
    • (Default) = {random characters}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableLUA = 0
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • drv5 = {month of execution}
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • drv6 = {day of execution}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • UACDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %System%wmimngr.exe = %System%wmimngr.exe:*:Enabled:Explorer

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
    • {IY5PT2EV-C68O-F6ER-1U30-C8N4T42W4OAP}

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\SystemRestore
    • DisableSR = 1
      • DisableSR = 0

Step 6

Search and delete AUTORUN.INF files created by WORM_PROLACO.SMF that contain these strings

[ Learn More ]
[autorun]
open=RECYCLER\{SID}\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\{SID}\redmond.exe
shell\open\default=1

Step 7

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result. [drive]:\RECYCLER\{SID}

Step 8

Search and delete these files

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result. %Windows%\oracle.ocx

Step 9

Scan your computer with your Trend Micro product to delete files detected as WORM_PROLACO.SMF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 10

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again. (applicable to deleted registry entries)
AVG8_TRAY
AVP
BDAgent
CAVRID
DrWebScheduler
K7SystemTray
K7TSStart
OfficeScanNT Monitor
SBAMTray
SpIDerMail
Spam Blocker for Outlook Express
SpamBlocker
avast!
cctray
egui
sbamui


Did this description help? Tell us how we did.