PALEVO
Aliases: Rimecud, Pilleuz, Palevo
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
PALEVO malware are worms known to be part of the Mariposa botnet. These worms are known to arrive via three different means: peer-to-peer (P2P) sharing programs such as Kazaa and Limewire, instant messengers like MSN Messenger, and via removable drives.
PALEVO malware are basically downloaders but can perform several other malicious routines, such as stealing login credentials and other online-banking-related information, as well as corporate and personal data. They can also initiate distributed denial of service (DDoS) attacks.
PALEVO malware also connect to specific sites to send and receive commands from C&C servers. Commands they can execute include downloading files, scanning ports, and performing DDoS attacks against target addresses.
In addition, PALEVO malware also use different encryption techniques to hide their main executable files. They typically act as bot toolkits with modularized functions and are sold in the underground market.
TECHNICAL DETAILS
Installation
This worm drops the following non-malicious files:
- %System Root%\RECYCLER\{SID}\Desktop.ini
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It drops the following copies of itself into the affected system:
- {drive letter}\{random folder name}\{random file name}.exe
- %Application Data%\{random file name}.exe
- %System Root%\RECYCLER\{SID}\{random file name}.exe
- %User Profile%\{random file name}.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %System Root%\RECYCLER\{SID}
- {drive letter}\{random folder name}
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%User Profile%\{random filename}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%Application Data%\{random filename}.exe"
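A defender-side check for the autostart technique above, added here as an example and not part of the original entry: it parses a .reg export of the Winlogon key and flags a Taskman value that points into one of the drop locations listed in this entry. The sample export, the user name "alice", the file name qxkfrm.exe and the SID format are constructed for the example.

```python
import re

# Constructed sample .reg export (not from the page). A clean Winlogon key normally
# carries no Taskman value at all, so its presence alone is worth a look.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Taskman"="C:\\Documents and Settings\\alice\\Application Data\\qxkfrm.exe"
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Drop locations listed in the entry; a Taskman value pointing into any of them is suspicious.
SUSPICIOUS_DIRS = (
    re.compile(r"\\RECYCLER\\S-1-\d+(?:-\d+)+\\", re.I),                  # %System Root%\RECYCLER\{SID}\
    re.compile(r"\\Application Data\\[^\\]+\.exe$", re.I),                # %Application Data%\{random}.exe
    re.compile(r"\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$", re.I),  # %User Profile%\{random}.exe
)


def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; only REG_SZ ("...") values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape each backslash as two; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def is_suspicious_path(path):
    return any(p.search(path) for p in SUSPICIOUS_DIRS)


def find_taskman_hijack(text):
    """Return the Winlogon Taskman path if it points into a PALEVO drop location, else None."""
    taskman = parse_reg(text).get(WINLOGON_KEY, {}).get("Taskman")
    if taskman and is_suspicious_path(taskman.strip('"')):
        return taskman
    return None


if __name__ == "__main__":
    print(find_taskman_hijack(SAMPLE_REG))  # constructed sample: flags the Application Data path
```

On a live host the same input can be produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and the exported file passed to find_taskman_hijack.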
Other Details
This worm connects to the following possibly malicious URLs: