WORM_PALEVO.SMIT

This worm arrives via removable drives. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system. It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk. It connects to a website to send and receive information.

It gathers certain information on the affected computer.

Arrival Details

This worm arrives via removable drives.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following non-malicious files:

• %System Root%\RECYCLER\{random SID}\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• System Root%\RECYCLER\{random SID}\rundll32.exe

It creates the following folders:

• System Root%\RECYCLER\{random SID}

It injects itself into the following processes as part of its memory residency routine:

• EXPLORER.EXE

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = %System Root%\RECYCLER\{random SID}\rundll32.exe

Propagation

This worm creates the following folders in all removable drives:

• system32

It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

• Ares Galaxy
• BearShare
• DC++
• eMule
• eMule Plus

It drops copies of itself into all the removable drives connected to an affected system.

It drops the following copy(ies) of itself in all removable drives:

• system32/rundll.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun
;{garbage characters}
open=system32/rundll.exe
;{garbage characters}
:nop
;{garbage characters}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{garbage characters}
action=Open folder to view files using Windows Explorer
;{garbage characters}
shell\open\command=system32/rundll.exe
;{garbage characters}
shell\explore\command=system32/rundll.exe
;{garbage characters}
useautoplay=1
;{garbage characters}
[AutoRun]
:END

Backdoor Routine

This worm opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It executes the following command(s) from a remote malicious user:

• Perform DDoS attacks
• Download and execute files from a remote server
• Spread via shared folders and P2P networks
• Spread via MSN network
• Perform port scanning

It connects to the following websites to send and receive information:

• {BLOCKED}ws.org
• {BLOCKED}lness.co
• ns3.{BLOCKED}in.org

Information Theft

This worm gathers the following information on the affected computer:

• System information
• Mozilla Firefox account information
• Protected Storage credentials