WORM_PROLACO.AT

This worm arrives as attachment to mass-mailed email messages. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

Arrival Details

This worm arrives as attachment to mass-mailed email messages.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\HPWuSchedv.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm drops the following files:

• %System%\hp-513.exe - detected as TROJ_HILOTI.CI

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\\HPWuSchedv.exe = %System%\HPWuSchedv.exe:*:Enabled:Explorer

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\ERSvc
Start = 4

(Note: The default value data of the said registry entry is 2.)

Propagation

This worm avoids sending email messages to addresses containing the following strings:

• berkeley
• mit.e
• ibm.com
• debian
• kernel
• linux
• usenet
• rfc-ed
• sendmail
• arin.
• sun.com
• isi.e
• isc.o
• secur
• acketst
• apache
• tanford.e
• utgers.ed
• mozilla
• firefox
• redhat
• sourceforge
• slashdot
• samba
• cisco
• syman
• panda
• avira
• f-secure
• sopho
• www.ca.com
• ahnlab
• novirusthanks
• prevx
• drweb
• bitdefender
• clamav
• eset.com
• ikarus
• mcafee
• kaspersky
• virusbuster
• badware
• immunityinc.com
• avg.comsysinternals
• borlan
• inpris
• lavasoft
• jgsoft
• ghisler.com
• wireshark
• winpcap
• acdnet.com
• acdsystems.com
• acd-group
• bpsoft.com
• buyrar.com
• bluewin.ch
• quebecor.com
• alcatel-lucent.com
• ssh.com
• winamp
• nullsoft.org
• example
• mydomai
• nodomai
• ruslis
• virus
• messagelabs
• honeynet
• honeypot
• security
• idefense
• qualys
• samples
• postmaster
• webmaster
• noone
• nobody
• nothing
• anyone
• someone
• rating
• contact
• somebody
• privacy
• service
• submit
• sales
• gold-certs
• the.bat
• admin
• icrosoft
• support
• ntivi
• linux
• listserv
• websense
• certific
• security
• secur
• abuse

Rootkit Capabilities

This worm also has rootkit capabilities, which enables it to hide its processes and files from the user.

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• Almon.exe
• ALSvc.exe
• APvxdwin.exe
• ashdisp.exe
• ashserv.exe
• avcenter.exe
• avciman.exe
• AVENGINE.exe
• avgcsrvx.exe
• avgemc.exe
• avgnt.exe
• avgrsx.exe
• avgtray.exe
• avguard.exe
• avgui.exe
• avgwdsvc.exe
• avp.exe
• bdagent.exe
• bdss.exe
• CCenter.exe
• drweb32w.exe
• drwebupw.exe
• egui.exe
• ekrn.exe
• emproxy.exe
• FPAVServer.exe
• FprotTray.exe
• FPWin.exe
• guardgui.exe
• HWAPI.exe
• iface.exe
• isafe.exe
• K7EmlPxy.exe
• K7RTScan.exe
• K7SysTry.exe
• K7TSecurity.exe
• K7TSMngr.exe
• livesrv.exe
• mcagent.exe
• mcmscsvc.exe
• McNASvc.exe
• mcods.exe
• mcpromgr.exe
• McProxy.exe
• Mcshield.exe
• mcsysmon.exe
• mcvsshld.exe
• MpfSrv.exe
• mps.exe
• mskagent.exe
• msksrver.exe
• NTRtScan.exe
• Pavbckpt.exe
• PavFnSvr.exe
• PavPrSrv.exe
• PAVSRV51.exe
• pccnt.exe
• PSCtrlS.exe
• PShost.exe
• PsIMSVC.exe
• psksvc.exe
• Rav.exe
• RavMon.exe
• RavmonD.exe
• RavStub.exe
• RavTask.exe
• RedirSvc.exe
• SavAdminService.exe
• SavMain.exe
• SavService.exe
• sbamtray.exe
• sbamui.exe
• seccenter.exe
• spidergui.exe
• SrvLoad.exe
• TmListen.exe
• TPSRV.exe
• vetmsg.exe
• vsserv.exe
• Webproxy.exe
• xcommsvr.exe

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

• www.whatismyip.com/automation/n09230945.asp

It does the following:

• This worm uses its own Simple Mail Transfer Protocol (SMTP) engine to send email messages with a copy of itself as attachment. It attempts to determine the SMTP Simple Mail Transfer Protocol (SMTP) server of the affected system by using the gathered domain name and the prefixes (mx,mail, smtp) It harvests email addresses from files with the following extensions:.txt, .htm, .xml,.php,.asp,.dbx,.log,.nfo,.lst, .rtf,.xml,.wpd,.wps,.xls,.doc, and.wab The email messages it sends out bear the following details: mx1 mxs mail1 relay ns gate It checks the location of the Windows Address Book by querying the following registry key: HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name