Threat Encyclopedia

WORM_PROLACO.AA

Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Medium

Distribution potential: High

Description: 

This worm creates folders. It drops copies of itself. It drops files/components. It adds key(s) as part of its installation routine.

It creates registry entries to enable its automatic execution at every system startup.

It creates registry key(s)/entry(ies). It modifies registry key(s)/entry(ies) as part of its installation routine.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

It terminates certain processes, if found running in memory.

It drops component files.

Read more about this threat incident in the Malware Blog entries and hi5 Spam Invites Users to Download a Worm.

For additional information about this threat, see:

Description created: Feb. 11, 2010 9:09:23 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 419,328 Bytes

Initial samples received on: Feb 11, 2010

Related to: WORM_SPYBOT.MCS

Payload 1: Terminates processes

Payload 2: Drops files

Details:

Installation

This worm creates the following folder:

  • %User Profile%\Application Data\SystemProc

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003. )

It drops the following copy of itself:

  • %System%\GoogleUpte.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. )

It drops the following files/components:

  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. )

It adds the following keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\Google5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Google5

Autostart Techniques

This worm creates the following registry entry to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Run
Google Update5 = "%System%\GoogleUpte.exe"

Other System Modifications

This worm creates the following registry keys/entries:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer
google10 = "{number}"

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer
google11 = "{number}"

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Policies\SYSTEM
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
DeleteFlag = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
FailureActions = "hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,b8,0b,00,00,"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\GoogleUpte.exe = "%System%\GoogleUpte.exe:*:Enabled:Explorer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
DeleteFlag = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
FailureActions = "hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,b8,0b,00,00,"

It modifies the following registry keys/entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
Start = "4"

(Note: The default value data for the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = "4"

(Note: The default value data for the said registry entry is 2.)
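The registry changes listed under Installation, Autostart Techniques and Other System Modifications (the Google5 keys, the Run entry, EnableLUA set to 0, the ERSvc and wscsvc Start and DeleteFlag values, and the firewall exception for GoogleUpte.exe) can be checked offline against a Regedit export taken from a suspect host, for example with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`. The Python script below is an added example written for this page; it is not Trend Micro code. It parses a .reg export, expands %System% to the Windows XP / Server 2003 path from the note above (an assumption for other Windows versions), and reports which of the listed indicators the export contains. The export text embedded in the script is constructed for the demonstration.

```python
"""Check a Regedit export for the registry indicators this page lists for WORM_PROLACO.AA."""
import re

# %System% as the page's note gives it for Windows XP / Server 2003 (assumption: XP-era host).
PLACEHOLDERS = {"%System%": r"C:\WINDOWS\system32"}


def expand(text):
    """Replace the page's path placeholders with the concrete path for this host."""
    for name, path in PLACEHOLDERS.items():
        text = text.replace(name, path)
    return text


RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
FW_LIST = SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"

# (key, value name or None for "key exists", expected data or None for "any data"); all from the page.
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Google5", None, None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Google5", None, None),
    (RUN_KEY, "Google Update5", expand(r"%System%\GoogleUpte.exe")),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    (SERVICES + r"\ERSvc", "Start", "4"),
    (SERVICES + r"\ERSvc", "DeleteFlag", "1"),
    (SERVICES + r"\wscsvc", "Start", "4"),
    (SERVICES + r"\wscsvc", "DeleteFlag", "1"),
    (FW_LIST, expand(r"%System%\GoogleUpte.exe"), None),
]

_UNESCAPE = re.compile(r'\\(["\\])')  # .reg strings escape backslash and double quote with a backslash
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key: {name: data}}; keys and names are lower-cased for comparison."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # hex data wraps with a trailing backslash: re-join it
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if match is None or current is None:
            continue
        name = _UNESCAPE.sub(r"\1", match.group(1) or "").lower()
        raw = match.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            data = _UNESCAPE.sub(r"\1", raw[1:-1])      # REG_SZ
        elif raw.lower().startswith("dword:"):
            data = str(int(raw[6:], 16))                 # dword:00000004 -> "4", the page's notation
        else:
            data = raw                                   # hex:, hex(2): ... kept verbatim
        keys[current][name] = data
    return keys


def find_indicators(reg_text):
    """Return the (key, value name) pairs from INDICATORS that the export contains."""
    keys = parse_reg(reg_text)
    hits = []
    for key, name, expected in INDICATORS:
        values = keys.get(key.lower())
        if values is None:
            continue
        if name is None:                # the indicator is the key itself
            hits.append((key, None))
            continue
        data = values.get(name.lower())
        if data is not None and (expected is None or data.lower() == expected.lower()):
            hits.append((key, name))
    return hits


# Constructed export for the demonstration (what `reg export` of the affected keys might look like).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Google5]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update5"="C:\\WINDOWS\\system32\\GoogleUpte.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004
"DeleteFlag"=dword:00000001
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,\
  00,00,00,00,00,00,00,b8,0b,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
'''

if __name__ == "__main__":
    for key, name in find_indicators(SAMPLE_REG):
        print(f"indicator present: {key}  {name or '(key)'}")
```

Key and value names are compared case-insensitively because the registry itself is, and REG_DWORD data is normalised to the decimal form the page uses, so `Start = "4"` matches `dword:00000004` in the export. Only the wscsvc Start value in the sample is at its default of 2, so it is the one listed indicator the script does not report.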

Propagation via Email

It sends email messages containing a copy of itself to email addresses gathered from the system.

Propagation via Physical/Removable/Floppy Drives

This worm drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The said .INF file contains the following strings:

[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%System Root%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
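The AUTORUN.INF above is what an infected removable drive carries: both the open= and the shell\open\command= entries launch redmond.exe from a RECYCLER folder named after a SID, while action= makes the AutoPlay prompt look like Explorer's own "Open folder to view files" choice. The Python script below is an added example written for this page, not part of Trend Micro's tooling. It parses an autorun.inf, flags launch entries that point to the exact path listed above and, going beyond the page's sample, flags any executable launched from a RECYCLER\S-1-... folder (an assumption about related variants, not something the page states). Both sample files are constructed.

```python
"""Inspect autorun.inf files on removable drives for the launch entries this page lists."""
import os
import re

# The launch target from the AUTORUN.INF shown above.
KNOWN_TARGET = r"RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe"
# Generalisation (assumption, not from the page): any executable launched from a RECYCLER\<SID> folder.
RECYCLER_EXE = re.compile(r"^RECYCLER\\S-1-[\d-]+\\[^\\]+\.(?:exe|scr|com|bat|pif)$", re.IGNORECASE)
# autorun.inf keys that cause a program to run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the key=value entries of the [autorun] section with lower-cased keys."""
    entries, in_autorun = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def check_autorun(text):
    """Return a list of findings for one autorun.inf; an empty list means nothing matched."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        if not target:
            continue
        if target.lower() == KNOWN_TARGET.lower():
            findings.append(f"{key}= points to the WORM_PROLACO.AA path {target}")
        elif RECYCLER_EXE.match(target):
            findings.append(f"{key}= launches an executable from a RECYCLER SID folder: {target}")
    # The sample disguises the launch as Explorer's own "Open folder to view files" choice.
    if entries.get("action", "").lower() == "open folder to view files" and entries.get("open"):
        findings.append("action= mimics Explorer's 'Open folder' prompt while open= runs a program")
    return findings


def scan_roots(roots):
    """Read <root>/autorun.inf on each drive root given and return {root: findings}."""
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, encoding="cp1252", errors="replace") as handle:
                results[root] = check_autorun(handle.read())
    return results


# Constructed samples: the page's strings, and a benign CD-style autorun.inf for comparison.
SAMPLE_WORM = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%System Root%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
"""
SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    for finding in check_autorun(SAMPLE_WORM):
        print(finding)
    # On a Windows host: scan_roots([f"{letter}:\\" for letter in "DEFGH"])
```

The file is read with errors="replace" so that a deliberately malformed autorun.inf cannot abort the scan, and the check only reads the file; deleting a matching autorun.inf and the RECYCLER folder it points to is Step 8 of the solution below.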

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. )

Process Termination

This worm terminates the following process, if found running in memory:

  • MCAGENT.EXE

Dropping Routine

This worm drops the following component file:

  • %User Profile%\Application Data\SystemProc\lsass.exe - detected as WORM_SPYBOT.MCS

It also drops the file googlebuzz.exe in the Windows system folder. This file in turn drops a copy of itself as %User Profile%\Application Data\SystemProc\lsass.exe and is deleted after execution.

Other Details

This worm connects to the following Web site to check the affected machine's IP address:

  • http://{BLOCKED}myip.com/automation/n09230945.asp

The IP address is used to check for other system information, including the user's current domain name.

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP and Server 2003.

Analysis By: Jessa De La Torre

Revision History:

First pattern file version: 6.888.05
First pattern file release date: Mar 02, 2010

SOLUTION


Minimum scan engine version needed: 8.900

Pattern file needed: 6.897.00

Pattern release date: Mar 5, 2010


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 1: Remove malware files related to WORM_PROLACO.AA

Step 2: Identify and terminate files detected as WORM_PROLACO.AA

*Note:

  1. For Windows 98 and ME users, Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3: Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft
    • Google5
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
    • Google5

Step 4: Delete this registry value

  • In HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer
    • google10 = "{number}"
    • google11 = "{number}"
  • In HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Run
    • Google Update5 = "%System%\GoogleUpte.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Policies\SYSTEM
    • EnableLUA = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    • DeleteFlag = "1"
    • FailureActions = "hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,b8,0b,00,00,"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %System%\GoogleUpte.exe = "%System%\GoogleUpte.exe:*:Enabled:Explorer"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    • DeleteFlag = "1"
    • FailureActions = "hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,b8,0b,00,00,"

Step 5: Restore this modified registry value

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    • From: Start = "4"
      To: Start = "2"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    • From: Start = "4"
      To: Start = "2"
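Steps 3 to 5 can be carried out with a single Regedit file instead of by hand in the Registry Editor. The Python script below is an added example written for this page, not Trend Micro's own tool: it builds that file from the keys and values the three steps list, using the .reg syntax for deleting a key ([-key]) and a value ("name"=-), and restores the ERSvc and wscsvc Start values to the default of 2 given in the technical details. %System% is expanded to the Windows XP / Server 2003 path from the note above, which is an assumption; the firewall-list value name must match the path the affected host actually shows, so compare the generated file against the live registry before importing it.

```python
"""Generate a Regedit file that carries out Steps 3 to 5 of the removal procedure above."""

# %System% as the page's note gives it for Windows XP / Server 2003 (assumption: XP-era host).
SYSTEM_DIR = r"C:\WINDOWS\system32"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Step 3: keys to delete.
DELETE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Google5",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Google5",
]
# Step 4: values to delete, per key.
DELETE_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer": ["google10", "google11"],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": ["Google Update5"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": ["EnableLUA"],
    SERVICES + r"\ERSvc": ["DeleteFlag", "FailureActions"],
    SERVICES + r"\wscsvc": ["DeleteFlag", "FailureActions"],
    SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List":
        [SYSTEM_DIR + r"\GoogleUpte.exe"],
}
# Step 5: values to restore to their default (name, REG_DWORD data).
RESTORE_VALUES = {
    SERVICES + r"\ERSvc": [("Start", 2)],
    SERVICES + r"\wscsvc": [("Start", 2)],
}


def reg_quote(name):
    """Quote a value name for a .reg file; backslashes and double quotes are escaped with a backslash."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_undo_reg():
    """Return the text of a 'Windows Registry Editor Version 5.00' file for the three steps."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in DELETE_KEYS:
        lines += [f"[-{key}]", ""]                                   # a leading '-' deletes the key
    for key, names in DELETE_VALUES.items():
        lines.append(f"[{key}]")
        lines += [f"{reg_quote(name)}=-" for name in names]          # '=-' deletes the value
        lines.append("")
    for key, pairs in RESTORE_VALUES.items():
        lines.append(f"[{key}]")
        lines += [f"{reg_quote(name)}=dword:{data:08x}" for name, data in pairs]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_undo_reg())   # redirect to undo_prolaco.reg, review it, then import it with regedit
```

Importing the file needs the same administrative rights as editing the keys by hand, and because Steps 3 and 4 also remove the EnableLUA and firewall-exception values, run it only on a host where the earlier steps have confirmed the infection.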

Step 6: Search and delete these files

*Note: Some component files may be hidden. Please make sure you uncheck Hide protected operating system files in the Folder Options > View tab, and then check the Search Hidden Files and Folders checkbox under "More advanced options" so that hidden files and folders are included in the search results.

  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

Step 7: Search and delete this folder

*Note: Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden folders in the search result.

  • %User Profile%\Application Data\SystemProc

Step 8: Search and delete AUTORUN.INF files created by WORM_PROLACO.AA that contain these strings

    [autorun]
    open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    icon=%System Root%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    shell\open\default=1

 Step 9: Scan your computer with your Trend Micro product to delete files detected as WORM_PROLACO.AA  

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.



