WORM_PALEVO

ANALYSIS BY

Karl Dominguez


ALIASES:

Rimecud, Pilleuz, Palevo

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm
  • Destructiveness: No
  • In the wild: Yes

OVERVIEW

Infection Channel:

  • Propagates via peer-to-peer networks
  • Propagates via removable drives
  • Propagates via instant messaging applications


PALEVO malware are worms known to be part of the Mariposa botnet. These worms are known to arrive via three different means: peer-to-peer (P2P) sharing programs such as Kazaa and Limewire, instant messengers like MSN Messenger, and via removable drives.

PALEVO malware are basically downloaders, but they can also perform several other malicious routines such as stealing login credentials and other online-banking-related information, as well as corporate and personal data. They can also initiate distributed denial of service (DDoS) attacks.

PALEVO malware also connect to specific sites to send and receive commands from C&C servers. Commands they can execute include downloading files, scanning ports, and performing DDoS attacks against target addresses.

In addition, PALEVO malware also use different encryption techniques to hide their main executable files. They typically act as bot toolkits with modularized functions and are sold in the underground market.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information, Compromises system security

Installation

This worm drops the following non-malicious files:

  • %System Root%\RECYCLER\{SID}\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

  • {drive letter}\{random folder name}\{random file name}.exe
  • %Application Data%\{random file name}.exe
  • %System Root%\RECYCLER\{SID}\{random file name}.exe
  • %User Profile%\{random file name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %System Root%\RECYCLER\{SID}
  • {drive letter}\{random folder name}

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "%User Profile%\{random file name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "%Application Data%\{random file name}.exe"
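The following PowerShell audit is an added example, not code from this write-up or from Trend Micro; it checks a host for the two artifacts described under Installation and Autostart Technique (a Winlogon Taskman value pointing into a user profile, and executables under RECYCLER\{SID}). It assumes the listed platforms (Windows 2000/XP/2003, where the bin is named RECYCLER) and therefore avoids PowerShell 3.0+ syntax.

```powershell
# Added example, not code from the Trend Micro write-up: a read-only audit for the
# two host artifacts this entry describes. Written for the platforms listed above
# (2000/XP/2003 use RECYCLER; Vista and later use $Recycle.Bin), so it avoids
# PowerShell 3.0+ syntax. Run from an elevated prompt; it only reports.

$findings = @()

# 1. Winlogon "Taskman" is normally absent. The entry states PALEVO sets it to a
#    copy of itself under %User Profile% or %Application Data%, so any value that
#    resolves into a user-writable path is the strongest signal here.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman  = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Taskman
if ($taskman) {
    $exe  = [Environment]::ExpandEnvironmentVariables($taskman.Trim('" '))
    $note = 'unexpected value; verify'
    if ($exe -match '\\Documents and Settings\\|\\Users\\|\\Application Data\\|\\AppData\\') {
        $note = 'points into a user profile; treat as likely persistence'
    }
    $findings += New-Object PSObject -Property @{
        Check = 'Winlogon\Taskman'; Value = $taskman
        Exists = (Test-Path -LiteralPath $exe); Note = $note }
}

# 2. RECYCLER\{SID}\*.exe on each file-system drive. A Recycle Bin SID folder holds
#    deleted items and Desktop.ini, never a live executable, so any .exe there
#    matches the drop location described under Installation.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $recycler = Join-Path $drive.Root 'RECYCLER'
    if (-not (Test-Path -LiteralPath $recycler)) { continue }
    $sidDirs = Get-ChildItem -LiteralPath $recycler -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'S-1-5-*' }
    foreach ($dir in $sidDirs) {
        $exes = Get-ChildItem -LiteralPath $dir.FullName -Filter *.exe -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
        foreach ($f in $exes) {
            $findings += New-Object PSObject -Property @{
                Check = 'RECYCLER\{SID}\*.exe'; Value = $f.FullName
                Exists = $true; Note = "$($f.Length) bytes, modified $($f.LastWriteTime)" }
        }
    }
}

if ($findings) { $findings | Format-Table Check, Value, Exists, Note -AutoSize }
else { 'No PALEVO-style persistence artifacts found.' }
```

Any hit on the Taskman check should be triaged against a known-good baseline before removal, since the value is a legitimate (if rarely used) Winlogon setting.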

Other Details

This worm connects to the following possibly malicious URLs:

