WORM_PROLACO.AI

 Analysis by: Kathleen Notario

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


This worm arrives as attachment to mass-mailed email messages. It arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

522,752 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

22 Nov 2011

Arrival Details

This worm arrives as attachment to mass-mailed email messages.

It arrives via removable drives.

It may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

  • %User Profile%\Application Data\SystemProc\lsass.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System%\HPWuSchde.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
HP Software Updater v1.0 = %System%\HPWuSchde.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
hk1 = {month of execution}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
hk2 = {day of execution}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UACDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\FirewallPolicy\
StandardProfile\AuthorizedApplications\List
%System%\HPWuSchde.exe = %System%\HPWuSchde.exe:*:Enabled:Explorer

It adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\HP10

HKEY_LOCAL_MACHINE\SOFTWARE\HP10

Propagation

This worm creates the following folders in all removable drives:

  • {drive letter}:\RECYCLER
  • {drive letter}:\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542

It drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • http://{BLOCKED}myip.com/automation/n09230945.asp

Related Malware