WORM_PALEVO.SAN

It drops copies of itself into folders used in certain peer-to-peer applications.

This worm arrives via removable drives. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system. It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

It gathers certain information on the affected computer.

Arrival Details

This worm arrives via removable drives.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following non-malicious files:

• %System Root%\RECYCLER\S-1-5-21-7136771794-0781154526-587386796-3468\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

• %System Root%\RECYCLER\S-1-5-21-7136771794-0781154526-587386796-3468\nissan.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\RECYCLER
• %System Root%\RECYCLER\S-1-5-21-7136771794-0781154526-587386796-3468
• {removable drive}:\RAZLOG

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It is injected into the following processes running in memory:

• EXPLORER.EXE

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = %System Root%\RECYCLER\S-1-5-21-7136771794-0781154526-587386796-3468\nissan.exe

Propagation

This worm creates the following folders in all removable drives:

• RAZLOG

It drops the following copy(ies) of itself in all removable drives:

• RAZLOG\zaljubljeni.exe

It drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun
;{garbage}
open=RAZLOG///zaljubljeni.exe
;{garbage}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{garbage}
action=Open folderáto view files usingáWindowsáExplorer
;{garbage}
Shell\open\\command=RAZLOG///zaljubljeni.exe
;{garbage}
shell\explore\command=RAZLOG///zaljubljeni.exe
;{garbage}
USEAUTOPLAY=1
;{garbage}

Backdoor Routine

This worm opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It executes the following commands from a remote malicious user:

• Perform DDoS attacks
• Download and execute files from a remote server
• Spread via shared folders and P2P networks
• Spread via MSN network
• Perform port scanning

It connects to the following websites to send and receive information:

• {BLOCKED}.prichaonica.com
• pica.{BLOCKED}ucke-ljepotice.ru
• l33t.{BLOCKED}clothes.net

Information Theft

This worm gathers the following information on the affected computer:

• System information
• Mozilla Firefox account information
• Protected Storage credentials

Other Details

This worm does the following:

• Drops copies of itself into folders used for the following peer-to-peer applications:
  
  • Ares Galaxy
  • BearShare
  • DC++
  • eMule
  • eMule Plus
  • iMesh
  • Shareaza
  • Kazaa
  • DC++
  • Limewire