WORM_PANOIL.C

Malware type: Worm

Aliases: Email-Worm.Win32.Panoil.e (Kaspersky), W32/Generic.a@MM (McAfee), W32.Panol@mm (Symantec), Worm/Panoil.E (Avira), W32/Panoil-C (Sophos), Worm:Win32/Panolis.A@mm (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm uses Microsoft Outlook to send copies of itself to all email addresses found in the Outlook Address Book. The email message it sends out has the following characteristics:

Subject: Contact Information
Message Body:
tries to repair the infected mail messages; removes messages in case they are unrepairable.
Attachment: Mail_Check.exe

It also drops a malicious VBScript file named PAKET.VBS in the root folder of drive C. Detected as VBS_PANOIL.C, it contains code to launch a Denial of Service attack against www.ttnet.tr.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: Sep. 4, 2003 7:06:58 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 20,480 Bytes (compressed)
31,232 Bytes (uncompressed)

Initial samples received on: Sep 4, 2003

Related to: VBS_PANOIL.C

Payload 1: Change Internet Explorer Start Page

Trigger condition 1: Upon execution

Details:

Installation

Upon execution, this memory-resident worm drops a copy of itself as Mail_Check.exe in the root folder of drive C and in the Windows folder.

Autorun Technique

It then creates the following registry entry to ensure that it runs at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Mail_Check = "%Windows%\Mail_Check.exe"

(Note: %Windows% refers to the default Windows folder, which is C:\Windows on Windows 95, 98, ME, and XP, and C:\WINNT on Windows NT and 2000.)

On Windows 95, 98, and ME systems, this worm adds an entry under the [windows] section of WIN.INI as follows:

Run=%Windows%\Mail_Check.exe

This process enables the worm to run at every Windows startup.

Other Registry Modifications

It also creates the following registry key, which serves as its infection marker:

HKEY_CURRENT_USER\Software\Microsoft\Infected
Name = "Panolili"
Possessor

In addition, this malware drops a malicious Visual Basic Script (VBScript) file as PAKET.VBS in the root folder of drive C. It contains code to launch a Denial of Service attack against www.ttnet.tr. This script is detected by Trend Micro as VBS_PANOIL.C.
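The following Python script is an added example for this entry; it is not Trend Micro's code and is not the System Cleaner referenced in the Solution section. It checks the installation, autostart and infection-marker indicators documented above against a registry export (.reg text), a copy of WIN.INI and a file listing, so it runs offline on data collected from a suspect machine. The registry export, WIN.INI excerpt and file paths embedded in it are constructed for the example.

```python
r"""Offline indicator check for the WORM_PANOIL.C host artifacts listed above.

Added example, not Trend Micro's code. It reads a registry export (.reg text,
as produced by regedit File > Export), a copy of WIN.INI and a file listing,
and reports the documented indicators it finds:
  - HKLM ...\Run value pointing at Mail_Check.exe (autostart)
  - HKCU\Software\Microsoft\Infected key (infection marker, Name = "Panolili")
  - [windows] run= line in WIN.INI naming Mail_Check.exe (Windows 95/98/ME)
  - dropped files Mail_Check.exe and PAKET.VBS
The sample export, WIN.INI excerpt and file list below are constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Infected"
DROPPED_FILES = {"mail_check.exe", "paket.vbs"}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg export text.

    Quoted string data is unescaped; other data types (dword:, hex:) are
    kept as the raw string so callers can still inspect them.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current]["(Default)" if name == "@" else name] = data
    return keys


def _lookup_key(keys, wanted):
    """Registry paths are case-insensitive; match accordingly."""
    for path, values in keys.items():
        if path.lower() == wanted.lower():
            return values
    return None


def check_registry(reg_text):
    """Report the Run-key autostart value and the infection-marker key."""
    findings = []
    keys = parse_reg_export(reg_text)
    for name, data in (_lookup_key(keys, RUN_KEY) or {}).items():
        if "mail_check.exe" in data.lower():
            findings.append(f"autorun: {RUN_KEY}\\{name} = {data}")
    marker = _lookup_key(keys, MARKER_KEY)
    if marker is not None:
        findings.append(f"infection marker: {MARKER_KEY} (Name = {marker.get('Name')})")
    return findings


def check_win_ini(ini_text):
    """Flag run=/load= lines under [windows] that launch Mail_Check.exe."""
    findings, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        entry = re.match(r"^(run|load)\s*=(.*)$", line, re.IGNORECASE)
        if section == "windows" and entry and "mail_check.exe" in entry.group(2).lower():
            findings.append(f"win.ini [windows] {entry.group(1).lower()}={entry.group(2).strip()}")
    return findings


def check_files(paths):
    """Flag paths whose file name matches one of the dropped files."""
    return [f"dropped file: {p}" for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DROPPED_FILES]


def scan(reg_text, ini_text, paths):
    return check_registry(reg_text) + check_win_ini(ini_text) + check_files(paths)


# Constructed sample inputs, modelled on what an infected Windows 98 box might export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Mail_Check"="C:\\WINDOWS\\Mail_Check.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Infected]
"Name"="Panolili"
'''

SAMPLE_INI = r'''[windows]
load=
run=C:\WINDOWS\Mail_Check.exe
NullPort=None

[fonts]
'''

SAMPLE_FILES = [r"C:\Mail_Check.exe", r"C:\WINDOWS\Mail_Check.exe",
                r"C:\PAKET.VBS", r"C:\WINDOWS\NOTEPAD.EXE"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_INI, SAMPLE_FILES):
        print(finding)
```

On a real machine the three inputs come from regedit's File > Export for the two keys, the %Windows%\WIN.INI file and a directory listing of C:\ and %Windows%; the script treats registry paths case-insensitively and also looks at load= lines, since WIN.INI supports both.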

Mass-mailing Routine

Once the worm is active in memory, it uses the Messaging Application Programming Interface (MAPI) of Microsoft Outlook to send copies of itself to all email addresses found in the Outlook Address Book. The email message it sends out has the following details:

Subject: Contact Information
Message Body:
tries to repair the infected mail messages; removes messages in case they are unrepairable.
Attachment: Mail_Check.exe
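The following Python script is an added example, not Trend Micro's code, showing how a mail gateway could match a message against the three characteristics listed above (subject, body text and attachment name) using the standard-library email package. The sample message it builds is constructed for the example and its attachment is placeholder bytes, not the worm.

```python
"""Mail-gateway check for the WORM_PANOIL.C message described above.

Added example, not Trend Micro's code. It parses an RFC 822 message with
the standard-library email package and matches it against the three
documented characteristics: subject, body text and attachment name.
build_sample_message() constructs a look-alike message for the example;
its attachment is placeholder bytes, not the worm.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SUBJECT = "contact information"
BODY_FRAGMENT = "tries to repair the infected mail messages"
ATTACHMENT = "mail_check.exe"


def match_panoil(raw_bytes):
    """Return the documented indicators found in one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    if (msg["Subject"] or "").strip().lower() == SUBJECT:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if BODY_FRAGMENT in body:
        hits.append("body")
    # iter_attachments() yields only the non-body parts of a multipart message.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def verdict(raw_bytes):
    """Quarantine when the attachment name matches together with the subject
    or body; flag any single indicator for review; otherwise pass the message."""
    hits = match_panoil(raw_bytes)
    if "attachment" in hits and len(hits) > 1:
        return "quarantine"
    return "flag" if hits else "clean"


def build_sample_message():
    """Constructed look-alike of the worm's email (placeholder attachment)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Contact Information"
    msg.set_content("tries to repair the infected mail messages; "
                    "removes messages in case they are unrepairable.")
    msg.add_attachment(b"placeholder bytes, not the worm",
                       maintype="application", subtype="octet-stream",
                       filename="Mail_Check.exe")
    return msg.as_bytes()


def build_benign_message():
    """Constructed ordinary message with none of the indicators."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Lunch on Friday"
    msg.set_content("Are you free at noon?")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_message(), build_benign_message()):
        print(verdict(raw), match_panoil(raw))
```

The verdict deliberately requires the attachment name plus one text indicator before quarantining, so a legitimate message that happens to use the subject "Contact Information" is only flagged for review rather than dropped.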

Other Details

This worm changes the Internet Explorer Main Page to:
http://www.ankara.edu.tr.

It is UPX-compressed, and is written and compiled in Visual Basic.




Analysis by: Erwin Varona


SOLUTION


Minimum scan engine version needed: 6.100

Pattern file needed: 1.627.14

Pattern release date: Sep 4, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:
AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_PANOIL.C.

Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Mail_Check = "%Windows%\Mail_Check.exe"
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Removing Other Malware Entries from the Registry

  1. Still in the left panel, double-click the following:
    HKEY_CURRENT_USER\Software\Microsoft
  2. Locate and delete the following registry key:
    Infected
  3. Close registry editor.

Removing Autostart Entries from System Files

A malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

  1. Open System Configuration Editor. To do this, click Start>Run, type SYSEDIT, then press Enter.
  2. Select the WIN.INI window.
  3. Under the [windows] section, locate the lines that begin with:
    run =
  4. From the same lines, delete the malware path and filename:
    "%Windows%\Mail_Check.exe"
  5. Close System Configuration Editor and click Yes when prompted to save.

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer homepage and search page to the default settings.

  1. Close all Internet Explorer windows.
  2. Open Control Panel. Click Start>Settings>Control Panel.
  3. Double-click the Internet Options icon.
  4. In the Internet Properties window, click the Programs tab.
  5. Click the "Reset Web Settings..." button.
  6. Select "Also reset my home page." Click Yes.
  7. Click OK.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_PANOIL.C and VBS_PANOIL.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

