WORM_PROLACO.C

Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Low

Distribution potential:

Low

Infection Channel 1 : Propagates via peer-to-peer networks


Infection Channel 2 : Propagates via removable drives


Description: 

This worm drops copies of itself.

It creates registry entries to enable its automatic execution at every system startup.

It creates registry key(s)/entry(ies).

It drops copies of itself in folders used in peer-to-peer networks. It drops copies of itself in folders whose names contain certain strings.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

It connects to Web sites.

For additional information about this threat, see:

Description created: Feb. 18, 2009 1:22:44 AM GMT -0800


TECHNICAL DETAILS


File type: EXE

Memory resident: Yes

Size of malware: 303,616 Bytes

Initial samples received on: Feb 17, 2009

Payload 1: Connects to a URL

Details:

Installation

This worm drops the following copy(ies) of itself:

  • %System%\javarun.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. )

Autostart Techniques

This worm creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Sun Java Updater v5.1 = "%system%\javarun.exe"

Other System Modifications

This worm creates the following registry key(s)/entry(ies):

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer
javastation3 = "01"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer
ultrasparc3 = "06"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Webcheck
tcpack = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Webcheck
tcpfin = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Webcheck
tcpsyn = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Webcheck
tcpurg = "1"

Propagation via Peer-to-peer Networks

This worm drops copies of itself in folders used by peer-to-peer applications, specifically folders whose names contain any of the following strings:

  • Downloads
  • Emule
  • Grokster
  • ICQ
  • Limewire
  • Morpheus
  • Tesla
  • WinMX

The copies dropped in those folders use any of the following file names:

  • Absolute Video Converter 6.2.exe
  • Acker DVD Ripper 2009.exe
  • Ad-aware 2008.exe
  • Adobe Acrobat Reader keygen.exe
  • Adobe Photoshop CS4 crack.exe
  • BitDefender AntiVirus 2009 Keygen.exe
  • Daemon Tools Pro 4.11.exe
  • Download Accelerator Plus v8.7.5.exe
  • Internet Download Manager V5.exe
  • LimeWire Pro v4.18.3.exe
  • Microsoft Visual Studio 2008 KeyGen.exe
  • Motorola, nokia, ericsson mobil phone tools.exe
  • Myspace theme collection.exe
  • Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
  • Norton Anti-Virus 2009 Enterprise Crack.exe
  • Opera 10 cracked.exe
  • Password Cracker.exe
  • Red Alert 3 keygen and trainer.exe
  • Smart Draw 2008 keygen.exe
  • TCN ISO cable modem hacking tools.exe
  • TCN ISO SigmaX2 firmware.bin.exe
  • Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
  • Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
  • Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
  • VmWare keygen.exe
  • WinRAR v3.x keygen RaZoR.exec

Propagation via Physical/Removable/Floppy Drives

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The AUTORUN.INF file contains the following strings:

[Autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1
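As an added, defender-side example (not code from the original page or its analyst), the following Python parses an AUTORUN.INF and reports the traits seen in the file above: launch directives pointing at an executable under a RECYCLER\S-1-... folder, and an action text that imitates Explorer's own "Open folder to view files" prompt. The sample is constructed from the page's listing; checking the `shellexecute` directive as well, and the SID-folder regex, are assumptions made here.

```python
"""Triage helper for AUTORUN.INF files matching the WORM_PROLACO.C pattern."""
import re

# Constructed sample: the AUTORUN.INF content listed on this page.
SAMPLE_AUTORUN = """[Autorun]
open=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe
icon=%SystemRoot%\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe
shell\\open\\default=1
"""

# Directives an AUTORUN.INF can use to start a program (shellexecute is assumed).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# RECYCLER\<SID-like folder>\<file> is the drop path used by this worm (assumed regex).
RECYCLER_SID = re.compile(r"^RECYCLER\\S-\d+(?:-\d+)+\\", re.IGNORECASE)

def parse_autorun(text):
    """Return the [Autorun] section as a lower-cased key -> value dict."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def autorun_findings(text):
    """List why an AUTORUN.INF matches this worm's pattern (empty list if clean)."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        if target is None:
            continue
        if RECYCLER_SID.match(target):
            findings.append(f"{key} launches a file from a RECYCLER SID folder: {target}")
        elif target.lower().endswith(".exe"):
            findings.append(f"{key} launches an executable: {target}")
    # The worm reuses Explorer's default prompt text so the user picks it without suspicion.
    if entries.get("action", "").lower() == "open folder to view files" and findings:
        findings.append("action text imitates the default 'Open folder to view files' prompt")
    return findings
```

Run `autorun_findings(open(r"E:\AUTORUN.INF").read())` against a mounted removable drive to get the list of reasons, or an empty list for a benign file that only sets an icon or label.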

Download Routine

This worm connects to the following Web site(s):

  • http://{BLOCKED}bvzl.com/progs/xckhdrr/agpdue.php?adv=adv634&code1=JNOJ&code2=6173&id=-1399985024&p=1
  • http://{BLOCKED}bvzl.com/progs/xckhdrr/bluivja.php
  • http://{BLOCKED}bvzl.com/progs/xckhdrr/pifccddur
  • http://{BLOCKED}bvzl.com/progs/xckhdrr/xuhlivwj.php?adv=adv634
  • http://{BLOCKED}bvzl.com/uniq.php?id=-1399985024&p=1
  • http://{BLOCKED}e.com/pas/apstpldr.dll.html?affid=171409&uid=&guid=42D1A85F7C5246F0A6BF19F6EB377A83
  • http://{BLOCKED}ley.com/en/SubmitCV/Home
  • http://{BLOCKED}myip.com/automation/n09230945.asp

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, Server 2003.


Analysis By: Erika Mendoza


SOLUTION


Minimum scan engine version needed: 8.700

Pattern file needed: 5.851.00

Pattern release date: Feb 17, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.


 

Step 1: Identify and terminate files detected as WORM_PROLACO.C

*Note:

  1. For Windows 98 and ME users, Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

 

Step 2: Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    • Sun Java Updater v5.1 = "%system%\javarun.exe"
 

Step 3: Delete this registry value

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Explorer
    • javastation3 = "01"
    • ultrasparc3 = "06"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Webcheck
    • tcpack = "1"
    • tcpfin = "1"
    • tcpsyn = "0"
    • tcpurg = "1"
 

Step 4: Search and delete AUTORUN.INF files created by WORM_PROLACO.C that contain these strings

    [Autorun]
    open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    icon=%SystemRoot%\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    shell\open\default=1

 

 Step 5: Scan your computer with your Trend Micro product to delete files detected as WORM_PROLACO.C  

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
