JS_PROSLIKE.A

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Application Data%\{random folder name}\{random file name}.js
• %Program Files%\{random folder name}\{random file name}.js
• %User Temp%\{random file name}.js
• %User Temp%\cracked\cracked.js
• %User Temp%\{random file name}.zip (compressed malware copy)

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %System Root%\{random folder name}
• %Application Data%\{random folder name}
• %Program Files%\{random folder name}
• %User Temp%\cracked\

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = "%Application Data%\{random folder name}\{random file name}.js"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntivirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
NoDispCPL = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
DisableCMD = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
DisableTaskMgr = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Windows NT\CurrentVersion
SystemRestoreDisableSR = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsft\Internet Explorer\Control Panel
HomePage = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\MRT
DontReportInfectionInformation = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\System Restore
DisableConfig = "1"

HKEY_CURRENT_USER\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoControlPanel = "1"

HKEY_CURRENT_USER\Microsoft\Windows\
CurrentVersion\Policies\Explorer
"NofolderOptions" = "1"

HKEY_CURRENT_USER\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoWindowsUpdate = "1"

HKEY_CURRENT_USER\Policies\Microsoft\
Internet Explorer\Control Panel
HomePage = "1"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntivirusDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdateDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntivirusOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is 2.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
MigrateProxy = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
ProxyEnable = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon
ParseAutoExec = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

• %Program Files%\ares\my shared folder
• %Program Files%\bearshare\shared
• %Program Files%\edonkey2000\incoming
• %Program Files%\emule\incoming
• %Program Files%\grokster\my grokster
• %Program Files%\icq\shared folder
• %Program Files%\kazaa lite k++\my shared folder
• %Program Files%\kazaa lite\my shared folder
• %Program Files%\kazaa\my shared folder
• %Program Files%\limewire\shared
• %Program Files%\morpheus\my shared folder
• %User Profile%\My Documents\FrostWire\Shared
• %Program Files%\tesla\files
• %Program Files%\winmx\shared

(Note: %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copy of itself in all physical and removable drives:

• {drive letter}:\{random file name 2}.js

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage characters}
[autorun]
{garbage characters}
open={random file name}.js
{garbage characters}
shellexecute={random file name}.js
{garbage characters}
shell\open\command={random file name}.js
{garbage characters}
shell\explore\command={random file name}.js
{garbage characters}

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• sdasetup
• rstrui
• fiddler
• wuauclt
• autoruns
• avast
• tcpview
• clean
• hotfix
• reged
• regmon
• unlocker
• msconfig
• minitool
• filemon
• procexp
• rubotted
• perfmon
• procmon
• ptinstall
• issetup
• resmon
• wireshark
• sysclean
• unescape
• mse
• msss
• gmer
• escape
• housecall
• avenger
• hijack
• mbsa

Information Theft

This worm gathers the following data:

• CPU
• OS
• GPU
• Cookie data
• AV software
• Web Browser settings

Stolen Information

This worm sends the gathered information via HTTP POST to the following URL:

• {BLOCKED}37.net:80/r/
• {BLOCKED}37.net:80/u/
• {BLOCKED}37.net:80/k/

Other Details

This worm performs DNS requests to the following sites:

• cwmods.com
• redditgifts.com
• ssl.redditgifts.com
• store.sony.com
• hasbro.com
• nytimes.com
• theguardian.com
• wowhead.com
• eqinterface.com
• se.reddit.com
• firstthings.com
• as.reddit.com
• blog.us.playstation.com
• tampabay.com
• pathgather.com
• bbc.co.uk
• c.moreover.com
• itv.com
• takaratomy.co.jp
• torchlightarmory.com
• api.nanigans.com
• radioreddit.com
• imgur.com
• redd.it
• nnh42.name
• hearthead.com
• mcall.com
• rappler.com

NOTES:

This worm drops .ZIP files into folders used in peer-to-peer (P2P) applications. These .ZIP files that contain the compressed copy of the malware use the following names:

• Acronis True Image 2015 18.0 Build 6525 ITA.zip
• Adobe Photoshop CC v15.2.1 [2014 ](x64x32)Portable-Multilingual.zip
• Adobe Photoshop CC v15.2.1_Multilingual(32 bit 64)Portable. Fina.zip
• Adobe Photoshop Lightroom 5.6 Final RePack.zip
• ADOBE.PHOTOSHOP.CC.2014.X32.X64.MULTILINGUAL.PORTABLE-PAF.zip
• Ashampoo WinOptimizer 11.00.50 +Activation.zip
• AwakenOSv811.iso.zip
• BlueStacks Rooted Version 0.9.6.4092 Modded [ENGLISH]=Dubs=.zip
• CCleaner 5.0.0.5050 the Newest version (2015) Fully Activated.zip
• Circuit Wizard Paid.zip
• Fate Stay Night.zip
• Folder Lock 6.2.4 with serial 100% working the best one ever .zip
• GEGeek_Toolkit82.7z.zip
• Internet Download Manager 6.21 Build 16 [REiS][JUHAX69X].zip
• Jeppview 1425.zip
• Kaspersky Internet Security 2015 (License Valid till 11-9-2015) .zip
• Kaspersky Internet Security 2015 Trial Reset By Underground Acce.zip
• K-Lite Codec Pack 10.87 (Full).zip
• K-Lite Codec Pack 10.88 (Full).zip
• KMSpico v10.0.4 (Office and windows activator) [TechTools].zip
• KMSpico v10.0.4 + Portable-P2P ~{B@tman}.zip
• KMSpico v10.0.4.zip
• Microsoft Desktop Optimization Pack (MDOP) 2014 R2 12-4-14.zip
• Microsoft Dynamics CRM 2015 MSDN 12-01-14.zip
• Microsoft Dynamics GP 2015 MSDN 12-01-14.zip
• Microsoft Dynamics SL 2015 MSDN 10-7-14.zip
• Mixamo Fuse Universal Character Creator 1.3 Windows.zip
• Notepad++.zip
• OS X Yosemite For AMD [USB Bootable] dmg.zip
• OS X Yosemite For AMD [USB Bootable].zip
• Paragon Disk Wiper 15 Pro 10.1.25.328 WinPE BootCD x64 [JUHAX69X.zip
• Paragon Partition Manager 15 Professional 10.1.25.377 (x86-x64).zip
• Paragon Partition Manager 15 Professional 10.1.25.377.000.zip
• Passcape Software Reset Windows Password 4.1.0 Advanced Edition.zip
• Passcape Software Reset Windows Password 5.0.0.535 Advanced Edit.zip
• Passware Kit Forensic 13.5.8557 + Serial.zip
• Process-Hacker .v2.0.zip
• PT Photo Editor 2.1.2 Standard Edition [JUHAX69X].zip
• RESOURCES PARA MASTERCAM X7 EN ESPAÑOL.zip
• Schoolhouse Technologies Vocabulary Worksheet Factory 5.0.20.4 _.zip
• SDL Trados 2007 Suite Pro SP3.zip
• SiSoftware Sandra Business 2015.01.21.10 + Keygen-FFF [ATOM].zip
• Sothink Logo Maker Professional 4.4 Build 4595 + Crack (2015) 10.zip
• Sveriges_dodboks_1901-2013.exe.zip
• USGS Topographic Maps Library - Alaska.zip
• wallet bitcoin Electrum-1.9.8 (32bit 64bit).zip
• WebDrive V12.10.4082 32-bit & 64-bit.zip
• Windows 7 AIO ESD x86 x64 [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
• Windows 7 x64 VL [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
• Windows 7 x86 VL [PL] [SP1.IE11.Listopad.2014-NiKKA].zip
• Windows 8 x64 bits PC.zip
• Windows 95C OSR 2.5 Swe.zip
• Windows 95C OSR 2.5 Swe .zip
• Windows XP Pro SP3 Lite v1.1 +Post Updates +WiFi +dotNetFx +Fire.zip
• Windows7.USB.Downol.with.Image.Mastering.API.v2.for.WinXP.zip.zip
• winrar 5.2 (32+64)Bit registered NO Serial or CRACK need.zip
• winrar 5.2 (32bit+64bit) registered version does not need to cra
• WinUtilities 11.27[SSolution]
• WinX DVD Ripper Platinum 7.5.11 Build 04122014 + Keys [ATOM]

It drops .ZIP-compressed copies of itself containing the following:

• {zip file path}\cracked
• {zip file path}\cracked\cracked.js (copy)

It searches for cookies related to the following sites:

• sourceforge
• stackoverflow
• amazon
• simplemachines
• linkedin
• youtube
• blogspot
• googleusercontent
• yahoo
• quantcast
• wordpress
• twitter
• wikipedia
• google
• github
• gravatar
• googleapis
• myspace
• reference
• blogger
• facebook
• addthis
• dictionary
• pinterest
• friendster
• phpbb
• conduit
• windows
• torrent

It checks for the following antivirus-related software:

• Kaspersky Lab
• Avira
• Comodo
• Sophos
• AVG
• Alwil Software
• ESET
• Webroot
• AVAST Software
• Bitdefender
• F-Secure
• Panda Security
• Trend Micro
• Malwarebytes' Anti-Malware
• Symantec
• Spyware Doctor

It creates a randomly named .ZIP file and copies it to directory used by the FTP client Filezilla.

It connects to randomly generated URLs using domains such as the following:

• .biz
• .net
• .com
• .info
• .name
• .org
• .ru