P2P-Worm.Win32.Palevo.a

From Total Malware Info

The description for P2P-Worm.Win32.Palevo.a was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited:

18.8.2010

It is a Trojan that provides an attacker with remote access to the infected computer and uses the shared directories of P2P file-sharing networks to distribute itself. It is a Windows application (PE-EXE file). Its size is about 104,448 bytes. It is packed with an unknown packer; its unpacked size is about 108 KB. It is written in C++.

Installation

It creates a copy of its file in the following directory:

%AppData%\iptyr.exe

It applies the attribute "hidden" to the file.

In order to start automatically each time you start the system, the Trojan creates the link to its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "%AppData%\iptyr.exe"

Payload

To make the Trojan file look legitimate, it contains false version information about the file:

[Image: Palevo-aomy.png, showing the file's fake version information]

The Trojan injects malicious code into the "explorer.exe" process and then exits.

The malicious code, embedded in the process, performs the following actions:

  • It copies the worm's body to all writable network and removable drives under the name "kromirani.exe":
    <X>:\dupler\kromirani.exe
    
    Here <X> is a network or removable drive letter. The directory containing the Trojan's copy is given the "hidden" attribute. It also places the accompanying file in the root directory:
    <X>:\autorun.inf
    
    which runs the worm's copy each time the user opens the infected partition in Windows Explorer.
  • It adds a link to its executable file in the system registry:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Taskman" = "%AppData%\iptyr.exe"
    
  • It provides backdoor functionality. To do so, it connects to the following remote hosts:
    prcolina.prichaonica.com
    kreten.banjalucke-ljepotice.ru
    sombrero.balkan-hosting.net
    84.19.165.194
    
The worm can download files to the infected computer at the attacker's command. The downloaded files are stored in the temporary directory under a random name:

%Temp%\<rnd2>.exe

Here <rnd2> is a random number.

It can also save downloaded files under the names "Crack.exe" and "Keygen.exe" in the shared directories of P2P networks present on the local machine, as well as in the directory:

%ALLUSERSPROFILE%\Local Settings\Application Data\Ares\My Shared Folder

The shared directories of the P2P networks are found by reading the parameters of the following system registry keys:

[HKCU\Software\BearShare\General]
[HKCU\Software\iMesh\General]
[HKCU\Software\Shareaza\Shareaza\Downloads]
[HKCU\Software\Kazaa\LocalContent]
[HKCU\Software\DC++]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule Plus_is1]

At the attacker's command it can also replace the "hosts" file:

%System%\etc\hosts

It can also perform a DoS attack on a server specified by the attacker.

At the time of writing, the Trojan downloaded its updated version at the following URL:

http://188.165.155.244/bojim/529.exe

The Trojan sends the names of visited websites and saved passwords to the attacker's address if the user uses one of the following browsers:

Mozilla Firefox
Internet Explorer
Opera

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

  1. Delete the original Trojan file (its location on the infected computer depends on how the program originally reached the victim machine).
  2. Terminate the process using Windows Task Manager:
    explorer.exe
    
  3. Delete the following files:
    %AppData%\iptyr.exe
    <X>:\dupler\kromirani.exe
    <X>:\autorun.inf
    
  4. Delete files from the temporary directory of the current user using the following mask:
    %Temp%\<rnd2>.exe
    
    Here <rnd2> is a random number.
  5. Remove the following value from the system registry key:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Taskman" = "%AppData%\iptyr.exe"
    
  6. If necessary, restore the contents of the file:
    %System%\etc\hosts
    
    to the following:
    127.0.0.1 localhost
    
  7. Clean the Temporary Internet Files directory:
    %Temporary Internet Files%
    
  8. Perform a full system scan using an antivirus with updated anti-virus databases (download a trial version).
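The following triage helper is an added example, not part of the original description: it checks parsed registry data, a file listing, an autorun.inf body and a hosts file against the indicators listed above (the Winlogon "Taskman" value, iptyr.exe, dupler\kromirani.exe, the autorun.inf launcher and non-default hosts entries). All sample inputs in it are constructed; the function names and the input shapes are assumptions of this example.

```python
import re
from typing import Dict, List

# Indicators as given in the description above; all matching is case-insensitive.
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED_SUFFIXES = (r"\iptyr.exe", r"\dupler\kromirani.exe")
# autorun.inf launch directives that would point Explorer at the dropped copy
AUTORUN_RE = re.compile(r"^\s*(?:open|shellexecute|shell\\[^=]*\\command)\s*=.*kromirani\.exe",
                        re.IGNORECASE | re.MULTILINE)
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def check_registry(values: Dict[str, Dict[str, str]]) -> List[str]:
    """values maps a key path to {value name: data}, e.g. parsed from a .reg export."""
    # A Winlogon "Taskman" value is normally absent; Palevo sets it to %AppData%\iptyr.exe
    winlogon = {k.lower(): v for k, v in values.get(WINLOGON_KEY, {}).items()}
    taskman = winlogon.get("taskman")
    return [f"Winlogon Taskman = {taskman}"] if taskman else []


def check_files(paths: List[str]) -> List[str]:
    """Return the paths whose tail matches one of the dropped file names."""
    return [p for p in paths if any(p.lower().endswith(s) for s in DROPPED_SUFFIXES)]


def check_autorun(autorun_inf: str) -> bool:
    """True if this autorun.inf would launch kromirani.exe when the drive is opened."""
    return AUTORUN_RE.search(autorun_inf) is not None


def check_hosts(hosts: str) -> List[str]:
    """Return hosts entries beyond the default localhost lines. Heuristic: legitimate
    custom entries also show up here, so review them rather than delete automatically."""
    extra = []
    for line in hosts.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or (parts[0], parts[1].lower()) not in DEFAULT_HOSTS:
            extra.append(line)
    return extra


if __name__ == "__main__":
    # constructed sample inputs for a quick run
    print(check_registry({WINLOGON_KEY: {"Shell": "explorer.exe", "Taskman": r"%AppData%\iptyr.exe"}}))
    print(check_files([r"C:\Users\u\AppData\Roaming\iptyr.exe", r"E:\dupler\kromirani.exe"]))
    print(check_autorun("[autorun]\r\nopen=dupler\\kromirani.exe\r\n"))
    print(check_hosts("127.0.0.1 localhost\n::1 localhost\n# c\n0.0.0.0 update.example.invalid\n"))
```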
