P2P-Worm.Win32.Palevo.cvbu

From Total Malware Info

This description of P2P-Worm.Win32.Palevo.cvbu was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.

Last edited:

12.6.2011


This worm copies itself to local disks and to accessible network resources. It is a Windows PE-EXE application, 623616 bytes in size, packed with an unknown packer; the unpacked size is about 667 KB. It is written in Delphi.

md5: D78C9132BCF1F000D92FBF8DED4295A7

sha1: 79000F6A22BA11D85B893738947EA3A45187B1A9


Installation

Once launched, the worm copies its body to the file:

%ALLUSERSPROFILE%\Application Data\srtserv\<original worm name>

To ensure that this copy is launched automatically each time the system starts, the following registry values are created:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\<original worm name>"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\<original worm name>"

Payload

The worm file's icon resembles the Windows Explorer folder icon.

To ensure that only one instance of its process runs, the worm creates a unique identifier with the name:

YCS0mRtQ316

The worm records the path to its original file and its process ID in the registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1" = "<original malicious file name>"
"value2" = "<process PID>"

It then extracts the following library from its body and executes it:

%ALLUSERSPROFILE%\Application Data\srtserv\sdata.dll

This file is 23552 bytes in size and is detected by Kaspersky Anti-Virus as Trojan.Win32.Agent2.decp (md5: 374F995DD3D9E5D293C98F0DDAB39618).

The library performs the following actions:

  • Creates a unique identifier with the name:
KAENA_HOOK
  • Injects malicious code into all user processes.

The injected code reads the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1"
"value2"

It then hooks the following functions:

ZwQueryDirectoryFile 
ZwQuerySystemInformation 
ZwOpenProcess

These hooks allow the worm to hide the folder containing its copy, the malware file itself and its process (the file name and process ID are taken from the MSrtn registry key above).

To prevent booting into Safe Mode, the worm deletes the contents of the following registry keys:

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

It stops the service named "ShellHWDetection" (Shell Hardware Detection).
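The host artifacts described so far (the "srtserv" Run values, the MSrtn key, the dropped files, the emptied SafeBoot keys, the stopped service and the two uniqueness identifiers) can be checked with the following PowerShell triage script. It is an added example, not code from the original description. It assumes that YCS0mRtQ316 and KAENA_HOOK are named mutexes (the description only calls them "unique identifiers") and uses the %ALLUSERSPROFILE%\Application Data path given above. Run it in an elevated session; the file checks may come back empty on a live infected system because the injected code hooks ZwQueryDirectoryFile in user processes, whereas the hooks listed above do not cover the registry or the service control manager.

```powershell
# Added triage script for P2P-Worm.Win32.Palevo.cvbu indicators (not from the original description).
$base = Join-Path $env:ALLUSERSPROFILE 'Application Data\srtserv'
$findings = @()

# 1. Persistence: "srtserv" value in the HKLM and HKCU Run keys
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name 'srtserv' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value '$run\srtserv' = $($v.srtserv)" }
}

# 2. State key holding the original file name and the PID used by the hooks
$msrtn = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\MSrtn'
if (Test-Path $msrtn) {
    $p = Get-ItemProperty -Path $msrtn
    $findings += "MSrtn key present: value1='$($p.value1)' value2='$($p.value2)'"
}

# 3. Dropped files (may be hidden from this process by the ZwQueryDirectoryFile hook)
foreach ($f in 'sdata.dll', 'update.dat', 'setx.txt') {
    $path = Join-Path $base $f
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 4. Safe Mode driver lists emptied by the worm
foreach ($sb in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (Test-Path $key) {
        $count = (Get-ChildItem -Path $key -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($count -eq 0) { $findings += "SafeBoot\$sb has no subkeys (Safe Mode disabled)" }
    }
}

# 5. Shell Hardware Detection service stopped
$svc = Get-Service -Name 'ShellHWDetection' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') { $findings += "ShellHWDetection service is $($svc.Status)" }

# 6. Uniqueness identifiers, ASSUMED to be named mutexes; checked in the session-local
#    namespace and in the Global\ namespace
foreach ($name in 'YCS0mRtQ316', 'KAENA_HOOK', 'Global\YCS0mRtQ316', 'Global\KAENA_HOOK') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Named mutex '$name' exists"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch {
        # access denied or other error: cannot tell, say nothing
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'No P2P-Worm.Win32.Palevo.cvbu indicators found.'
}
```

A single finding from sections 1, 2 or 4 is strong evidence on its own; an empty result from section 3 proves nothing while the injected hooks are active, so repeat that check from a rescue environment if the other indicators fire.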

To implement its backdoor functionality, it connects to one of the following resources:

http://pu****11.comlu.com
http://de****63.110mb.com
http://v****rd.freehostia.com
http://s****nt-card.ru
http://el****t.ru
http://ps****bal.com
http://ps****gi.dk
http://p****ik.freehostia.com

When a connection is successfully established, the worm may perform the following actions:

1. Downloading an updated version of itself. The old malware file is renamed by appending the extension ".bak" and then deleted. The updated version is saved under the name "update.dat" in the following folder:

%ALLUSERSPROFILE%\Application Data\srtserv\update.dat

It is then renamed and launched.

2. Downloading a configuration file that may contain links both to malicious resources and to resources whose ratings are to be "cheated" (artificially inflated). The data is stored in the following file:

%ALLUSERSPROFILE%\Application Data\srtserv\setx.txt

3. The worm contains strings for the "Multi Password Recovery" utility, in particular for launching this tool hidden from the user and using it afterwards.

The main function of this utility is to recover passwords stored by many popular applications (FTP and e-mail clients, instant messengers, browsers, etc.).

4. Downloading other malicious programs and running them.

Propagation

The worm copies its body to all writable network and removable drives connected to the infected computer:

<name of an infected partition>:\<original malicious file name>

Along with this copy, the worm places the following file in the root directory of the infected disk:

<name of an infected partition>:\autorun.inf

This file is 289 bytes in size and is designed to launch the worm automatically when the infected disk is opened in Explorer.

The file is given the "read only", "hidden" and "system" attributes.

In addition, on removable drives the worm copies itself under the names of the existing directories, with the ".exe" extension appended:

<name of an infected partition>:\<folder name on the removable disk>.exe

The original folders are likewise given the "read only", "hidden" and "system" attributes, so that in Explorer's default view only the worm copies, which carry a folder icon, remain visible in their place.
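The propagation pattern above (an autorun.inf in the root plus a <folder name>.exe beside every folder) is easy to spot with a script. The following Python scanner is an added example, not code from the original description: it inspects the root of a drive, reports an autorun.inf (and whether its size matches the 289 bytes given above), lists every .exe whose base name collides with a sibling folder, reports whether that folder carries the hidden and system attributes (Windows only), and parses the [autorun] section to show which file it launches. The drive layout and the autorun.inf contents in build_sample() are constructed for the demonstration; the description does not give the contents of the worm's autorun.inf.

```python
"""Scanner for the P2P-Worm.Win32.Palevo.cvbu removable-drive pattern.

Added example; the drive layout built by build_sample() is constructed
for the demonstration and is not taken from the original description.
"""
import stat
import sys
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

AUTORUN_SIZE = 289  # size of the worm's autorun.inf as given in the description


@dataclass
class ScanResult:
    autorun: Optional[Path] = None                              # root\autorun.inf, if present
    autorun_size_matches: bool = False                          # exactly AUTORUN_SIZE bytes?
    folder_doubles: List[Path] = field(default_factory=list)    # <folder>.exe beside <folder>
    hidden_folders: List[Path] = field(default_factory=list)    # those folders with H+S set


def _has_hidden_system(p: Path) -> bool:
    """True if p carries both the hidden and the system attribute.
    Only Windows exposes st_file_attributes; elsewhere this returns False."""
    attrs = getattr(p.stat(), "st_file_attributes", None)
    if attrs is None:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) and bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)


def scan_root(root: Path) -> ScanResult:
    """Inspect the root of a drive for the propagation pattern."""
    result = ScanResult()
    entries = list(root.iterdir())
    folders = {e.name.lower(): e for e in entries if e.is_dir()}
    for entry in entries:
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            result.autorun = entry
            result.autorun_size_matches = entry.stat().st_size == AUTORUN_SIZE
        elif entry.suffix.lower() == ".exe" and entry.stem.lower() in folders:
            # a worm copy named after an existing folder (e.g. Photos.exe next to Photos)
            result.folder_doubles.append(entry)
            folder = folders[entry.stem.lower()]
            if _has_hidden_system(folder):
                result.hidden_folders.append(folder)
    result.folder_doubles.sort()
    return result


def parse_autorun(path: Path) -> Dict[str, str]:
    """Tolerant parser for the [autorun] section: returns lower-cased key -> value.
    Lines outside [autorun], comment lines and lines without '=' are ignored."""
    keys: Dict[str, str] = {}
    in_section = False
    for raw in path.read_bytes().decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def launched_file(autorun_keys: Dict[str, str]) -> Optional[str]:
    """Return the file the autorun.inf would start, checking the directives
    Explorer honours in order of preference."""
    for key in ("open", "shellexecute", "shell\\open\\command"):
        if key in autorun_keys:
            return autorun_keys[key]
    return None


def build_sample(tmp: Path) -> Path:
    """Constructed drive root mimicking an infected removable disk (demo data only)."""
    root = tmp / "E"
    root.mkdir()
    for name in ("Photos", "Work"):
        (root / name).mkdir()
        (root / f"{name}.exe").write_bytes(b"MZ" + b"\0" * 62)  # placeholder, not a real PE
    (root / "notes.txt").write_text("legitimate file, no folder of that name")
    (root / "autorun.inf").write_bytes(
        b"[autorun]\r\n"
        b"open=Photos.exe\r\n"
        b"shell\\open\\command=Photos.exe\r\n"
        b"action=Open folder to view files\r\n"
    )
    return root


def run_demo() -> Dict[str, object]:
    """Scan the constructed sample and return the findings as plain values."""
    with tempfile.TemporaryDirectory() as d:
        root = build_sample(Path(d))
        res = scan_root(root)
        keys = parse_autorun(res.autorun) if res.autorun else {}
    return {
        "autorun_found": res.autorun is not None,
        "autorun_size_matches": res.autorun_size_matches,
        "doubles": [p.name for p in res.folder_doubles],
        "hidden_folders": [p.name for p in res.hidden_folders],
        "launches": launched_file(keys),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = scan_root(Path(sys.argv[1]))  # e.g. python scan.py E:\
        print(res)
        if res.autorun:
            print("autorun launches:", launched_file(parse_autorun(res.autorun)))
    else:
        print(run_demo())
```

Pass a drive root (for example E:\) as the only argument to scan a real disk; without arguments the script scans the constructed sample. The name-collision check is the reliable signal: a legitimate disk rarely has Photos.exe next to a Photos folder, while the 289-byte size only matches this particular autorun.inf and is reported for corroboration.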

Removal instruction

If your computer does not have antivirus software installed and is infected by this malicious program, follow the instructions below to remove it:

1. Using Kaspersky Rescue Disk 10 (download Kaspersky Rescue Disk), delete the folder and its contents:

%ALLUSERSPROFILE%\Application Data\srtserv

(The folder must be deleted from outside the running system because the worm's hooks hide it and its process while Windows is booted normally.)

2. Boot in normal mode.

3. Delete the following registry values and key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\<original malware name>"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srtserv" = "%ALLUSERSPROFILE%\Application Data\srtserv\<original malware name>"

[HKCU\Software\Microsoft\Windows\CurrentVersion\MSrtn]
"value1" = "<original malicious file name>"
"value2" = "<process PID>"

4. Clear the Temporary Internet Files directory, which may contain infected files.

5. Perform a full system scan with an antivirus with updated databases.

Note that these steps do not restore the contents of the SafeBoot\Minimal and SafeBoot\Network keys that the worm deleted; Safe Mode will remain unavailable until those keys are restored (for example, by exporting them from a clean installation of the same Windows version).
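Steps 3 and 4 above (and a repeat of step 1 in case a remnant survived the offline deletion) can be scripted as follows. This is an added example, not part of the original instructions; it assumes the same %ALLUSERSPROFILE%\Application Data path used throughout the description and must be run from an elevated PowerShell session in normal mode after step 1, since the hooks hide the folder on an infected live system. Run it with -WhatIf first to see what it would remove.

```powershell
# Added removal helper for P2P-Worm.Win32.Palevo.cvbu artifacts (not from the original description).
function Remove-PalevoArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $folder   = Join-Path $env:ALLUSERSPROFILE 'Application Data\srtserv'
    $runKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $stateKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\MSrtn'

    # Step 1 (repeat): the folder holding the worm copy, sdata.dll, update.dat and setx.txt.
    if (Test-Path -LiteralPath $folder) {
        Remove-Item -LiteralPath $folder -Recurse -Force
    }

    # Step 3a: the "srtserv" autostart values in both Run keys.
    foreach ($k in $runKeys) {
        if (Get-ItemProperty -Path $k -Name 'srtserv' -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $k -Name 'srtserv'
        }
    }

    # Step 3b: the MSrtn key that stores the original file name and PID.
    if (Test-Path $stateKey) {
        Remove-Item -Path $stateKey -Recurse
    }

    # Step 4: the current user's Temporary Internet Files cache.
    $tif = [Environment]::GetFolderPath('InternetCache')
    if ($tif -and (Test-Path -LiteralPath $tif)) {
        Get-ChildItem -LiteralPath $tif -Recurse -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Preview the actions first, then run for real:
Remove-PalevoArtifacts -WhatIf
# Remove-PalevoArtifacts
```

Because the function declares SupportsShouldProcess, the -WhatIf switch propagates to every Remove-Item and Remove-ItemProperty call inside it, so the preview run changes nothing. The HKCU entries are removed only for the account running the script; repeat step 3 for every user profile on the machine that may have run the worm.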
