Worm:Win32/Prolaco.gen!C is a worm that spreads via e-mail, removable drives and peer-to-peer file sharing networks. This worm also lowers security settings and installs Win32/Vundo.
Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Installation
Worm:Win32/Prolaco.gen!C creates the following files upon execution:
<system folder>\jucshed.exe --> a copy of the worm
<system folder>\javase11.exe --> detected as Trojan:Win32/Vundo.KO
<system folder>\<random>.dll --> detected as Trojan:Win32/Vundo.gen!AJ
It modifies the registry to execute its copy at each Windows start:
Adds value: "Sun Java Updater v7.11"
With data: "<system folder>\jucshed.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Spreads Via…
E-mail
Win32/Prolaco.gen!C gathers e-mail addresses to send itself to from files on the affected machine with the following extensions:
.doc
.htm
.pdf
.chm
.txt
The worm avoids collecting e-mail addresses with the following strings:
abuse
accoun
acd-group
acdnet.com
acdsystems.com
acketst
admin
ahnlab
alcatel-lucent.com
anyone
apache
arin.
avira
berkeley
bitdefender
bluewin.ch
borlan
bpsoft.com
buyrar.com
certific
cisco
clamav
contact
debian
drweb
eset.com
example
f-secure
feste
firefox
ghisler.com
gold-certs
honeynet
honeypot
ibm.com
icrosof
icrosoft
idefense
ikarus
inpris
isc.o
isi.e
jgsoft
kaspersky
kernel
lavasoft
linux
listserv
mcafee
messagelabs
mit.e
mozilla
mydomai
nobody
nodomai
noone
nothing
novirusthanks
ntivi
nullsoft.org
panda
postmaster
prevx
privacy
qualys
quebecor.com
rating
redhat
rfc-ed
ruslis
samba
samples
secur
security
sendmail
service
slashdot
somebody
someone
sopho
sourceforge
ssh.com
submit
sun.com
support
syman
sysinternals
tanford.e
the.bat
usenet
utgers.ed
virus
virusbuster
webmaster
winamp
wireshark
www.ca.com
The worm then performs mail exchanger (MX) queries for the domain names in the gathered e-mail addresses to find the associated mail server. Win32/Prolaco.gen!C also uses the following host-name templates, where %s is replaced by the domain, to guess the mail server when no MX record is available:
mx.%s
mail.%s
smtp.%s
mx1.%s
mxs.%s
mail1.%s
relay.%s
ns.%s
gate.%s
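The defender's view of the guessing behaviour above, as an added example that is not part of the original analysis: a small Python scanner over constructed DNS query-log lines that flags any client resolving several of the listed prefix names against the same domain, which is what a workstation running the worm looks like from the resolver. The log layout, client addresses and domains are assumed, not taken from the page.

```python
import re
from collections import defaultdict

# Host-name labels the worm tries when guessing a domain's mail server
# (the "%s" templates listed in the analysis, minus the domain part).
MX_GUESS_PREFIXES = ("mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate")

# Constructed sample lines in a BIND-style query-log layout (assumed format,
# not real traffic): "<timestamp> client <ip>#<port>: query: <name> IN <type>".
# The initial MX lookup looks legitimate; the burst of A lookups for guessed
# names against the same domain is the tell.
SAMPLE_DNS_LOG = """\
01-Mar-2009 10:00:01 client 10.0.0.5#4321: query: example.org IN MX
01-Mar-2009 10:00:01 client 10.0.0.5#4322: query: mx.example.org IN A
01-Mar-2009 10:00:01 client 10.0.0.5#4323: query: mail.example.org IN A
01-Mar-2009 10:00:02 client 10.0.0.5#4324: query: smtp.example.org IN A
01-Mar-2009 10:00:02 client 10.0.0.5#4325: query: mx.test.net IN A
01-Mar-2009 10:00:02 client 10.0.0.5#4326: query: relay.test.net IN A
01-Mar-2009 10:00:03 client 10.0.0.5#4327: query: gate.test.net IN A
01-Mar-2009 10:00:03 client 10.0.0.7#5000: query: mail.example.org IN A
01-Mar-2009 10:00:04 client 10.0.0.7#5001: query: www.example.org IN A
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")

def guessed_hosts_per_client(log_text):
    """Map client IP -> {domain: set of guess labels tried} for A queries of guess names."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("type") != "A":
            continue
        label, _, domain = m.group("name").partition(".")
        if label in MX_GUESS_PREFIXES and domain:
            probes[m.group("ip")][domain].add(label)
    return probes

def flag_mx_guessing(log_text, min_prefixes=3, min_domains=1):
    """Return sorted client IPs that tried >= min_prefixes guess names on >= min_domains domains."""
    flagged = []
    for ip, domains in guessed_hosts_per_client(log_text).items():
        suspicious = [d for d, labels in domains.items() if len(labels) >= min_prefixes]
        if len(suspicious) >= min_domains:
            flagged.append(ip)
    return sorted(flagged)
```

A real mail relay legitimately resolves mail.X for many domains, so exclude known mail servers from the client set before alerting.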
E-mail messages are generated by the worm and sent to the collected e-mail addresses. Messages may be in the following or similar format:
From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment postcard.exe
(Note: The Message body is in HTML format. The background content - images, references, and so on - are rendered from the official Hallmark website.)
P2P File Sharing Networks
Win32/Prolaco.gen!C copies itself to the following shared folders of popular peer-to-peer file sharing applications:
%ProgramFiles%\icq\shared folder\
%ProgramFiles%\grokster\my grokster\
%ProgramFiles%\emule\incoming\
%ProgramFiles%\morpheus\my shared folder\
%ProgramFiles%\limewire\shared\
%ProgramFiles%\tesla\files\
%ProgramFiles%\winmx\shared\
C:\Downloads\
The worm may create copies of itself in these folders with the following enticing filenames:
Absolute Video Converter 6.2.exe
Ad-aware 2009.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Avast 4.8 Professional.exe
AVS video converter6.exe
BitDefender AntiVirus 2009 Keygen.exe
CheckPoint ZoneAlarm And AntiSpy.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
DVD Tools Nero 9 2 6 0.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Grand Theft Auto IV (Offline Activation).exe
Internet Download Manager V5.exe
K-Lite codec pack 3.10 full.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
Microsoft Office 2007 Home and Student keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft.Windows 7 Beta1 Build 7000 x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 9.62 International.exe
PDF password remover (works with all acrobat reader).exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Smart Draw 2008 keygen.exe
Sony Vegas Pro 8 0b Build 219.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe
Removable Drives
Win32/Prolaco.gen!C copies itself to the following location on removable drives:
<drive:>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
It then creates '<drive:>\Desktop.ini' so that the icon for removable drives appears as a folder icon when viewed in Windows Explorer. The worm creates '<drive:>\Autorun.inf' which launches the worm copy when the removable drive is attached to a computer that has Autoplay enabled. In addition, the icon for the worm appears as a "closed folder" or file folder when viewed in Windows Explorer.
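An added example, not from the original analysis: a Python check of a removable drive's Autorun.inf that flags [AutoRun] launch entries pointing at an executable under a SID-shaped RECYCLER subfolder, the layout the worm uses on removable media. The Autorun.inf content is constructed to model the described behaviour (the worm's actual file is not shown on the page), and the rule that a genuine recycle-bin subfolder carries an S-1-5-21 user SID is a heuristic adopted here, not something the analysis states.

```python
import configparser
import re

# Constructed Autorun.inf modelled on the behaviour described above; the worm's
# real file contents are not shown on the page, so this layout is assumed.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
"""

# [AutoRun] keys that run code directly, plus the shell\<verb>\command form
# that hijacks the Explorer context-menu verbs.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Heuristic (assumption, not from the analysis): a genuine recycle-bin subfolder
# is named after the owning account's SID, which starts with S-1-5-21-, so a
# SID-shaped folder under RECYCLER with any other authority is an anomaly.
RECYCLER_EXE_RE = re.compile(r"RECYCLER\\(S-1-\d+-[\d-]+)\\[^\\]+\.exe$", re.IGNORECASE)

def parse_autorun(text):
    """Return the [AutoRun] section as a dict, keeping key case and backslashes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}

def autorun_findings(text):
    """List (key, value, reason) for entries that would launch code from the drive."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key.lower() not in LAUNCH_KEYS and not SHELL_CMD_RE.match(key):
            continue
        m = RECYCLER_EXE_RE.search(value.strip())
        if m:
            reason = "launches an executable hidden under RECYCLER"
            if not m.group(1).upper().startswith("S-1-5-21-"):
                reason += "; folder name is not a valid user SID"
            findings.append((key, value, reason))
        elif value.strip().lower().endswith(".exe"):
            findings.append((key, value, "launches an executable from the drive"))
    return findings
```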
Web Servers
If the worm infects a computer that is running IIS, it attempts to replace the legitimate Web root index file, '%root%\inetpub\wwwroot\index.htm', with a page containing the following message:
Security warning!
Your browser affected by the DirectAnimation Path ActiveX vulnerability. Please install the following MS09-067 hotfix in order to be able to watch this website.
'MS09-067' is a hyperlink to a dropped copy of the worm, for example:
'%root%\inetpub\wwwroot\ms09-067.exe'.
Payload
Lowers Security Settings
Win32/Prolaco.gen!C makes the following changes to an infected system, which result in lowered security settings:
Deletes Files
Worm:Win32/Prolaco.gen!C searches for the installation directory of the file Mcshield.exe by looking at the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVEngine\szInstallDir
If found, it deletes this file. This file may be related to McAfee security software.
Additional Information
Win32/Prolaco.gen!C connects to the Web site 'whatismyip.com' to retrieve the IP address of the infected machine. The worm may also query the following hosts (mostly regional Internet registry WHOIS servers) to obtain further information:
gin.ntt.net
whois.ripe.net
whois.afrinic.net
whois.v6nic.net
whois.nic.or.kr
whois.apnic.net
whois.nic.ad.jp
whois.arin.net
whois.lacnic.net
whois.nic.br
whois.twnic.net
rwhois.gin.ntt.net
Analysis by Elda Dimakiling