Win32/Prolaco.gen!B is a generic detection of a worm that spreads via e-mail message attachments, removable drives and shared folders of P2P applications. This worm also lowers security settings and downloads and installs Win32/Vundo.
Installation
When Win32/Prolaco.gen!B is executed, it displays an embedded image to distract the user while files are written to the local drive and the malware is installed.
The worm copies itself to '<system folder>\javacpl.exe' and modifies the registry so that the dropped copy runs at each Windows start:
Adds value: "Sun Java Updater v4"
With data: "<system folder>\javacpl.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The registry is modified with these additional changes:
Adds value: "javastation"
With data: "02"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Adds value: "ultrasparc"
With data: "04"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
Adds value: "(default)"
With data: "4EDA89B6EFE045B390F6E3416DDD88EE&"
To subkey: HKLM\SOFTWARE\Microsoft\f0aba62c
The worm also drops the following files:
%TEMP%\<random filename>.bat - batch script to delete original worm copy
<system folder>\javaup.exe - detected as VirTool:Win32/CeeInject.gen!J
Spreads Via…
Mass E-mail Distribution
Win32/Prolaco.gen!B gathers e-mail addresses from files on the infected machine with these extensions: .tmp, .doc, .htm, .pdf, .chm, .txt. It skips any address whose domain contains one of the following strings:
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
security
accoun
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
bugs
rating
site
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
berkeley
math
mit.e
gnu
fsf.
ibm.com
debian
kernel
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
sun.com
isi.e
isc.o
secur
acketst
pgp
apache
gimp
tanford.e
utgers.ed
mozilla
firefox
suse
redhat
sourceforge
slashdot
avp
syman
panda
avira
f-secure
sopho
www.ca.com
prevx
drweb
bitdefender
clamav
eset.com
ikarus
mcafee
kaspersky
virusbuster
icrosof
msn.
borlan
inpris
lavasoft
jgsoft
ghisler.com
wireshark
acdnet.com
acdsystems.com
acd-group
bpsoft.com
buyrar.com
bluewin.ch
quebecor.com
alcatel-lucent.com
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
messagelabs
honeynet
honeypot
idefense
qualys
spm
spam
www
abuse
The worm then performs mail exchanger (MX) lookups on the domain names of the gathered e-mail addresses to find the associated mail server. Win32/Prolaco.gen!B tries the following host-name prefixes, where %s is the domain, to guess the MX record:
mx.%s
mail.%s
smtp.%s
mx1.%s
mxs.%s
mail1.%s
relay.%s
ns.%s
gate.%s
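On the network, the MX-guessing step above shows up as a burst of lookups for the same domain under several of the listed prefixes from one host. The following detection logic is an added example, not part of the original analysis; it runs over constructed resolver log lines whose format ("timestamp client qname qtype") is assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Host-name prefixes the worm prepends to a harvested domain when guessing its
# mail server (from the analysis above; "%s" is the domain).
MX_GUESS_PREFIXES = {"mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate"}

# Constructed resolver log: "<timestamp> <client_ip> <qname> <qtype>" (format assumed).
SAMPLE_DNS_LOG = """\
2009-11-10T09:00:01 10.0.0.17 www.example.com A
2009-11-10T09:00:02 10.0.0.42 mx.example.org A
2009-11-10T09:00:02 10.0.0.42 mail.example.org A
2009-11-10T09:00:03 10.0.0.42 smtp.example.org A
2009-11-10T09:00:03 10.0.0.42 mx1.example.org A
2009-11-10T09:00:04 10.0.0.42 relay.example.org A
2009-11-10T09:00:10 10.0.0.17 mail.example.com A
2009-11-10T09:05:00 10.0.0.42 gate.example.org A
"""

def split_guess(qname):
    """Return (prefix, domain) if qname is <known prefix>.<domain>, else None."""
    label, _, rest = qname.lower().rstrip(".").partition(".")
    if label in MX_GUESS_PREFIXES and "." in rest:
        return label, rest
    return None

def find_mx_guessing(log_text, min_prefixes=4, window=timedelta(seconds=60)):
    """Flag (client, domain, n) where one client tried n >= min_prefixes distinct
    guess prefixes for the same domain within one time window; a legitimate mail
    client resolves one MX host, not a fan-out of guessed names."""
    seen = defaultdict(list)  # (client, domain) -> [(timestamp, prefix), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        guess = split_guess(qname)
        if guess:
            prefix, domain = guess
            seen[(client, domain)].append((datetime.fromisoformat(ts), prefix))
    alerts = []
    for (client, domain), events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window from each query
            prefixes = {p for t, p in events[i:] if t - start <= window}
            if len(prefixes) >= min_prefixes:
                alerts.append((client, domain, len(prefixes)))
                break
    return sorted(alerts)
```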
E-mail messages are generated by the worm and sent to e-mail addresses collected on the infected computer. Messages may be in the following or similar formats:
From: postcards@hallmark.com
Subject: You've received A Hallmark E-Card!
Attachment: postcard.exe
From: HomePlanner@IKEA.com
Subject: IKEA's New Planning Software
Attachment: ikea.exe
From: hr@coca-cola.com
Subject: Job offer from Coca Cola!
Attachment: job-application-form.exe
P2P Shared Folders
Win32/Prolaco.gen!B copies itself to the shared folders of peer-to-peer file-sharing applications, such as the following:
%ProgramFiles%\icq\shared folder\
%ProgramFiles%\grokster\my grokster\
%ProgramFiles%\emule\incoming\
%ProgramFiles%\morpheus\my shared folder\
%ProgramFiles%\limewire\shared\
%ProgramFiles%\tesla\files\
%ProgramFiles%\winmx\shared\
C:\Downloads\
The copies use filenames designed to entice users searching for such files into downloading and running the worm, for example:
K-Lite codec pack 4.0 gold.exe
Youtube Music Downloader 1.0.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Password Cracker.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
VmWare keygen.exe
WinRAR v3.x keygen RaZoR.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Red Alert 3 keygen and trainer.exe
Ad-aware 2008.exe
BitDefender AntiVirus 2009 Keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
Acker DVD Ripper 2009.exe
LimeWire Pro v4.18.3.exe
Download Accelerator Plus v8.7.5.exe
Opera 10 cracked.exe
Internet Download Manager V5.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Motorola, nokia, ericsson mobil phone tools.exe
Smart Draw 2008 keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Absolute Video Converter 6.2.exe
Daemon Tools Pro 4.11.exe
Download Boost 2.0.exe
Silkroad Online guides and wallpapers.exe
Alcohol 120 v1.9.7.exe
CleanMyPC Registry Cleaner v6.02.exe
Super Utilities Pro 2009 11.0.exe
Power ISO v4.2 + keygen axxo.exe
G-Force Platinum v3.7.5.exe
Divx Pro 6.8.0.19 + keymaker.exe
Perfect keylogger family edition with crack.exe
Ultimate xxx password generator 2009.exe
Google Earth Pro 4.2. with Maps and crack.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Sophos antivirus updater bypass.exe
Half life 3 preview 10 minutes gameplay video.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
FOOTBALL MANAGER 2009.exe
Wow WoLTk keygen generator-sfx.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Tuneup Ultilities 2008.exe
Kaspersky Internet Security 2009 keygen.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Removable Drives
Win32/Prolaco.gen!B copies itself to removable drives as:
<drive:>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
It also creates '<drive:>\Desktop.ini' so that the removable drive is shown with a folder icon in Windows Explorer, and '<drive:>\Autorun.inf', which launches the worm copy when the drive is attached to a computer with Autoplay enabled. The Autoplay dialog may offer an action such as "Click to Open folder to view files"; selecting it runs the worm copy. The worm's own icon also appears as a closed folder or file folder when viewed in Windows Explorer.
Infected Web Server Home Page
If the worm infects a computer that is also running IIS, it attempts to replace the legitimate Web root index file, '%root%\inetpub\wwwroot\index.htm', with its own text, which includes the following message:
Security warning!
Your browser affected by the DirectAnimation Path ActiveX vulnerability. Please install the following MS09-067 hotfix in order to be able to watch this website.
The 'MS09-067' hyperlink points to a dropped copy of the worm at '%root%\inetpub\wwwroot\ms09-067.exe'.
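The on-disk artifacts described under Removable Drives and Infected Web Server Home Page can be checked with the following added example (not from the original analysis). It builds a constructed fake drive root with tempfile and flags a RECYCLER subfolder whose name is not a genuine account SID (real recycle-bin folders are named S-1-5-21-..., whereas the worm's path uses authority 6) or that contains executables, an Autorun.inf whose open target points under RECYCLER, the Desktop.ini folder-icon disguise, and a wwwroot index.htm that links to ms09-067.exe; the file contents are constructed.

```python
import os, re, tempfile

ACCOUNT_SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")  # shape of a real per-user RECYCLER folder name

def build_sample_root():
    """Constructed fake drive root with the artifacts the analysis describes (test data only)."""
    root = tempfile.mkdtemp()
    worm_dir = os.path.join(root, "RECYCLER", "S-1-6-21-2434476521-1645641927-702000330-1542")
    os.makedirs(worm_dir)
    with open(os.path.join(worm_dir, "redmond.exe"), "wb") as f:
        f.write(b"placeholder, not a real executable")
    with open(os.path.join(root, "Autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=RECYCLER\\S-1-6-21-2434476521-1645641927-702000330-1542\\redmond.exe\n"
                "action=Open folder to view files\n")
    with open(os.path.join(root, "Desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\nIconFile=%SystemRoot%\\system32\\shell32.dll\nIconIndex=4\n")
    web = os.path.join(root, "inetpub", "wwwroot")
    os.makedirs(web)
    with open(os.path.join(web, "index.htm"), "w") as f:
        f.write('<p>Security warning! <a href="ms09-067.exe">MS09-067</a></p>')
    return root

def scan_drive_root(root):
    """Return findings for the removable-drive and IIS web-root artifacts described above."""
    findings = []
    read = lambda p: open(p, errors="replace").read()  # tolerate odd encodings
    recycler = os.path.join(root, "RECYCLER")
    for sid in (os.listdir(recycler) if os.path.isdir(recycler) else []):
        sid_dir = os.path.join(recycler, sid)
        if not os.path.isdir(sid_dir):
            continue
        exes = [f for f in os.listdir(sid_dir) if f.lower().endswith(".exe")]
        if not ACCOUNT_SID_RE.match(sid) or exes:  # bogus SID authority, or .exe inside the bin
            findings.append(f"RECYCLER\\{sid}: suspicious bin folder, executables={exes}")
    autorun = os.path.join(root, "Autorun.inf")
    if os.path.isfile(autorun):
        m = re.search(r"^(?:open|shellexecute)\s*=\s*(.+)$", read(autorun), re.I | re.M)
        if m and "recycler" in m.group(1).lower():  # autorun target hidden under RECYCLER
            findings.append(f"Autorun.inf launches {m.group(1).strip()}")
        if os.path.isfile(os.path.join(root, "Desktop.ini")):
            findings.append("Autorun.inf + Desktop.ini at drive root (folder-icon disguise)")
    index = os.path.join(root, "inetpub", "wwwroot", "index.htm")
    if os.path.isfile(index) and "ms09-067.exe" in read(index).lower():
        findings.append("wwwroot\\index.htm links to ms09-067.exe")
    return findings
```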
Payload
Installs Win32/Vundo
During execution and installation of the worm, it downloads and installs Win32/Vundo variants from various predefined Web sites such as 'childhe.com' and others.
Displays Rogue Security Software Pop-ups
Win32/Prolaco.gen!B displays pop-up messages when the computer connects to the Internet, such as the following:
"Warning!!! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! Antivirus 360 will perform a quick and free scanning of your PC for viruses and malicious programs."
The messages attempt to convince the user to download rogue security software such as Win32/FakeXPA, Win32/FakeSecSen and others.
Queries Local IP Address
Win32/Prolaco.gen!B connects to the Web site 'whatismyip.com' to retrieve the public IP address of the infected machine. The worm also queries the following WHOIS servers for additional lookups:
gin.ntt.net
whois.ripe.net
whois.afrinic.net
whois.v6nic.net
whois.nic.or.kr
whois.apnic.net
whois.nic.ad.jp
whois.arin.net
whois.lacnic.net
whois.nic.br
whois.twnic.net
rwhois.gin.ntt.net
Lowers Security Settings
Win32/Prolaco.gen!B makes the following changes to an infected system, which lower its security settings:
Adds the worm as an authorized application in the Windows Firewall policy by modifying the registry:
Adds value: "<system folder>\javacpl.exe"
With data: "<system folder>\javacpl.exe:*:Enabled:Explorer"
To subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds value: "<system folder>\javacpl.exe"
With data: "<system folder>\javacpl.exe:*:Enabled:Explorer"
To subkey: HKLM\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Adds file extensions to the registry value "LowRiskFileTypes" so that Windows no longer checks zone information for these (potentially malicious) file types when they are opened from Internet Explorer:
Modifies value: "LowRiskFileTypes"
With data: ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Modifies the registry so that Internet Explorer allows running executables that are unsigned or have invalid signatures:
Modifies value: "RunInvalidSignatures"
With data: "1"
In subkey: HKLM\Software\Microsoft\Internet Explorer\Download
Modifies value: "CheckExeSignatures"
With data: "1"
In subkey: HKLM\Software\Microsoft\Internet Explorer\Download
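A defender-side check for the registry changes listed under Installation and Lowers Security Settings, added here as an example and not part of the original analysis. It parses a constructed excerpt in `reg export` (.reg) format, with C:\Windows\system32 standing in for <system folder>, and flags the Run entry for javacpl.exe, the firewall exception, executable types listed in LowRiskFileTypes, and the Internet Explorer signature-check values.

```python
import re
# Constructed .reg excerpt mirroring the values the analysis above attributes to the worm; C:\Windows\system32 stands in for <system folder>.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Updater v4"="C:\\Windows\\system32\\javacpl.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\system32\\javacpl.exe"="C:\\Windows\\system32\\javacpl.exe:*:Enabled:Explorer"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"="1"
"CheckExeSignatures"="1"
"""
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # "name"="data" lines
EXECUTABLE_TYPES = {".exe", ".bat", ".cmd", ".pif", ".scr", ".reg", ".msi"}

def parse_reg_export(text):
    """Parse a .reg export into {subkey: {value_name: data}} (string values only)."""
    unescape = lambda s: s.replace('\\\\', '\\').replace('\\"', '"')  # .reg escaping
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and VALUE_RE.match(line):
            name, data = VALUE_RE.match(line).groups()
            keys[current][unescape(name)] = unescape(data)
    return keys

def find_indicators(keys):
    """Return findings matching the worm's persistence and security-lowering changes."""
    findings = []
    for subkey, values in keys.items():
        low = subkey.lower()
        if low.endswith("\\currentversion\\run"):  # autostart of the dropped copy
            findings += [f"persistence: Run\\{n} -> {d}" for n, d in values.items()
                         if d.lower().endswith("\\javacpl.exe")]
        elif "authorizedapplications" in low:  # Windows Firewall exception
            findings += [f"firewall exception: {n}" for n in values
                         if n.lower().endswith("\\javacpl.exe")]
        elif low.endswith("\\associations") and "LowRiskFileTypes" in values:
            risky = EXECUTABLE_TYPES & set(values["LowRiskFileTypes"].lower().split(";"))
            if risky:  # executable types exempted from zone (attachment) warnings
                findings.append("LowRiskFileTypes: " + ";".join(sorted(risky)))
        elif low.endswith("\\internet explorer\\download"):  # signature enforcement
            findings += [f"IE {n}={values[n]}" for n in
                         ("RunInvalidSignatures", "CheckExeSignatures") if n in values]
    return findings
```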
Analysis by Jaime Wong