Worm/Palevo.kmq - Worm
Virus: Worm/Palevo.B.5
Date discovered: 03/11/2009
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 143.360 Bytes
MD5 checksum: 4882d3e22c4feb8d006cc162841d151a
IVDF version: 7.01.06.184
General
Method of propagation:
• Autorun feature
Aliases:
• McAfee: W32/Rimecud
• Sophos: W32/Autorun-AUZ
• Panda: W32/P2PWorm.EK.worm
• Eset: Win32/Peerfrag.EU
• Bitdefender: Worm.P2P.Palevo.B
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Registry modification
Files
It copies itself to the following location:
• %drive%\RECYCLER\%CLSID%\rundll32.exe
The following files are created:
– %drive%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%
– %drive%\RECYCLER\%CLSID%\Desktop.ini
Registry
One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• "Taskman"="%recycle bin%\%CLSID%\yv8g67.exe"
Backdoor
The following ports are opened:
– mp**********.ru on UDP port 444
– e7**********.cn on UDP port 444
– f5**********.com on UDP port 444
Injection
– It injects itself as a thread into a process.
Process name:
• explorer.exe
File details
Runtime packer:
In order to complicate detection and reduce the size of the file, it is packed with a runtime packer.
Inserted by Petre Galan on Mon, 08 Mar 2010 11:35 (GMT+1)
Updated by Petre Galan on Mon, 08 Mar 2010 11:49 (GMT+1)
© 2010 Avira Soft SRL