BitDefender weekly review – Worm week at BitDefender
Worm.P2P.Palevo.J
This is a variant of the Butterfly bot kit, which used to be sold at bfse[removed].net for about $900.
The worm spreads using three main vectors: MSN Messenger, removable drives and P2P applications.
If an external drive X: is detected, the file X:\autorun.inf is created, pointing to a copy of the malware at X:\folder.tmp\tmp.exe. When the disk is inserted into another computer, the worm is executed automatically if the autorun feature is enabled.
It also creates copies of itself inside the shared folders of P2P applications such as Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+ and LimeWire.
In order to spread via MSN, it patches the application in memory and replaces the links sent by the user with its own.
To protect itself, the worm stops execution if a virtual machine, sandbox or debugging software is detected.
Palevo.J connects to the Mariposa botnet on one of the following URLs and waits for further instructions: butterfly.BigM[removed].biz:5907, butterfly.si[removed].es:5907, qwertasdfg.si[removed].es:5907.
The worm can also steal passwords stored by Firefox or Internet Explorer and generate TCP/UDP SYN floods for DDoS attacks.
When first executed, Palevo.J copies itself to "X:\RECYCLER\$RecyclerDir\sysdate.exe" where X: is the drive of the Windows installation and $RecyclerDir is a random name such as S-1-5-21-3195918175-0516443723-305921711-2405. It also creates a Desktop.ini file inside the same location to mark itself as a regular Recycle Bin folder (which hides the contained files from explorer.exe).
The worm also adds certain keys to the registry in order to ensure its execution on every system boot.
The "installation" is finished when it injects code into explorer.exe and into the process with the smallest PID (System); the injected code is responsible for all of the actions mentioned above. The injection is accompanied by the creation of a mutex, which is used to check whether the worm has already been injected (to avoid running multiple instances).
Trojan.Generic.1828131
This e-threat is actually a worm. It performs the following actions upon execution:
- makes a copy of itself inside %windir%, as "regsvr.exe"
- makes a copy of itself inside %windir%\system32, as "regsvr.exe"
- makes a copy of itself inside %windir%\system32, as "svchost .exe"
- registers itself at startup in many locations of the registry
- disables the Task Manager, registry tools and folder options by making changes to the registry
- creates a scheduled task, using the Windows AT command scheduler, in order to run "%windir%\System32\svchost .exe" (a copy of the malware) every day at 09:00 AM. It also removes the limit on how long scheduled tasks stay active by making further changes to the registry
- prevents Internet Explorer from starting in offline mode
- creates a specific registry entry so that its copy is shared. If it finds any shared drives, it copies itself onto them under the name "New Folder.exe"
- spreads itself via shared drives, removable drives and Yahoo Messenger
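As an added triage example (not BitDefender's code), the following Python script walks a mounted volume or disk image and flags the on-disk artefacts both write-ups describe: an autorun.inf that launches a file (as with X:\folder.tmp\tmp.exe), an executable sitting in a RECYCLER\<SID> folder beside a Desktop.ini (the sysdate.exe disguise), and an executable name with whitespace before its extension (the "svchost .exe" lookalike). The sample volume it builds is constructed for the demo; the rule names and file stubs are assumptions of this example.

```python
import os
import re
import tempfile

SID_DIR = re.compile(r"^S-1-5-21(-\d+){4}$", re.IGNORECASE)  # folder name shape from the write-up
AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.IGNORECASE)
EXE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def autorun_targets(path):
    """Paths an autorun.inf would launch through its open= / shellexecute= keys."""
    with open(path, encoding="latin-1") as fh:
        return [m.group(2) for m in map(AUTORUN_KEY.match, fh) if m]

def scan(root):
    """Walk a mounted volume or image root; return (rule, detail) pairs."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        lower = {f.lower() for f in filenames}
        head, sid = os.path.split(dirpath)
        in_recycler = SID_DIR.match(sid) and os.path.basename(head).lower() == "recycler"
        for name in filenames:
            path, (stem, ext) = os.path.join(dirpath, name), os.path.splitext(name.lower())
            # Rule 1: autorun.inf at the volume root that launches a file (X:\folder.tmp\tmp.exe).
            if name.lower() == "autorun.inf" and dirpath == root:
                hits += [("autorun-launch", f"{path} -> {t}") for t in autorun_targets(path)]
            # Rule 2: executable in RECYCLER\<SID> beside a Desktop.ini (Palevo.J's sysdate.exe).
            if ext in EXE_EXT and in_recycler and "desktop.ini" in lower:
                hits.append(("recycler-hidden-exe", path))
            # Rule 3: whitespace before the extension, e.g. the "svchost .exe" lookalike.
            if ext in EXE_EXT and stem != stem.rstrip():
                hits.append(("space-before-extension", path))
    return hits

def build_sample(root):
    """Constructed sample volume mirroring the two write-ups; file bodies are empty stubs."""
    rec = "RECYCLER/S-1-5-21-3195918175-0516443723-305921711-2405"
    files = {"autorun.inf": "[autorun]\nopen=folder.tmp\\tmp.exe\n", "folder.tmp/tmp.exe": "",
             rec + "/sysdate.exe": "", rec + "/Desktop.ini": "[.ShellClassInfo]\n",
             "WINDOWS/system32/svchost.exe": "", "WINDOWS/system32/svchost .exe": ""}
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

def demo():
    """Build the sample in a temp dir, scan it and return the sorted rule names hit."""
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(rule for rule, _ in scan(build_sample(tmp)))
```

The legitimate svchost.exe stub in the sample is deliberately left unflagged, so a clean system32 produces no rule-3 hit.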
Information in this article is available courtesy of BitDefender virus researchers Horea Coroiu and George Cabau