Filed Under:
WEEKLY REVIEW

Worm.P2P.Palevo.B Hiding in Your Recycle Bin - Weekly Malware Review

04 December 2009
Initially spotted in late June this year, Worm.P2P.Palevo.B is an extremely aggressive e-threat that primarily targets peer-to-peer service users.

One of the first symptoms of infection is increased network activity on UDP ports originating from explorer.exe and the presence of a hidden file called sysdate.exe inside the "%systemdrive%\RECYCLER\S-1-5-21-[random groups of digits]" folder.
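The two symptoms named above can be checked on a host without any vendor tooling. The following is an added example, not BitDefender's code: it walks the RECYCLER folder for a sysdate.exe under any S-1-5-21-… subfolder and reports whether the file carries the hidden attribute, and it parses netstat -b -o style output to list the UDP endpoints owned by explorer.exe. The netstat text and the on-disk layout it builds are constructed for the demonstration; on a real machine you would point find_dropper at the actual system drive and feed udp_sockets_by_process the real netstat output.

```python
"""Added example (not BitDefender's code): a host check for the two Palevo.B
indicators named in the review, a hidden sysdate.exe under
%systemdrive%\\RECYCLER\\S-1-5-21-<digits> and UDP sockets owned by explorer.exe.
The sample netstat text and the on-disk layout are constructed for illustration."""
import os
import re
import stat
import tempfile
from pathlib import Path

# RECYCLER keeps one subfolder per user, named after the account's SID.
SID_DIR = re.compile(r"^S-1-5-21(?:-\d+)+$", re.IGNORECASE)
DROPPER_NAME = "sysdate.exe"  # file name reported in the review


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows HIDDEN attribute; off Windows,
    fall back to the dot-file convention so the function still runs."""
    attrs = getattr(path.stat(), "st_file_attributes", None)  # Windows only
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def find_dropper(system_drive: str) -> list[dict]:
    """Look for sysdate.exe in every RECYCLER\\S-1-5-21-* folder of the drive.
    Hidden files do not show in Explorer's default view, so the hidden flag
    is reported explicitly for each hit."""
    hits = []
    recycler = Path(system_drive) / "RECYCLER"
    if not recycler.is_dir():
        return hits
    for sid_dir in recycler.iterdir():
        if not (sid_dir.is_dir() and SID_DIR.match(sid_dir.name)):
            continue  # e.g. S-1-5-18 is not the pattern the review names
        for entry in sid_dir.iterdir():
            if entry.is_file() and entry.name.lower() == DROPPER_NAME:
                hits.append({"path": str(entry), "hidden": is_hidden(entry)})
    return hits


# netstat -b -o prints one socket line followed by the owning image in brackets.
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s+(\d+)\s*$")
OWNER_LINE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def udp_sockets_by_process(netstat_text: str) -> dict[str, list[str]]:
    """Map image name -> list of local UDP endpoints, from netstat -b -o output."""
    result: dict[str, list[str]] = {}
    pending = None
    for line in netstat_text.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            pending = (m.group(1), m.group(2))  # (proto, local address)
            continue
        o = OWNER_LINE.match(line)
        if o and pending:
            proto, local = pending
            if proto == "UDP":
                result.setdefault(o.group(1).lower(), []).append(local)
            pending = None
    return result


def explorer_udp_endpoints(netstat_text: str) -> list[str]:
    """UDP sockets owned by explorer.exe are the first symptom the review names;
    compare against a baseline from a clean host to judge what is unusual."""
    return udp_sockets_by_process(netstat_text).get("explorer.exe", [])


NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1034        198.51.100.7:80        ESTABLISHED     1612
 [iexplore.exe]
  UDP    0.0.0.0:1050           *:*                                    1104
 [explorer.exe]
  UDP    0.0.0.0:1051           *:*                                    1104
 [explorer.exe]
  UDP    127.0.0.1:1900         *:*                                    1020
 [svchost.exe]
"""  # constructed sample, not a real capture


def make_constructed_drive() -> str:
    """Build a throwaway directory mimicking an infected system drive, plus a
    decoy under a non-matching SID folder, so the check can be exercised offline."""
    root = tempfile.mkdtemp(prefix="palevo_demo_")
    infected = Path(root) / "RECYCLER" / "S-1-5-21-1234567890-987654321-111111111-1001"
    infected.mkdir(parents=True)
    (infected / DROPPER_NAME).write_bytes(b"constructed placeholder, not malware")
    decoy = Path(root) / "RECYCLER" / "S-1-5-18"
    decoy.mkdir()
    (decoy / DROPPER_NAME).write_bytes(b"decoy")
    return root


if __name__ == "__main__":
    # On Windows, check the real system drive; elsewhere, run against the constructed layout.
    drive = os.environ["SystemDrive"] + os.sep if "SystemDrive" in os.environ else make_constructed_drive()
    for hit in find_dropper(drive):
        print("dropper candidate:", hit)
    print("explorer.exe UDP endpoints:", explorer_udp_endpoints(NETSTAT_SAMPLE))
```

The SID filter matters because RECYCLER legitimately contains one S-1-5-21-… folder per local account; the indicator is the hidden sysdate.exe inside such a folder, not the folder itself. A hit is a candidate for a full scan, not proof on its own.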

The worm has been designed to spread via multiple channels. It can add its code to the list of P2P shares of popular file-sharing applications such as Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire, but it will also infect any removable USB device plugged into an already-infected machine, and even network drives mapped locally.

Worm.P2P.Palevo.B is also able to send links to infected websites if it detects the presence of MSN Messenger on the compromised system, thus luring unwary contacts into installing the worm from a remote location.

The worm does not limit its destructive habits to infecting other hosts and leaving the user with a barely usable system because of its increased activity. It is also able to intercept passwords and other sensitive data entered in Mozilla Firefox and Microsoft Internet Explorer web browsers, which makes it extremely risky to users relying on e-banking or online shopping services.

Worm.P2P.Palevo.B features a backdoor component that allows remote attackers to seize control over the infected machine and manipulate it according to their own needs (for instance, to install additional software, to export locally saved documents, to manipulate online voting from various IPs, or even to launch TCP/UDP flood attacks against Internet servers).

In order to stay safe and fully enjoy your Internet experience, BitDefender recommends that you install and regularly update an anti-malware suite with anti-virus, anti-spam, anti-phishing and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher Mihai Stoicoi.

Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.

Comments:

skokospa said on Dec-8-2009 16:10

Hello,
which versions of MSN are vulnerable?

Fadi K said on Dec-29-2009 03:37

Hi, I have it and BitDefender 2009 caught it, but it says "no action is possible".
So, if BitDefender knows a lot about this worm, why can't it disinfect it or kill it..?

Bogdan BOTEZATU said on Jan-8-2010 10:41

@skokospa: it's not a vulnerability of MSN Messenger, since the worm simply uses it almost as a normal user would.

@Fadi K: there is no action possible, because there is no disinfection tool for the worm. The binary file detected by BitDefender should be deleted. Please choose to delete it after the scan has finished; if you still can't delete it, please contact the BitDefender Support team, which will assist you in dealing with this e-threat.
