Worm:Win32/Prolaco is a family of worms that spreads via email, removable drives, Peer-to-Peer (P2P) file sharing networks and network shares. This worm may also install additional malware.
Installation
When executed, the worm makes a copy of itself, commonly in the <system folder>, for example:
- <system folder>\adobecrn.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The worm modifies the following registry entry to ensure that its copy executes at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Adobe Reader Updater c2"
With data: "<system folder>\adobecrn.exe"
Spreads via…
Email
When executed, the worm searches the drives C: to Y: for files with the following file extensions:
- .ASP
- .DBX
- .DOC
- .HTM
- .LOG
- .LST
- .NFO
- .PHP
- .RTF
- .WAB
- .WPD
- .WPS
- .XLS
- .XML
Any files found are searched for email addresses, which the worm then uses as targets when it spreads.
The worm constructs and sends emails with a copy of itself as a .ZIP attachment. The emails contain various messages designed to trick an unsuspecting user into executing the malware.
The emails are structured as follows:
- The from address is chosen from one of the following, and corresponds to the appropriate theme of the message:
  - e-cards@hallmark.com
  - invitations@twitter.com
  - invitations@hi5.com
  - order-update@amazon.com
  - resume-thanks@google.com
  - update@facebookmail.com
- The subject is chosen from one of the following, and corresponds to the appropriate theme of the message:
  - You have received A Hallmark E-Card!
  - Your friend invited you to Twitter!
  - Cindy would like to be your friend on hi5!
  - Shipping update for your Amazon.com order
  - Thank you from Google!
  - You have got a new message on Facebook!
- The message body can be one of the following:
  - Hi,
    You have got a personal message on Facebook from your friend.
    To read it please check the attachment.
    Thanks,
    The Facebook Team
  - Hello!
    You have received a Hallmark E-Card from your friend.
    To see it, check the attachment.
    There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
    Hope to see you soon,
    Your friends at Hallmark
  - Meet new people and keep up with friends on hi5.
    Cindy would like to be your friend on hi5!
    I setup a hi5 profile and I want to add you as a friend so we can share pictures and start building our network. First see your invitation card I attached! Once you join, you will have a chance to create a profile, share pictures, and find friends.
  - Shipping update for your Amazon.com order
    Please check the attachment and confirm your shipping details.
  - We just received your resume and would like to thank you for your interest in working at Google. This email confirms that your application has been submitted for an open position.
    Our staffing team will carefully assess your qualifications for the role(s) you selected and others that may be a fit. Should there be a suitable match, we will be sure to get in touch with you.
    Click on the attached file to review your submitted application.
    Have fun and thanks again for applying to Google!
    Google Staffing
- The attachments can be named any of the following:
  - Postcard
  - Invitation Card
  - Invitation Card
  - Shipping documents
  - CV-20100120-112
  - Facebook message
The following are examples of emails the worm may send:
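As an added illustration, not part of the original description, the following Python script flags mail that matches the lure pattern above: a sender and subject from the lists together with a .zip attachment carrying one of the listed names. The sample messages are constructed inline; the address user@example.invalid and the function names are assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Built from the sender, subject and attachment names listed in the description above.
LURE_SENDERS = {"e-cards@hallmark.com", "invitations@twitter.com", "invitations@hi5.com",
                "order-update@amazon.com", "resume-thanks@google.com", "update@facebookmail.com"}
LURE_SUBJECTS = {"you have received a hallmark e-card!", "your friend invited you to twitter!",
                 "cindy would like to be your friend on hi5!", "shipping update for your amazon.com order",
                 "thank you from google!", "you have got a new message on facebook!"}
LURE_ATTACHMENTS = {"postcard", "invitation card", "shipping documents", "cv-20100120-112",
                    "facebook message"}

def score_message(raw: bytes) -> list:
    """Return the Prolaco lure indicators matched by one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in LURE_SENDERS:
        hits.append(f"sender {addr}")
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in LURE_SUBJECTS:
        hits.append(f"subject {subject!r}")
    for part in msg.iter_attachments():          # only multipart parts marked as attachments
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "zip" and stem.lower() in LURE_ATTACHMENTS:
            hits.append(f"zip attachment {name!r}")
    return hits

def is_prolaco_lure(raw: bytes) -> bool:
    """Treat a lure-named .zip plus a matching sender or subject as a Prolaco mailing."""
    hits = score_message(raw)
    return any(h.startswith("zip attachment") for h in hits) and len(hits) >= 2

def build_sample(sender: str, subject: str, attachment: str = "") -> bytes:
    """Construct a sample message for offline testing (not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.invalid", subject
    m.set_content("Please check the attachment.")
    if attachment:
        m.add_attachment(b"constructed placeholder, not a real archive",
                         maintype="application", subtype="zip", filename=attachment)
    return m.as_bytes()

SAMPLE_LURE = build_sample("update@facebookmail.com", "You have got a new message on Facebook!",
                           "Facebook message.zip")
SAMPLE_CLEAN = build_sample("colleague@example.invalid", "Lunch tomorrow?")
```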
Removable drives
The worm checks the computer for removable drives (except A: and B:); if found, the worm makes a copy of itself on the drive, for example:
- <Drive>:\recycler\s-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer that supports the Autorun feature, the worm is launched automatically.
File infection
The worm checks the computer for remote drives from C: to Y: and, if found, searches them for files whose file name contains any of the following strings:
- activa
- crack
- inst
- keygen
- msi
- setup
If found, the worm packs the clean host file together with a copy of itself into a self-extracting cabinet (CAB) executable which, when run, executes a copy of the worm as well as the clean host. Infected CAB files are detected as Virus:Win32/Prolaco.
File sharing software
The worm looks for the shared folders of the following file sharing software, as well as 'C:\Downloads':
- DCPlusPlus
- Frostwire
- Kazaa
- emule
- grokster
- icq
- limewire
- morpheus
- tesla
- winmx
If found, the worm may then make copies of itself in those locations, using some of the following file names:
- Absolute Video Converter 6.2.exe
- Ad-aware 2010.exe
- Adobe Acrobat Reader keygen.exe
- Adobe Illustrator CS4 crack.exe
- Adobe Photoshop CS4 crack.exe
- Alcohol 120 v1.9.7.exe
- Anti-Porn v13.5.12.29.exe
- AnyDVD HD v.6.3.1.8 Beta incl crack.exe
- Ashampoo Snap 3.02.exe
- Avast 4.8 Professional.exe
- BitDefender AntiVirus 2010 Keygen.exe
- Blaze DVD Player Pro v6.52.exe
- CleanMyPC Registry Cleaner v6.02.exe
- DVD Tools Nero 10.5.6.0.exe
- Daemon Tools Pro 4.11.exe
- Divx Pro 7 + keymaker.exe
- Download Accelerator Plus v9.exe
- Download Boost 2.0.exe
- G-Force Platinum v3.7.5.exe
- Google SketchUp 7.1 Pro.exe
- Grand Theft Auto IV (Offline Activation).exe
- Image Size Reducer Pro v1.0.1.exe
- Internet Download Manager V5.exe
- K-Lite Mega Codec v5.5.1.exe
- K-Lite Mega Codec v5.6.1 Portable.exe
- Kaspersky AntiVirus 2010 crack.exe
- Kaspersky Internet Security 2010 keygen.exe
- LimeWire Pro v4.18.3.exe
- Magic Video Converter 8 0 2 18.exe
- McAfee Total Protection 2010.exe
- Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
- Motorola, nokia, ericsson mobil phone tools.exe
- Mp3 Splitter and Joiner Pro v3.48.exe
- Myspace theme collection.exe
- Nero 9 9.2.6.0 keygen.exe
- Norton Anti-Virus 2010 Enterprise Crack.exe
- Norton Internet Security 2010 crack.exe
- PDF Unlocker v2.0.3.exe
- PDF password remover (works with all acrobat reader).exe
- PDF to Word Converter 3.0.exe
- PDF-XChange Pro.exe
- Power ISO v4.2 + keygen axxo.exe
- RapidShare Killer AIO 2010.exe
- Rapidshare Auto Downloader 3.8.exe
- Sophos antivirus updater bypass.exe
- Starcraft2 Crack.exe
- Starcraft2 Oblivion DLL.exe
- Starcraft2 Patch v0.2.exe
- Starcraft2 keys.txt.exe
- Starcraft2.exe
- Super Utilities Pro 2009 11.0.exe
- Total Commander7 license+keygen.exe
- Trojan Killer v2.9.4173.exe
- Tuneup Ultilities 2010.exe
- Twitter FriendAdder 2.1.1.exe
- VmWare 7.0 keygen.exe
- VmWare keygen.exe
- WinRAR v3.x keygen RaZoR.exe
- Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
- Windows 2008 Enterprise Server VMWare Virtual Machine.exe
- Windows 7 Ultimate keygen.exe
- Windows XP PRO Corp SP3 valid-key generator.exe
- Windows2008 keygen and activator.exe
- YouTubeGet 5.4.exe
- Youtube Music Downloader 1.0.exe
Modifies system files
The worm checks if either of the following web servers is installed on the affected computer:
If one is found, the worm locates the root directory of the website and writes the default files index.htm and index.html, which contain a warning message and a link to a copy of the worm placed in the same location. An example of this warning message is shown below:
Security warning! Your browser affected by the DirectAnimation Path ActiveX vulnerability. Please install the following <link to worm> MS09-092 hotfix in order to be able to watch this website.
Payload
Modifies computer security settings
The worm disables User Account Control (UAC), suppresses the Security Center notice that UAC is off, and adds itself to the Windows Firewall list of applications authorized to access the network by making the following registry modifications:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "C:\WINDOWS\system32\Adobecrn.exe"
With data: "<system folder>\adobecrn.exe:*:enabled:explorer"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "UACDisableNotify"
With data: "1"
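As an added example, not part of the original analysis, the following Python script audits a `reg export` of the three locations above and reports each weakened setting. The .reg text is a constructed sample, the example.exe entry is a placeholder, and the key names use the long HKEY_LOCAL_MACHINE form that .reg files carry.

```python
import re
from pathlib import PureWindowsPath

# Registry locations from the "Modifies computer security settings" section above.
LUA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
WORM_FILENAME = "adobecrn.exe"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
_unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")   # undo .reg string escaping

def parse_reg_export(text: str) -> dict:
    """Parse the subset of the .reg format used here: [key] headers, dword and quoted string data."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m.group(2)
            value = int(data[6:], 16) if data.startswith("dword:") else _unescape(data[1:-1])
            current[_unescape(m.group(1))] = value
    return keys

def audit(keys: dict) -> list:
    """Report the three weakenings listed above: UAC off, its warning silenced, a firewall exception."""
    findings = []
    if keys.get(LUA_KEY, {}).get("EnableLUA") == 0:
        findings.append("EnableLUA=0: User Account Control is disabled")
    if keys.get(SC_KEY, {}).get("UACDisableNotify") == 1:
        findings.append("UACDisableNotify=1: Security Center will not warn that UAC is off")
    for data in keys.get(FW_LIST_KEY, {}).values():
        fields = str(data).rsplit(":", 3)   # path:scope:Enabled|Disabled:display name
        if len(fields) == 4 and fields[2].lower() == "enabled" and PureWindowsPath(fields[0]).name.lower() == WORM_FILENAME:
            findings.append(f"firewall exception for {WORM_FILENAME} (display name {fields[3]!r})")
    return findings

# Constructed sample export (not a real capture); example.exe stands in for a legitimate exception.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\Adobecrn.exe"="C:\\WINDOWS\\system32\\adobecrn.exe:*:enabled:explorer"
"C:\\Program Files\\Example\\example.exe"="C:\\Program Files\\Example\\example.exe:*:Enabled:Example"
"""
```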
Drops and executes other malware
Some variants of Worm:Win32/Prolaco have been known to drop and execute variants of other malware, including:
Deletes services
Worm:Win32/Prolaco checks for, and if found, deletes the following services:
- AVP
- AntiVirSchedulerService
- Arrakis3
- CaCCProvSP
- ERSvc
- Ehttpsrv
- Emproxy
- FPAVServer
- GWMSRV
- K7EmlPxy
- K7RTScan
- K7TSMngr
- LIVESRV
- LiveUpdate Notice Service
- MCNASVC
- MPFSERVICE
- MPS9
- McAfee HackerWatch Service
- PANDA SOFTWARE CONTROLLER
- PAVFNSVR
- PAVPRSRV
- PAVSVR
- PSHOST
- PSIMSVC
- PSKSVCRETAIL
- RSCCenter
- RSRavMon
- SAVScan
- Savadminservice
- Savservice
- Sophos Autoupdate Service
- Symantec Core LC
- TPSRV
- ThreatFire
- VSSERV
- WerSvc
- WinDefend
- XCOMM
- antivirservice
- aswupdsv
- avast! Antivirus
- avast! Mail Scanner
- avast! Web Scanner
- avg8emc
- avg8wd
- bdss
- ccEvtMgr
- ccproxy
- ccpwdsvc
- ccsetmgr
- ekrn
- liveupdate
- mcODS
- mcmisupdmgr
- mcmscsvc
- mcpromgr
- mcproxy
- mcredirector
- mcshield
- mcsysmon
- msk80service
- navapsvc
- npfmntor
- nscservice
- sbamsvc
- scan
- sdauxservice
- sdcodeservice
- sndsrvc
- spbbcsvc
- wscsvc
Terminates processes
The worm checks for, and, if found, terminates the following processes:
- ALSvc.exe
- APvxdwin.exe
- AVENGINE.exe
- AlMon.exe
- CCenter.exe
- FPAVServer.exe
- FPWin.exe
- FprotTray.exe
- HWAPI.exe
- K7EmlPxy.exe
- K7RTScan.exe
- K7SysTry.exe
- K7TSMngr.exe
- K7TSecurity.exe
- McNASvc.exe
- McProxy.exe
- Mcshield.exe
- MpfSrv.exe
- NTRtScan.exe
- PAVSRV51.exe
- PSCtrlS.exe
- PShost.exe
- PavFnSvr.exe
- PavPrSrv.exe
- Pavbckpt.exe
- PsIMSVC.exe
- Rav.exe
- RavMon.exe
- RavStub.exe
- RavTask.exe
- RavmonD.exe
- RedirSvc.exe
- SavAdminService.exe
- SavMain.exe
- SavService.exe
- SrvLoad.exe
- TPSRV.exe
- TmListen.exe
- Webproxy.exe
- ashdisp.exe
- ashserv.exe
- avcenter.exe
- avciman.exe
- avgcsrvx.exe
- avgemc.exe
- avgnt.exe
- avgrsx.exe
- avgtray.exe
- avguard.exe
- avgui.exe
- avgwdsvc.exe
- avp.exe
- bdagent.exe
- bdss.exe
- drweb32w.exe
- drwebupw.exe
- egui.exe
- ekrn.exe
- emproxy.exe
- guardgui.exe
- iface.exe
- isafe.exe
- livesrv.exe
- mcagent.exe
- mcmscsvc.exe
- mcods.exe
- mcpromgr.exe
- mcsysmon.exe
- mcvsshld.exe
- mps.exe
- mskagent.exe
- msksrver.exe
- pccnt.exe
- psksvc.exe
- sbamtray.exe
- sbamui.exe
- seccenter.exe
- spidergui.exe
- vetmsg.exe
- vsserv.exe
- xcommsvr.exe
Deletes files
The worm checks for the installation location of McAfee AV, and attempts to delete the following file if found:
Deletes registry entries
The worm checks the following registry location:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and if found, deletes the following registry entries:
- APVXDWIN
- AVG8_TRAY
- AVP
- BDAgent
- CAVRID
- DrWebScheduler
- F-PROT Antivirus Tray application
- ISTray
- K7SystemTray
- K7TSStart
- McENUI
- MskAgentexe
- OfficeScanNT Monitor
- RavTask
- SBAMTray
- SCANINICIO
- SpIDerMail
- Spam Blocker for Outlook Express
- SpamBlocker
- Windows Defender
- avast!
- cctray
- egui
- sbamui
Analysis by Ray Roberts