Worm:Win32/Prolaco.A@mm is a worm that spreads via email, peer-to-peer file sharing and removable drives, and that carries a keylogger and backdoor payload. It may arrive as an email message that exploits the Christmas holiday, posing as a promotional message from one of several well-known brands.
Installation
Worm:Win32/Prolaco.A@mm may arrive on a system as an attachment downloaded from an email message or as a program received through a peer-to-peer file sharing program. Its executable carries an icon that mimics a graphic (image) file, so that it does not look like a program to the user.

Upon execution, Worm:Win32/Prolaco.A@mm may display a decoy dialog box.
It then drops the following copies of itself (the names imitate legitimate embedded-OS products, Wind River VxWorks and QNX, so that they look innocuous):
- <system folder>\vxworks.exe
- <system folder>\kb1541358529.log
- <system folder>\qnx.exe

Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Vista.

Worm:Win32/Prolaco.A@mm modifies the system registry so that its dropped copy is executed every time Windows starts:

Adds value: "Wind River Systems"
With data: "<system folder>\vxworks.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It then launches its copy <system folder>\qnx.exe.
Spreads Via...
Removable Drives
The worm spreads by copying itself to any removable drive as the following files:
<Drive>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
<Drive>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini

The folder name imitates a Recycle Bin subfolder, which is hidden by default. Genuine Recycle Bin subfolders are named after account SIDs of the form S-1-5-21-..., so the '6' in the second position of this name is a useful tell.

Worm:Win32/Prolaco.A@mm then writes an autorun configuration file named 'autorun.inf' in the root of the drive, pointing to the 'redmond.exe' file listed above. When the removable or networked drive is accessed from another machine with the AutoRun feature enabled, the malware is launched automatically. (Later Windows updates, starting with KB971029 as pushed through Windows Update in 2011, stop honoring autorun.inf on non-optical removable media, but the file remains a reliable indicator of an infected drive.)
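As an added example (not part of the original analysis), the following Python script parses an autorun.inf with a deliberately tolerant hand-rolled parser, lists every program the file would launch (the open= and shellexecute= entries plus every shell\<verb>\command entry) and flags those that point into a RECYCLER\S-1-... folder, as the worm's redmond.exe entry does. Both autorun.inf samples are constructed: the analysis only says the file points at redmond.exe, so the decoy icon, action and shell verb lines, and the benign installer file used for contrast, are assumptions.

```python
"""Extract the launch targets from an autorun.inf and flag ones that point
into a RECYCLER\\S-1-... folder, as the worm's redmond.exe entry does."""
import re

# Constructed sample: the analysis only says the worm's autorun.inf points at
# redmond.exe, so the decoy icon/action lines and shell verbs are assumptions.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Explore
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\explore\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
"""

# A benign installer disc, for contrast (also constructed).
BENIGN_AUTORUN_INF = "[AutoRun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"

# Keys whose value is a program to run, directly or via a shell verb.
LAUNCH_KEYS = {"open", "shellexecute"}
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Genuine Recycle Bin subfolders are named after account SIDs (S-1-5-21-...);
# any program launched from under RECYCLER\S-1-... is suspicious.
RECYCLER_RE = re.compile(r"(?:^|\\)recycler\\s-1-\d+(?:-\d+)+\\", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Hand-rolled rather than configparser-based: malicious autorun.inf files
    often carry junk lines, odd casing or %VAR% strings that a strict INI
    parser rejects, and the shell itself is lenient."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Programs the shell would run for this autorun.inf."""
    return {k: v for k, v in entries.items()
            if k in LAUNCH_KEYS or COMMAND_KEY_RE.match(k)}


def suspicious_targets(entries):
    """Launch targets living under a RECYCLER\\S-1-... folder, sorted by key."""
    return sorted((k, v) for k, v in launch_targets(entries).items()
                  if RECYCLER_RE.search(v))


def report(text):
    """One line per launch target, tagged SUSPICIOUS where it lives in a
    RECYCLER SID-like folder; returns the lines so callers can check them."""
    entries = parse_autorun(text)
    flagged = dict(suspicious_targets(entries))
    return [f"{'SUSPICIOUS' if k in flagged else 'ok'}  {k} = {v}"
            for k, v in sorted(launch_targets(entries).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_AUTORUN_INF) + report(BENIGN_AUTORUN_INF):
        print(line)
```

Running the script prints three SUSPICIOUS lines for the worm-style file and a single ok line for the installer-style file. The same parser can be pointed at the autorun.inf found on a quarantined drive to see exactly which binary a vulnerable host would have executed.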
Peer-to-peer File Sharing
Worm:Win32/Prolaco.A@mm may also spread if certain peer-to-peer programs are installed on the system. It periodically copies itself into the following shared folders, if they exist:

%ProgramFiles%\icq\shared folder
%ProgramFiles%\grokster\my grokster
%ProgramFiles%\emule\incoming
%ProgramFiles%\morpheus\my shared folder
%ProgramFiles%\limewire\shared
%ProgramFiles%\tesla\files
%ProgramFiles%\winmx\shared
It uses the following file names for its copies, chosen to look like cracks, keygens and other popular downloads:
k-lite codec pack 4.0 gold.exe
youtube music downloader 1.0.exe
windows 2008 enterprise server vmware virtual machine.exe
password cracker.exe
adobe acrobat reader keygen.exe
adobe photoshop cs4 crack.exe
vmware keygen.exe
winrar v3.x keygen razor.exe
tcn iso cable modem hacking tools.exe
tcn iso sigmax2 firmware.bin.exe
red alert 3 keygen and trainer.exe
ad-aware 2008.exe
bitdefender antivirus 2009 keygen.exe
norton anti-virus 2009 enterprise crack.exe
ultimate ring tones package1 (beethoven,bach, baris manco,lambada,chopin, greensleves).exe
ultimate ring tones package2 (lil wayne - way of life,khia - my neck my back like my pussy and my crack,mario - let me love you,r. kelly - the worlds greatest).exe
ultimate ring tones package3 (crazy in love, u got it bad, 50 cent - p.i.m.p, jennifer lopez feat. ll cool j - all i have, 50 cent - 21 question).exe
acker dvd ripper 2009.exe
limewire pro v4.18.3.exe
download accelerator plus v8.7.5.exe
opera 10 cracked.exe
internet download manager v5.exe
myspace theme collection.exe
nero 8 ultra edition 8.0.3.0 full retail.exe
motorola, nokia, ericsson mobil phone tools.exe
smart draw 2008 keygen.exe
microsoft visual studio 2008 keygen.exe
absolute video converter 6.2.exe
daemon tools pro 4.11.exe
download boost 2.0.exe
silkroad online guides and wallpapers.exe
alcohol 120 v1.9.7.exe
cleanmypc registry cleaner v6.02.exe
super utilities pro 2009 11.0.exe
power iso v4.2 + keygen axxo.exe
g-force platinum v3.7.5.exe
divx pro 6.8.0.19 + keymaker.exe
perfect keylogger family edition with crack.exe
ultimate xxx password generator 2009.exe
google earth pro 4.2. with maps and crack.exe
xbox360 flashing tools and guide including bricked drive fix.exe
sophos antivirus updater bypass.exe
half life 3 preview 10 minutes gameplay video.exe
winamp.pro.v6.53.powerpack.portable [xmas edition].exe
football manager 2009.exe
wow woltk keygen generator-sfx.exe
joannas horde leveling guide tbc woltk.exe
tuneup ultilities 2008.exe
kaspersky internet security 2009 keygen.exe
Email
Worm:Win32/Prolaco.A@mm may also spread by attaching a copy of itself to email messages that it sends out. The email may be any of the following:

From: noreply@coca-cola.com
Subject: Coca Cola is proud to accounce our new Christmas Promotion.
Message Body:
(Note: The message body is in HTML format. Its background content (logo, search bar, images, scripts and so on) is loaded from the official Coca-Cola website, so the message looks authentic.)
Coca Cola is proud to accounce our new Christmas Promotion.
December, 2008
Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details.
Attachment Name: promotion.zip

From: postcards@hallmark.com
Subject: You've received A Hallmark E-Card!
Message Body:
(Note: The message body is in HTML format. Its background content (images, references and so on) is loaded from the official Hallmark website.)
You have recieved A Hallmark E-Card.
Hello!
You have recieved a Hallmark E-Card from your friend.
To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,
Your friends at Hallmark
Attachment Name: postcard.zip

From: giveaway@mcdonalds.com
Subject: Mcdonalds wishes you Merry Christmas!
Message Body:
(Note: The message body is in HTML format. Its background content is loaded from the official McDonald's website.)
McDonald's is proud to present our latest discount menu.
Simply print the coupon from this Email and head to your local McDonald's for FREE giveaways and AWESOME savings.
Attachment Name: coupon.zip
Payload
Steals Sensitive Information
The worm injects itself into the Windows shell process (Explorer.exe) as a remote thread and acts as a keylogger, capturing the user's keystrokes and storing them in the file '%Windir%\drm.ocx'. The .ocx extension disguises the log as an ActiveX control file.

Backdoor Functionality
The worm connects to the domain 'web1.servebbs.org' (a dynamic DNS host name, so the IP address it resolves to can change) and opens a backdoor through which it receives commands from remote attackers. Backdoor actions may include starting and stopping the keylogger, downloading other malicious files, stealing sensitive information and other potentially dangerous actions.
Modifies System Settings
Worm:Win32/Prolaco.A@mm modifies certain system settings so that its dropped copies can carry out their routines with less interference.

It adds files with certain extensions, including EXE, REG and BAT, to the list of low-risk file types. Windows does not show the Attachment Manager "Open File - Security Warning" prompt for extensions in this list, so files of these types that came from the Internet or from an email attachment open without the usual warning:

Adds value: "LowRiskFileTypes"
With data: ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

It registers one of its dropped copies as an authorized application in the Windows Firewall exception list, so that its network connections are allowed despite the normal firewall policy (the value data has the form path:scope:mode:name):

Adds value: "<system folder>\vxworks.exe"
With data: "<system folder>\vxworks.exe:*:enabled:explorer"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

It also makes the following registry modifications as part of its routine:

Adds value: "free"
With data: "12"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper

Adds value: "CheckExeSignatures"
With data: "1"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Download
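As an added example covering both the Run key persistence described under Installation and the settings above (not part of the original analysis), this Python script evaluates a snapshot of registry values against those indicators. It works on a plain dictionary of subkey -> {value name: data}, as obtained from a hive parser or a `reg export`, so it runs offline; the snapshot is constructed, with <system folder> expanded to C:\Windows\System32 and one benign Run entry added for contrast. The set of executable extensions that should never appear in LowRiskFileTypes is an assumption of this example, not something the analysis lists.

```python
"""Evaluate a registry snapshot against the worm's persistence and
defence-weakening indicators: the Run key entry, the Windows Firewall
AuthorizedApplications exception and the LowRiskFileTypes policy."""
import ntpath

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
LOWRISK_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"

# File names the worm drops (from the analysis), matched case-insensitively.
WORM_FILES = {"vxworks.exe", "qnx.exe", "redmond.exe"}
# Assumed list of extensions that should never be exempted from the
# Attachment Manager zone warning; extend to taste.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".reg",
                   ".msi", ".vbs", ".js", ".hta"}

# Constructed snapshot {subkey: {value name: data}} mirroring the analysis,
# with <system folder> expanded and a benign Run entry added for contrast.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {
        "Wind River Systems": r"C:\Windows\System32\vxworks.exe",
        "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    },
    FIREWALL_KEY: {
        r"C:\Windows\System32\vxworks.exe":
            r"C:\Windows\System32\vxworks.exe:*:enabled:explorer",
    },
    LOWRISK_KEY: {
        "LowRiskFileTypes":
            ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav",
    },
}


def parse_firewall_entry(data):
    """Split a 'path:scope:mode:name' AuthorizedApplications value.
    The path itself contains a colon (C:\\...), so split from the right;
    returns None for data that does not have the expected four fields."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, mode, name = parts
    return {"path": path, "scope": scope, "mode": mode.lower(), "name": name}


def exempted_executable_types(data):
    """Executable extensions present in a LowRiskFileTypes value, sorted."""
    exts = {e.strip().lower() for e in data.split(";") if e.strip()}
    return sorted(exts & EXECUTABLE_EXTS)


def check_registry(snapshot):
    """Return a list of (indicator, detail) findings for one snapshot."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        # Run data may be quoted; compare only the file name.
        if ntpath.basename(data.strip('"')).lower() in WORM_FILES:
            findings.append(("run-key persistence", f"{name} -> {data}"))
    for data in snapshot.get(FIREWALL_KEY, {}).values():
        entry = parse_firewall_entry(data)
        if entry and entry["mode"] == "enabled" \
                and ntpath.basename(entry["path"]).lower() in WORM_FILES:
            findings.append(("firewall exception", entry["path"]))
    lowrisk = snapshot.get(LOWRISK_KEY, {}).get("LowRiskFileTypes")
    if lowrisk:
        exempt = exempted_executable_types(lowrisk)
        if exempt:
            findings.append(("zone warning suppressed", ";".join(exempt)))
    return findings


if __name__ == "__main__":
    for indicator, detail in check_registry(SAMPLE_SNAPSHOT):
        print(f"{indicator:25} {detail}")
```

Note the rsplit in parse_firewall_entry: a naive split on ':' breaks on the drive letter, which is a common bug in scripts that triage this key. The LowRiskFileTypes check is worth keeping even after the worm is removed, since the policy value survives deletion of the binaries and leaves the user without the zone warning for every extension listed.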
Obtains IP Address
This worm also attempts to learn the public IP address of the infected system by querying the website whatismyip.com.
Additional Information
Microsoft Forefront Security Client users whose signature version is 1.47.10 or earlier may see this worm detected as VirTool:Win32/CeeInject.gen!J.
Analysis by Lena Lin