Worm:Win32/Prolaco.C is a worm that spreads via e-mail, removable drives and peer-to-peer file sharing networks. This worm also lowers security settings and installs Win32/Vundo.
Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.
Installation
This worm may arrive on the affected system via a spoofed e-mail with a file attachment named "Invitation Card.zip", "postcard.zip", "promotion.zip" or similar.
Within the archive is an executable disguised as a data file, for example "document.doc" or "postcard.htm", followed by an ".exe" or ".scr" file extension. In the wild, we have observed the worm use the following extensions to mask itself:
.doc
.htm
.pdf
.chm
.txt
.jpg
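The double-extension pattern above ("document.doc.exe", "postcard.htm.scr") is easy to check for at a mail gateway before the archive ever reaches a user. The following is an added example, not code from the Microsoft entry: it opens a zip attachment in memory and reports any executable entry, with a specific reason when the name pairs one of the listed data extensions with .exe or .scr. The archive built by build_sample_zip is constructed dummy data, and all function names are this example's own.

```python
import io
import zipfile
from typing import List, Tuple

# Data-file extensions the entry lists as disguises (lower case, with dot).
DISGUISE_EXTS = {".doc", ".htm", ".pdf", ".chm", ".txt", ".jpg"}
# Executable extensions the entry says the worm actually carries.
EXEC_EXTS = {".exe", ".scr"}


def is_disguised_executable(name: str) -> bool:
    """True for names like 'document.doc.exe' or 'postcard.htm.scr'.

    Zip entries may carry a path, so only the last path component is examined.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 3:
        return False
    outer = "." + parts[-1]
    inner = "." + parts[-2]
    return outer in EXEC_EXTS and inner in DISGUISE_EXTS


def scan_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every suspicious entry in a zip blob.

    Any executable inside the archive is reported; a double extension gets a
    more specific reason so the alert explains the lure.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if is_disguised_executable(name):
                findings.append((name, "executable disguised with a data-file extension"))
            elif any(name.lower().endswith(ext) for ext in EXEC_EXTS):
                findings.append((name, "executable in attachment"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the 'postcard.zip' lure; the entry bodies
    are dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postcard.htm.scr", b"MZ dummy")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip_attachment(build_sample_zip()):
        print(f"{entry}: {reason}")
```

The check is deliberately name-based so it can run before any content scanning; a gateway policy would normally quarantine on the generic "executable in attachment" reason as well.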
Worm:Win32/Prolaco.C creates the following files upon execution:
- <system folder>\windaemon.exe --> a copy of the worm
- <system folder>\daemonhelper.exe --> detected as Trojan:Win32/Vundo.gen!AA
It modifies the registry to execute its copy at each Windows start.
Adds value: "Daemon Tools"
With data: "<system folder>\windaemon.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
The name of the dropped worm copy may change; for example, another instance of Worm:Win32/Prolaco.C may create a file named "googlemapper.exe".
Spreads Via…
E-mail
Win32/Prolaco.C harvests the e-mail addresses it sends itself to from files on the affected computer with the following extensions:
.doc
.htm
.pdf
.chm
.txt
.jpg
The worm then performs mail exchanger (MX) queries for the domain names in the gathered e-mail addresses to find the associated mail server. Win32/Prolaco also guesses the mail server host name by substituting each domain for %s in the following templates:
mx.%s
mail.%s
smtp.%s
mx1.%s
mxs.%s
mail1.%s
relay.%s
ns.%s
gate.%s
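The host-name templates above leave a recognisable footprint in resolver logs: one client resolving mx., mail., smtp., mx1. and so on for the same domain, and repeating that across many domains, is behaving like a built-in spam engine rather than a mail client. The following detection logic is an added example, not part of the Microsoft entry. It assumes a constructed log format of "<timestamp> <client-ip> <queried-name>" and the thresholds (three listed prefixes for a domain, at least two such domains) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Host-name prefixes the entry lists; the worm substitutes a domain for %s.
GUESS_PREFIXES = frozenset(
    ("mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate"))

# Assumed log format: "<timestamp> <client-ip> <queried-name>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample: 192.0.2.10 walks the prefix list for two domains,
# 192.0.2.20 performs ordinary lookups.
SAMPLE_LOG = """\
2009-03-02T10:00:01 192.0.2.10 mx.example.com
2009-03-02T10:00:01 192.0.2.10 mail.example.com
2009-03-02T10:00:02 192.0.2.10 smtp.example.com
2009-03-02T10:00:02 192.0.2.10 mx1.example.com
2009-03-02T10:00:03 192.0.2.10 mx.example.net
2009-03-02T10:00:03 192.0.2.10 mail.example.net
2009-03-02T10:00:04 192.0.2.10 relay.example.net
2009-03-02T10:00:05 192.0.2.20 mail.example.org
2009-03-02T10:00:06 192.0.2.20 www.example.com
""".splitlines()


def split_guess(qname: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, domain) when qname is '<listed prefix>.<domain>', else None."""
    qname = qname.rstrip(".").lower()
    label, _, rest = qname.partition(".")
    if label in GUESS_PREFIXES and "." in rest:
        return label, rest
    return None


def find_mx_guessers(lines, min_prefixes: int = 3,
                     min_domains: int = 2) -> Dict[str, List[str]]:
    """Map client IP -> sorted domains for which it tried at least min_prefixes
    of the listed prefixes. Only clients doing so for at least min_domains
    domains are returned; a lone mail./mx. lookup is ordinary traffic."""
    seen = defaultdict(lambda: defaultdict(set))  # client -> domain -> {prefix}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        hit = split_guess(qname)
        if hit:
            prefix, domain = hit
            seen[client][domain].add(prefix)
    flagged: Dict[str, List[str]] = {}
    for client, domains in seen.items():
        guessed = sorted(d for d, prefixes in domains.items()
                         if len(prefixes) >= min_prefixes)
        if len(guessed) >= min_domains:
            flagged[client] = guessed
    return flagged


if __name__ == "__main__":
    for client, domains in find_mx_guessers(SAMPLE_LOG).items():
        print(f"{client}: MX-guessing pattern against {', '.join(domains)}")
```

On a real resolver the same logic also points at the simplest mitigation: workstations have no business resolving and connecting to arbitrary mail servers, so egress on TCP/25 from anything other than the organisation's mail relay can be blocked outright.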
The e-mail message created by the worm may have the following or a similar format:
From: e-cards@hallmark.com
Subject: You have received A Hallmark E-Card!
Attachment: "postcard.zip"
(Note: the message body is in HTML format. The background content, such as images and references, is rendered from the official Hallmark website.)
P2P file sharing networks
Win32/Prolaco copies itself to the following shared folders of popular peer-to-peer file sharing applications:
%ProgramFiles%\icq\shared folder\
%ProgramFiles%\grokster\my grokster\
%ProgramFiles%\emule\incoming\
%ProgramFiles%\morpheus\my shared folder\
%ProgramFiles%\limewire\shared\
%ProgramFiles%\tesla\files\
%ProgramFiles%\winmx\shared\
C:\Downloads\
The worm may create copies of itself in these folders with the following enticing filenames:
Absolute Video Converter 6.2.exe
Ad-aware 2009.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Avast 4.8 Professional.exe
AVS video converter6.exe
BitDefender AntiVirus 2009 Keygen.exe
CheckPoint ZoneAlarm And AntiSpy.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
DVD Tools Nero 9 2 6 0.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Grand Theft Auto IV (Offline Activation).exe
Internet Download Manager V5.exe
K-Lite codec pack 3.10 full.exe
K-Lite codec pack 4.0 gold.exe
Kaspersky Internet Security 2009 keygen.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
Microsoft Office 2007 Home and Student keygen.exe
Microsoft Visual Studio 2008 KeyGen.exe
Microsoft.Windows 7 Beta1 Build 7000 x86.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 9.62 International.exe
PDF password remover (works with all acrobat reader).exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Smart Draw 2008 keygen.exe
Sony Vegas Pro 8 0b Build 219.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe
Removable drives
The worm spreads by copying itself to any removable drive as the following files:
<drive:>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
<drive:>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini
Worm:Win32/Prolaco then writes an autorun configuration file named 'autorun.inf' that points to the 'redmond.exe' listed above. When the removable or networked drive is accessed from another machine that supports the Autorun feature, the malware is launched automatically.
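A drive-root triage for the layout described above, added here as an example and not code from the Microsoft entry. It parses autorun.inf with a small INI reader, reports any launch key (open=, shellexecute=, shell\open\command=) that runs a program out of RECYCLER or any other executable, and then inspects RECYCLER itself: per-user Recycle Bin folders are named after the account SID, and user and group account SIDs begin with S-1-5-21, so a subfolder such as the S-1-6-21-... name in the entry is flagged as a heuristic. build_sample_drive writes a constructed mock of the layout into a temporary directory with dummy files; the autorun.inf content is constructed here, as the entry does not quote it.

```python
import os
import re
import shutil
import tempfile
from typing import Dict, List

# autorun.inf keys that can launch a program when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}
# Heuristic: user/group account SIDs are S-1-5-21-<domain triple>-<rid>.
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$", re.IGNORECASE)
EXE_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd")


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI reader for the [autorun] section: lower-cased key -> value."""
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def scan_drive_root(root: str) -> List[str]:
    """Return human-readable findings for a drive root (or any mounted folder)."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            cfg = parse_autorun(fh.read())
        for key in sorted(LAUNCH_KEYS.intersection(cfg)):
            target = cfg[key].strip('"').lower().replace("/", "\\")
            if "recycler" in target.split("\\"):
                findings.append(f"autorun.inf {key}= launches from RECYCLER: {cfg[key]}")
            elif target.endswith(EXE_EXTS):
                findings.append(f"autorun.inf {key}= launches an executable: {cfg[key]}")
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for sub in sorted(os.listdir(recycler)):
            path = os.path.join(recycler, sub)
            if not os.path.isdir(path):
                continue
            if not USER_SID_RE.match(sub):
                findings.append(f"RECYCLER subfolder not named after a user SID: {sub}")
            for name in sorted(os.listdir(path)):
                if name.lower().endswith(EXE_EXTS):
                    findings.append(f"executable inside Recycle Bin folder: RECYCLER\\{sub}\\{name}")
    return findings


def build_sample_drive(infected: bool = True) -> str:
    """Constructed mock drive root with dummy files (not malware).

    infected=True mirrors the layout the entry lists; infected=False builds a
    benign root with an ordinary S-1-5-21 Recycle Bin folder and no autorun.inf.
    """
    root = tempfile.mkdtemp(prefix="prolaco_demo_")
    sid = ("S-1-6-21-2434476521-1645641927-702000330-1542" if infected
           else "S-1-5-21-1111111111-2222222222-3333333333-1001")
    sid_dir = os.path.join(root, "RECYCLER", sid)
    os.makedirs(sid_dir)
    with open(os.path.join(sid_dir, "Desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\n")
    if infected:
        with open(os.path.join(sid_dir, "redmond.exe"), "wb") as fh:
            fh.write(b"dummy")
        # Constructed autorun.inf; the real file's content is not quoted in the entry.
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(f"[autorun]\nopen=RECYCLER\\{sid}\\redmond.exe\n")
    return root


if __name__ == "__main__":
    root = build_sample_drive()
    for finding in scan_drive_root(root):
        print(finding)
    shutil.rmtree(root)
```

The autorun.inf parser is intentionally tolerant (comments, mixed case, quoted values), because the file only has to be accepted by the shell, not be well formed; the durable mitigation is disabling Autorun for removable media via policy, after which the file is inert.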
Payload
Lowers security settings
Win32/Prolaco.C makes the following changes to an infected system, which lower its security settings:
- Adds the worm as an authorized application in the Windows firewall policy by modifying the registry:
Sets value: "<system folder>\windaemon.exe"
With data: "<system folder>\windaemon.exe:*:enabled:explorer"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- Disables update notifications and the auto-update feature for Windows:
Sets value: "UACDisableNotify"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Additional Information
Win32/Prolaco.C connects to the Web site 'whatismyip.com' to retrieve the IP address of the infected machine.