Worm:Win32/Prolaco.T is a worm that spreads via email, removable drives and network shares. It drops and executes other malware.
Installation
When executed, the malware copies itself to the following location:
%system%\Adobcen.exe
Worm:Win32/Prolaco.T then sets the following registry entry to ensure execution at each Windows start:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Updater c6
%system%\Adobcen.exe
The worm adds itself to the Windows Firewall authorized applications list (so its network activity is not blocked) and attempts to disable User Account Control (UAC).
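To check a host for the installation artifacts just described, here is an added triage script (example code, not part of the original description or of any Microsoft tooling). It treats the Run value name and the file names above as the indicators. Two details are assumptions, because the description does not name them: that "disabling UAC" means setting EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and that the firewall authorized applications list is the XP/2003-era registry list under SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List. The evaluators take plain dictionaries, so they also run against an exported triage set on any OS; only collect_windows() needs Windows.

```python
r"""Triage check for the Prolaco.T installation artifacts listed in the description.

Added example, not code from the original write-up. Evaluators are pure functions so they can be
run on any OS against values collected from a host; collect_windows() is a live collector for
Windows. ASSUMPTIONS (not stated in the write-up): UAC state is read from EnableLUA under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the firewall list is the
XP/2003 AuthorizedApplications\List key."""
import ntpath
import sys

RUN_VALUE_NAME = "Adobe Reader Updater c6"        # persistence value name from the write-up
DROPPED_FILES = {"adobcen.exe", "adobepc01.exe"}  # worm copy, and the observed dropper file name


def exe_basename(command):
    """Lower-cased basename of the program in a command line ("quoted path" args | path args)."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        command = command.split(" ", 1)[0]
    return ntpath.basename(command).lower()


def check_run_entries(run_values):
    """run_values: {value_name: data} from HKCU\Software\Microsoft\Windows\CurrentVersion\Run."""
    findings = []
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' is the Prolaco.T persistence entry -> {data}")
        elif exe_basename(str(data)) in DROPPED_FILES:
            findings.append(f"Run value '{name}' launches a Prolaco.T file -> {data}")
    return findings


def check_uac(enable_lua):
    """enable_lua: the EnableLUA DWORD, or None if the value is absent (UAC defaults to on)."""
    return enable_lua == 0


def check_firewall_list(authorized_apps):
    """authorized_apps: program paths present in the firewall authorized applications list."""
    return [p for p in authorized_apps if exe_basename(p) in DROPPED_FILES]


def report(run_values, enable_lua, authorized_apps):
    lines = check_run_entries(run_values)
    if check_uac(enable_lua):
        lines.append("UAC is disabled (EnableLUA=0); Prolaco.T attempts this")
    lines += [f"Firewall authorized applications list contains {p}"
              for p in check_firewall_list(authorized_apps)]
    return lines


def collect_windows():
    """Live collection (Windows only). Returns (run_values, enable_lua, authorized_apps)."""
    import winreg

    def values(hive, path):
        out = {}
        try:
            with winreg.OpenKey(hive, path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:        # no more values
                        break
                    out[name] = data
                    index += 1
        except OSError:                    # key absent
            pass
        return out

    run = values(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")
    policy = values(winreg.HKEY_LOCAL_MACHINE,
                    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
    firewall = values(winreg.HKEY_LOCAL_MACHINE,
                      r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                      r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
    # In the List key the value *names* are the program paths.
    return run, policy.get("EnableLUA"), list(firewall)


if __name__ == "__main__":
    if sys.platform == "win32":
        args = collect_windows()
    else:  # constructed sample export, so the evaluators can be exercised anywhere
        args = ({"Adobe Reader Updater c6": r"C:\WINDOWS\system32\Adobcen.exe",
                 "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
                0,
                [r"C:\WINDOWS\system32\Adobcen.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"])
    for line in report(*args) or ["no Prolaco.T installation artifacts found"]:
        print(line)
```

The name-based match is the weakest part of this: a later variant only has to change the value name or file name, so pair it with a hash or signer check on whatever the Run entries actually point at.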
Spreads via…
Email
The worm checks the following locations for email addresses:
- The file specified in this registry entry:
HKCU\Software\Microsoft\WAB\WAB4\Wab File Name
- The following directories under %userprofile%:
Temporary Internet Files
Local Settings
- All non-RAMDISK drives from C: to Y:
Worm:Win32/Prolaco.T looks for filenames with the following extensions:
txt
htm
xml
php
asp
dbx
log
nfo
lst
rtf
wpd
wps
xls
doc
wab
The worm avoids email addresses with the following usernames:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
me
bugs
rating
site
contact
soft
no
somebody
privacy
service
help
not
submit
sales
ca
gold-certs
the.bat
page
Worm:Win32/Prolaco.T also avoids email addresses that contain the following substrings:
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
websense
certific
security
cisco
syman
panda
avira
f-secure
sopho
www.ca.com
ahnlab
novirusthanks
prevx
drweb
bitdefender
clamav
eset.com
ikarus
mcafee
kaspersky
virusbuster
badware
immunityinc.com
avg.com
sysinternals
borlan
inpris
lavasoft
jgsoft
ghisler.com
wireshark
winpcap
acdnet.com
acdsystems.com
acd-group
bpsoft.com
buyrar.com
bluewin.ch
quebecor.com
alcatel-lucent.com
ssh.com
winamp
nullsoft.org
example
mydomai
nodomai
ruslis
virus
.gov
gov.
.mil
messagelabs
honeynet
honeypot
idefense
qualys
spm
spam
www
secur
abuse
.com
Emails are constructed by choosing at random from the following sets of sender addresses, subjects and bodies:
- Email from Address can be one of the following:
- e-cards@hallmark.com
- invitations@twitter.com
- invitations@hi5.com
- order-update@amazon.com
- resume-thanks@google.com
- update@facebookmail.com
- Email Subject can be one of the following:
- You have received A Hallmark E-Card!
- Your friend invited you to Twitter!
- Cindy would like to be your friend on hi5!
- Shipping update for your Amazon.com order
- Thank you from Google!
- You have got a new message on Facebook!
- Email Body can contain the following text:
- You have received A Hallmark E-Card.
Hello!
You have received a Hallmark E-Card from your friend.
To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,
Your friends at Hallmark
- Your friend invited you to twitter!
Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:
What are you doing?
To join or to see who invited you, check the attachment.
- Meet new people and keep up with friends on hi5.
Cindy would like to be your friend on hi5!
I set up a hi5 profile and I want to add you as a friend so we can share pictures and start building our network. First see your invitation card I attached! Once you join, you will have a chance to create a profile, share pictures, and find friends.
- Shipping update for your Amazon.com order
Please check the attachment and confirm your shipping details.
- Gmail - Thank you from Google!
We just received your resume and would like to thank you for your interest in working at Google. This email confirms that your application has been submitted for an open position.
Our staffing team will carefully assess your qualifications for the role(s) you selected and others that may be a fit. Should there be a suitable match, we will be sure to get in touch with you.
Click on the attached file to review your submitted application.
Have fun and thanks again for applying to Google!
Google Staffing
- Facebook
You have got a personal message on Facebook from your friend.
To read it please check the attachment.
Thanks,
The Facebook Team
The worm is attached to the email inside a zip file, which can have one of the following names:
- Postcard
- Invitation Card
- Shipping documents
- Facebook message
[Screenshot from the original page: an example of an email sent by the worm; the image is not reproduced here.]
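The lure is entirely static (fixed spoofed senders, fixed subjects, four attachment names), which makes it easy to match at a mail gateway. The following added example (not part of the original description) parses a message with Python's email module and scores it against those sets; the message it builds in build_sample() is constructed for the demonstration, and its "zip" is a few placeholder bytes rather than a real archive.

```python
"""Mail-gateway style detection of the Prolaco.T lure described above.

Added example, not code from the original write-up. The spoofed senders, subjects and attachment
names are the ones listed in the description; build_sample() constructs a demo message."""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

LURE_SENDERS = {
    "e-cards@hallmark.com", "invitations@twitter.com", "invitations@hi5.com",
    "order-update@amazon.com", "resume-thanks@google.com", "update@facebookmail.com",
}
LURE_SUBJECTS = {s.lower() for s in (
    "You have received A Hallmark E-Card!",
    "Your friend invited you to Twitter!",
    "Cindy would like to be your friend on hi5!",
    "Shipping update for your Amazon.com order",
    "Thank you from Google!",
    "You have got a new message on Facebook!",
)}
LURE_ATTACHMENTS = {"postcard", "invitation card", "shipping documents", "facebook message"}


def lure_indicators(msg):
    """msg: email.message.EmailMessage. Returns the list of matched indicators."""
    hits = []
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in LURE_SENDERS:
        hits.append(f"from:{sender}")
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()  # unfold and squeeze whitespace
    if subject in LURE_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".zip" and stem.strip().lower() in LURE_ATTACHMENTS:
            hits.append(f"attachment:{name}")
    return hits


def is_prolaco_lure(msg):
    """Verdict: a lure-named zip plus at least one spoofed header. Requiring the zip keeps genuine
    notification mail from these senders out of the match; the worm always arrives as the attachment."""
    hits = lure_indicators(msg)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2


def parse(raw_bytes):
    """Parse a raw RFC 5322 message (e.g. read from a .eml file) into an EmailMessage."""
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def build_sample(sender, subject, attachment_name):
    """Constructed demo message in the shape the write-up describes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "someone@example.org"
    msg["Subject"] = subject
    msg.set_content("Hello!\nYou have received a Hallmark E-Card from your friend.\n"
                    "To see it, check the attachment.")
    msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a real archive",
                       maintype="application", subtype="zip", filename=attachment_name)
    return msg


if __name__ == "__main__":
    for sample in (build_sample("e-cards@hallmark.com", "You have received A Hallmark E-Card!", "Postcard.zip"),
                   build_sample("alice@example.com", "photos from the trip", "photos.zip")):
        parsed = parse(sample.as_bytes())
        print(is_prolaco_lure(parsed), lure_indicators(parsed))
```

Exact-match sets are appropriate here because the worm does not vary the text; for a more robust rule, also match on the body phrases above ("check the attachment" plus the brand name), since the sender can trivially be changed by a later variant.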
Removable drives
The worm enumerates all removable drives on the system except A: and B:. On each drive found, it creates the following file:
\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
and writes an autorun.inf file that launches it when the drive is opened. When the drive is then connected to a computer with Autorun enabled, the worm runs automatically. Note that the folder name imitates a security identifier but uses identifier authority 6; real Windows account SIDs take the form S-1-5-21-..., so a RECYCLER subfolder with this name is a useful indicator on its own.
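As an added example (not code from the original description), the following script parses an autorun.inf from a removable drive, extracts what it would launch, and flags the RECYCLER path pattern. It generalises the check beyond this one sample: any launch target under a RECYCLER folder whose SID-like name does not use identifier authority 5 is reported, and any launch target under RECYCLER at all is reported as suspicious, since that folder never legitimately holds autorun targets. The autorun.inf text in SAMPLE_INF is constructed to mirror the description.

```python
r"""Inspect a removable drive's autorun.inf for the launch target and the RECYCLER\<SID> pattern.

Added example, not code from the original write-up. The parser honours open=, shellexecute= and
shell\<verb>\command= entries, the keys Autorun uses to launch a program. The SID check is general:
real Windows account SIDs are S-1-5-21-..., so a RECYCLER subfolder named S-1-6-21-... cannot be a
recycle bin for any account."""
import os
import re

PROLACO_PAYLOAD = r"\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe"  # from the write-up
SID_DIR = re.compile(r"^S-1-(\d+)(?:-\d+)+$", re.IGNORECASE)


def autorun_targets(inf_text):
    """Programs an autorun.inf would launch, in order of appearance."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def program_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def recycler_sid_anomaly(path):
    """True if path passes through RECYCLER\<S-1-X-...> with identifier authority X != 5."""
    parts = path.replace("/", "\\").split("\\")
    for i in range(len(parts) - 1):
        if parts[i].lower() == "recycler":
            match = SID_DIR.match(parts[i + 1])
            if match and int(match.group(1)) != 5:
                return True
    return False


def assess_autorun(inf_text):
    """List of (target, reason) for suspicious launch targets."""
    findings = []
    for target in autorun_targets(inf_text):
        program = program_of(target)
        normalised = program.lower().lstrip(".\\")
        if normalised == PROLACO_PAYLOAD.lower().lstrip(".\\"):
            findings.append((target, "exact Prolaco.T payload path"))
        elif recycler_sid_anomaly(program):
            findings.append((target, "launches from a RECYCLER folder with a non-account SID name"))
        elif "recycler" in normalised.split("\\"):
            findings.append((target, "launches from RECYCLER, which never legitimately holds autorun targets"))
    return findings


def scan_drive(root):
    """Check a mounted drive root (e.g. 'E:\\') for autorun.inf and for the payload file itself."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, "r", encoding="utf-8", errors="ignore") as f:
            findings += assess_autorun(f.read())
    payload = os.path.join(root, PROLACO_PAYLOAD.lstrip("\\"))
    if os.path.isfile(payload):
        findings.append((payload, "Prolaco.T payload file present"))
    return findings


SAMPLE_INF = r"""[autorun]
open=\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
"""  # constructed to mirror the write-up; the real file's exact contents are not given there

if __name__ == "__main__":
    import sys
    for target, reason in assess_autorun(SAMPLE_INF):
        print(f"{reason}: {target}")
    for root in sys.argv[1:]:                # e.g. python check_autorun.py E:\
        for item, reason in scan_drive(root):
            print(f"{reason}: {item}")
```

The line-by-line parser is used instead of configparser on purpose: autorun.inf files written by worms are often padded with junk lines that a strict INI parser rejects, and the launch keys are the only thing the check needs.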
Remote drives
The worm enumerates drives C: to Y: looking for network (remote) drives. On each one found, it searches for .exe and .msi files whose names contain any of the following strings:
setup
inst
activa
crack
keygen
If a matching file is found, the worm replaces it with a self-extracting CAB executable containing a copy of the worm and the original (clean) file. When the replaced file is run, both are extracted and executed, so the original program still appears to run normally.
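To hunt a share for files that have been replaced this way, here is an added example (not from the original description). The name filter is the list above; the content checks are heuristics added here and are labelled strong or weak accordingly: an .msi that begins with the PE "MZ" header cannot be a genuine Windows Installer package (those are OLE compound files, magic D0 CF 11 E0 A1 B1 1A E1), whereas an .exe that embeds a CAB header ("MSCF", the CAB file signature) may simply be an ordinary self-extracting installer. The demo share is constructed with tempfile.

```python
"""Hunt a share for installer/keygen files of the kind Prolaco.T overwrites.

Added example, not code from the original write-up. Name filter: the five substrings from the
description. Content checks are heuristics added here: a .msi starting with 'MZ' is a strong hit
(a real MSI is an OLE compound file), a .exe embedding a CAB header is only a weak hit because many
legitimate installers embed CABs. Treat weak hits as a review list and compare hashes with
known-good copies."""
import os
import tempfile

NAME_HINTS = ("setup", "inst", "activa", "crack", "keygen")
TARGET_EXT = {".exe", ".msi"}
CAB_MAGIC = b"MSCF"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_candidate_name(filename):
    stem, ext = os.path.splitext(filename)
    return ext.lower() in TARGET_EXT and any(hint in stem.lower() for hint in NAME_HINTS)


def classify(path):
    """Return a verdict string for a candidate file, or None if nothing stands out."""
    with open(path, "rb") as f:
        head = f.read(8)
        if path.lower().endswith(".msi"):
            if head[:2] == b"MZ":
                return "strong: .msi is a PE executable, not an OLE/MSI package"
            if head != OLE_MAGIC:
                return "weak: .msi does not carry the OLE compound-file header"
            return None
        if head[:2] != b"MZ":
            return None                      # not a PE at all; outside this check's scope
        f.seek(0)
        tail = b""
        while True:
            chunk = f.read(1 << 20)
            if not chunk:
                return None
            if CAB_MAGIC in tail + chunk:    # tail keeps 3 bytes so a signature split across reads is seen
                return "weak: executable embeds a CAB archive (self-extracting CAB?)"
            tail = chunk[-3:]


def hunt(root):
    """Walk a share and return [(path, verdict)] for candidate files that classify() flags."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not is_candidate_name(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path)
            except OSError:                  # unreadable file; skip rather than abort the walk
                continue
            if verdict:
                findings.append((path, verdict))
    return findings


def summarize(findings):
    """{basename: verdict} view of hunt() output."""
    return {os.path.basename(path): verdict for path, verdict in findings}


def make_demo_share():
    """Constructed directory standing in for a mapped network drive."""
    root = tempfile.mkdtemp(prefix="prolaco_demo_")
    samples = {
        "setup.exe": b"MZ" + b"\0" * 600 + CAB_MAGIC + b"\0" * 100,  # SFX-CAB-like overwrite
        "install.msi": b"MZ" + b"\0" * 200,                             # PE wearing an .msi name
        "Activate.msi": OLE_MAGIC + b"\0" * 200,                        # genuine-looking MSI header
        "readme.txt": b"not a candidate",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for path, verdict in hunt(make_demo_share()):
        print(f"{verdict}: {path}")
```

On a real share, run hunt() against the mapped drive root and feed the strong hits straight to containment; the weak hits are worth a look only where the file's modification time or hash differs from the copy the software owner distributes.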
Shared folders
The worm checks for the presence of the following file-sharing and messaging programs:
Kazaa
DCPlusPlus
Frostwire
icq
grokster
emule
morpheus
limewire
tesla
winmx
If any are present, Worm:Win32/Prolaco.T copies itself into their shared folders under one of the following names, chosen to look like pirated software, cracks and key generators:
K-Lite Mega Codec v5.5.1.exe
YouTubeGet 5.4.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
K-Lite Mega Codec v5.6.1 Portable.exe
Adobe Photoshop CS4 crack.exe
VmWare 7.0 keygen.exe
WinRAR v3.x keygen RaZoR.exe
Twitter FriendAdder 2.1.1.exe
PDF Unlocker v2.0.3.exe
Image Size Reducer Pro v1.0.1.exe
Anti-Porn v13.5.12.29.exe
Norton Internet Security 2010 crack.exe
Kaspersky AntiVirus 2010 crack.exe
PDF-XChange Pro.exe
Windows 7 Ultimate keygen.exe
RapidShare Killer AIO 2010.exe
Ashampoo Snap 3.02.exe
Blaze DVD Player Pro v6.52.exe
Adobe Illustrator CS4 crack.exe
Rapidshare Auto Downloader 3.8.exe
Trojan Killer v2.9.4173.exe
PDF to Word Converter 3.0.exe
Google SketchUp 7.1 Pro.exe
McAfee Total Protection 2010.exe
Mp3 Splitter and Joiner Pro v3.48.exe
Youtube Music Downloader 1.0.exe
Adobe Acrobat Reader keygen.exe
VmWare keygen.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Ad-aware 2010.exe
BitDefender AntiVirus 2010 Keygen.exe
Norton Anti-Virus 2010 Enterprise Crack.exe
Total Commander7 license+keygen.exe
LimeWire Pro v4.18.3.exe
Download Accelerator Plus v9.exe
Internet Download Manager V5.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Absolute Video Converter 6.2.exe
Daemon Tools Pro 4.11.exe
Download Boost 2.0.exe
Avast 4.8 Professional.exe
Grand Theft Auto IV (Offline Activation).exe
Alcohol 120 v1.9.7.exe
CleanMyPC Registry Cleaner v6.02.exe
Super Utilities Pro 2009 11.0.exe
Power ISO v4.2 + keygen axxo.exe
G-Force Platinum v3.7.5.exe
Divx Pro 7 + keymaker.exe
Magic Video Converter 8 0 2 18.exe
Sophos antivirus updater bypass.exe
DVD Tools Nero 10.5.6.0.exe
Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
PDF password remover (works with all acrobat reader).exe
Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
Windows2008 keygen and activator.exe
Tuneup Ultilities 2010.exe
Kaspersky Internet Security 2010 keygen.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Starcraft2 Patch v0.2.exe
Starcraft2 keys.txt.exe
Starcraft2 Crack.exe
Starcraft2 Oblivion DLL.exe
Starcraft2.exe
Payload
Drops and executes other malware
Win32/Prolaco can drop and execute other families of malware, such as Trojan:Win32/Dursg; we have observed variants being dropped as:
%system%\adobepc01.exe
Terminates processes
The worm attempts to terminate the following processes:
mcvsshld.exe
McProxy.exe
mps.exe
mcmscsvc.exe
mcpromgr.exe
McNASvc.exe
mcagent.exe
Mcshield.exe
HWAPI.exe
RedirSvc.exe
emproxy.exe
mcsysmon.exe
mcods.exe
MpfSrv.exe
msksrver.exe
mskagent.exe
PShost.exe
TPSRV.exe
avciman.exe
APvxdwin.exe
Pavbckpt.exe
iface.exe
PSCtrlS.exe
PavFnSvr.exe
PavPrSrv.exe
PsIMSVC.exe
psksvc.exe
PAVSRV51.exe
AVENGINE.exe
Webproxy.exe
SrvLoad.exe
avgnt.exe
guardgui.exe
avcenter.exe
avguard.exe
avgwdsvc.exe
avgrsx.exe
avgtray.exe
avgemc.exe
avgcsrvx.exe
avgui.exe
xcommsvr.exe
seccenter.exe
bdss.exe
bdagent.exe
livesrv.exe
ekrn.exe
egui.exe
sbamtray.exe
sbamui.exe
K7TSMngr.exe
K7RTScan.exe
K7EmlPxy.exe
K7SysTry.exe
K7TSecurity.exe
drweb32w.exe
drwebupw.exe
spidergui.exe
avp.exe
pccnt.exe
NTRtScan.exe
TmListen.exe
FPWin.exe
FprotTray.exe
FPAVServer.exe
SavService.exe
SavMain.exe
AlMon.exe
SavAdminService.exe
ALSvc.exe
Rav.exe
RavTask.exe
RavMon.exe
RavmonD.exe
RavStub.exe
CCenter.exe
isafe.exe
vsserv.exe
vetmsg.exe
ashdisp.exe
ashserv.exe
Deletes services
The worm attempts to stop and delete the following services:
aswupdsv
avast! Antivirus
avast! Mail Scanner
avast! Web Scanner
avg8wd
avg8emc
antivirservice
AntiVirSchedulerService
XCOMM
LIVESRV
bdss
scan
VSSERV
Arrakis3
CaCCProvSP
Emproxy
McAfee HackerWatch Service
MCNASVC
MPFSERVICE
MPS9
mcpromgr
mcproxy
mcshield
mcredirector
mcODS
mcmscsvc
msk80service
mcsysmon
mcmisupdmgr
Ehttpsrv
ekrn
sdauxservice
sdcodeservice
ThreatFire
sbamsvc
FPAVServer
RSCCenter
RSRavMon
K7EmlPxy
K7RTScan
K7TSMngr
navapsvc
npfmntor
nscservice
liveupdate
LiveUpdate Notice Service
SAVScan
Symantec Core LC
ccEvtMgr
sndsrvc
ccproxy
ccpwdsvc
ccsetmgr
spbbcsvc
Savservice
Savadminservice
Sophos Autoupdate Service
PAVSVR
PAVFNSVR
GWMSRV
PSHOST
PSIMSVC
PAVPRSRV
PSKSVCRETAIL
PANDA SOFTWARE CONTROLLER
TPSRV
WinDefend
wscsvc
ERSvc
WerSvc
AVP
Deletes registry keys
The worm checks the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and deletes the following values from it, if present, removing the autostart entries of security products:
SBAMTray
sbamui
cctray
CAVRID
BDAgent
egui
avast!
AVG8_TRAY
ISTray
K7SystemTray
K7TSStart
SpIDerMail
DrWebScheduler
AVP
OfficeScanNT Monitor
SpamBlocker
Spam Blocker for Outlook Express
F-PROT Antivirus Tray application
RavTask
APVXDWIN
SCANINICIO
McENUI
MskAgentexe
Windows Defender
Analysis by Ray Roberts