Worm:Win32/Prolaco.gen!E is a generic detection of a worm that spreads via e-mail message attachments, removable drives and shared folders of P2P applications. This worm also lowers security settings and disables certain security software and services.
Installation
When run, this worm creates the following files:
- %windir%\daemontools.exe - Worm:Win32/Prolaco.gen!E
- %windir%\system32\Googleuy.exe - Worm:Win32/Prolaco.gen!C
- %windir%\system32\runocx13.exe - Worm:Win32/Prolaco.gen!E
- %USERPROFILE%\Application Data\SystemProc\lsass.exe - Worm:Win32/Prolaco.gen!E
The registry is modified to run the dropped copy at each Windows start.
Adds value: "Google Updater 5"
With data: "C:\WINDOWS\system32\Googleuy.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "RTHDBPL"
With data: "%USERPROFILE%\Application Data\SystemProc\lsass.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The worm modifies the Windows firewall policy to allow access to external resources.
Adds value: "C:\WINDOWS\system32\Googleuy.exe"
With data: "C:\WINDOWS\system32\Googleuy.exe:*:Enabled:Explorer"
To subkey: HKLM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Spreads via…
Peer-to-peer file sharing
The worm attempts to drop copies of itself into the shared folders of numerous peer-to-peer (P2P) applications, including the following:
C:\program files\icq\shared folder\
C:\program files\grokster\my grokster\
C:\program files\emule\incoming\
C:\program files\morpheus\my shared folder\
C:\program files\limewire\shared\
C:\program files\tesla\files\
C:\program files\winmx\shared\
C:\Downloads\
The worm may also check registry data to identify the download directory of the P2P application Kazaa. It then creates copies of itself in the above-mentioned folders under the following file names:
K-Lite Mega Codec v5.5.1.exe
YouTubeGet 5.4.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
K-Lite Mega Codec v5.6.1 Portable.exe
Adobe Photoshop CS4 crack.exe
VmWare 7.0 keygen.exe
WinRAR v3.x keygen RaZoR.exe
Twitter FriendAdder 2.1.1.exe
PDF Unlocker v2.0.3.exe
Image Size Reducer Pro v1.0.1.exe
Anti-Porn v13.5.12.29.exe
Norton Internet Security 2010 crack.exe
Kaspersky AntiVirus 2010 crack.exe
PDF-XChange Pro.exe
Windows 7 Ultimate keygen.exe
RapidShare Killer AIO 2010.exe
Ashampoo Snap 3.02.exe
Blaze DVD Player Pro v6.52.exe
Adobe Illustrator CS4 crack.exe
Rapidshare Auto Downloader 3.8.exe
sdTrojan Killer v2.9.4173.exe
PDF to Word Converter 3.0.exe
Google SketchUp 7.1 Pro.exe
McAfee Total Protection 2010.exe
Mp3 Splitter and Joiner Pro v3.48.exe
Youtube Music Downloader 1.0.exe
Adobe Acrobat Reader keygen.exe
VmWare keygen.exe
AnyDVD HD v.6.3.1.8 Beta incl crack.exe
Ad-aware 2010.exe
BitDefender AntiVirus 2010 Keygen.exe
Norton Anti-Virus 2010 Enterprise Crack.exe
Total Commander7 license+keygen.exe
LimeWire Pro v4.18.3.exe
Download Accelerator Plus v9.exe
Internet Download Manager V5.exe
Myspace theme collection.exe
Nero 9 9.2.6.0 keygen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Absolute Video Converter 6.2.exe
Daemon Tools Pro 4.11.exe
Download Boost 2.0.exe
Avast 4.8 Professional.exe
Grand Theft Auto IV (Offline Activation).exe
Alcohol 120 v1.9.7.exe
CleanMyPC Registry Cleaner v6.02.exe
Super Utilities Pro 2009 11.0.exe
Power ISO v4.2 + keygen axxo.exe
G-Force Platinum v3.7.5.exe
Divx Pro 7 + keymaker.exe
Magic Video Converter 8 0 2 18.exe
Sophos antivirus updater bypass.exe
DVD Tools Nero 10.5.6.0.exe
Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
PDF password remover (works with all acrobat reader).exe
Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
Windows2008 keygen and activator.exe
Tuneup Ultilities 2010.exe
Kaspersky Internet Security 2010 keygen.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Starcraft2 Patch v0.2.exe
Starcraft2 keys.txt.exe
Starcraft2 Crack.exe
Starcraft2 Oblivion DLL.exe
Starcraft2.exe
E-mail as an attachment
Worm:Win32/Prolaco.gen!E gathers e-mail addresses from data files having the following file extensions:
txt
htm
xml
php
asp
dbx
log
nfo
lst
rtf
xml
wpd
wps
xls
doc
wab
While gathering target e-mail addresses, the worm skips any address that contains one of the following strings:
berkeley
unix
bsd
mit.e
gnu
fsf.
ibm.com
debian
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
sun.com
isi.e
isc.o
secur
acketst
pgp
apache
gimp
tanford.e
utgers.ed
mozilla
firefox
suse
redhat
sourceforge
slashdot
samba
cisco
syman
panda
avira
f-secure
sopho
www.ca.com
ahnlab
novirusthanks
prevx
drweb
bitdefender
clamav
eset.com
ikarus
mcafee
kaspersky
virusbuster
badware
immunityinc.com
avg.com
sysinternals
borlan
inpris
lavasoft
jgsoft
ghisler.com
wireshark
winpcap
acdnet.com
acdsystems.com
acd-group
bpsoft.com
buyrar.com
bluewin.ch
quebecor.com
alcatel-lucent.com
ssh.com
winamp
nullsoft.org
example
mydomai
nodomai
ruslis
virus
.gov
gov.
.mil
messagelabs
honeynet
honeypot
security
idefense
qualys
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
bugs
rating
site
contact
soft
somebody
privacy
service
help
not
submit
sales
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
websense
certific
security
spam
spm
spam
www
secur
abuse
The worm then constructs an outbound e-mail message with a spoofed "from" address from one of the following options:
e-cards@hallmark.com
invitations@twitter.com
invitations@hi5.com
order-update@amazon.com
resume-thanks@google.com
The subject of the message is selected from one of the following options:
You have received A Hallmark E-Card!
Your friend invited you to twitter!
Jessica would like to be your friend on hi5!
Shipping update for your Amazon.com order 254-71546325-658732
Thank you from Google!
The content of the message is in HTML format with text related to the subject line of the message as in the following examples:
The worm then attempts to send the constructed e-mail messages directly through mail servers guessed from common host-name prefixes on the affected user's domain (%s is replaced by the domain):
mx.%s
mail.%s
smtp.%s
mx1.%s
mxs.%s
mail1.%s
relay.%s
ns.%s
gate.%s
The attached file may be named one of the following:
javant.exe
javan.exe
Googleuy.exe
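The sender addresses, subject lines and attachment names above are exact strings, which makes them easy to turn into a gateway or SIEM rule. The following is an added example (not code from the original entry or from the vendor) that parses a raw message with Python's standard e-mail library and reports which of the listed indicators it matches; the two sample messages are constructed for the demonstration.

```python
"""Mail-gateway triage rule built from the e-mail indicators on this page.

Added example, not code from the original entry or from the vendor. It
parses a raw RFC 822 message with the standard library and reports which
of the listed indicators (spoofed sender, subject line, attachment name)
it matches. Both sample messages below are constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr

# Indicators exactly as listed in the entry.
SPOOFED_SENDERS = {
    "e-cards@hallmark.com",
    "invitations@twitter.com",
    "invitations@hi5.com",
    "order-update@amazon.com",
    "resume-thanks@google.com",
}
SUBJECTS = {
    "You have received A Hallmark E-Card!",
    "Your friend invited you to twitter!",
    "Jessica would like to be your friend on hi5!",
    "Shipping update for your Amazon.com order 254-71546325-658732",
    "Thank you from Google!",
}
ATTACHMENT_NAMES = {"javant.exe", "javan.exe", "googleuy.exe"}


def match_indicators(raw_message: str) -> list[str]:
    """Return the indicators the message matches, in header order."""
    msg = message_from_string(raw_message)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in SPOOFED_SENDERS:
        hits.append(f"from:{sender}")
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():          # multipart: visit every MIME part
        name = part.get_filename()
        if name and name.lower() in ATTACHMENT_NAMES:
            hits.append(f"attachment:{name}")
    return hits


def is_prolaco_lure(raw_message: str) -> bool:
    """True when a listed attachment name arrives together with a listed
    sender or subject. Requiring the attachment keeps a colleague's
    'have you seen this?' mail that merely quotes the subject from firing."""
    hits = match_indicators(raw_message)
    has_attachment = any(h.startswith("attachment:") for h in hits)
    has_header = any(h.startswith("from:") or h == "subject" for h in hits)
    return has_attachment and has_header


# Constructed sample, shaped after the Hallmark lure described above.
SAMPLE_MESSAGE = """\
From: "Hallmark" <e-cards@hallmark.com>
To: victim@example.com
Subject: You have received A Hallmark E-Card!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>You have received a Hallmark E-Card.</body></html>
--b1
Content-Type: application/octet-stream; name="javant.exe"
Content-Disposition: attachment; filename="javant.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed benign message: same subject line, no attachment.
BENIGN_MESSAGE = """\
From: colleague@example.com
To: victim@example.com
Subject: You have received A Hallmark E-Card!

Saw this lure in my quarantine today, heads up.
"""

if __name__ == "__main__":
    print(match_indicators(SAMPLE_MESSAGE))
    print(is_prolaco_lure(SAMPLE_MESSAGE), is_prolaco_lure(BENIGN_MESSAGE))
```

The sender match on its own is weak evidence, since the From header is spoofed and any forwarded copy carries it too; the verdict therefore hinges on the attachment name, with the header indicators only raising confidence.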
Removable drives
Worm:Win32/Prolaco.gen!E copies itself to removable drives as the following:
<drive:>\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
It then creates a configuration file "<drive:>\Desktop.ini" so that the icon for removable drives appears as a folder icon when viewed in Windows Explorer. In addition, the icon for the worm appears as a "closed folder" or file folder when viewed in Windows Explorer.
The worm creates "<drive:>\Autorun.inf" which launches the worm copy when the removable drive is attached to a computer that has Autoplay enabled. The message displayed could request an action by the user such as "Click to Open folder to view files". If the user selects this choice, it could execute the worm copy.
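The removable-drive mechanism described above rests on two small INI files: an Autorun.inf whose launch entry points at an executable hidden under a RECYCLER\S-1-... path, dressed up with a folder icon and an "open folder" action string, and a Desktop.ini that changes the drive's icon. The following added example (not from the original entry) parses such files with Python's configparser and flags those traits; the sample files are constructed, with the SID path taken from the entry.

```python
"""Triage of the Autorun.inf and Desktop.ini found on a removable drive,
as an added example (not from the original entry). It parses the INI text
with configparser and flags the traits described above: a launch entry
pointing into a RECYCLER\\S-1-... path, an 'open folder' action string
used as the AutoPlay lure, and an icon override. Sample files are
constructed; the SID path is the one the entry lists.
"""
import configparser
import re

# Keys an Autorun.inf can use to launch a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
RECYCLER_SID_RE = re.compile(r"recycler\\s-1-\d+(?:-\d+)+\\[^\\]+\.exe\s*$", re.IGNORECASE)
LURE_RE = re.compile(r"open\s+folder|view\s+files", re.IGNORECASE)


def _parse_ini(text: str) -> configparser.ConfigParser:
    # interpolation=None: values carry %SystemRoot%-style tokens;
    # strict=False: real files repeat keys; only '=' delimits, as paths contain ':'.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def _section(cp, name):
    # INI section names are case-insensitive on Windows; configparser's are not.
    return next((cp[s] for s in cp.sections() if s.lower() == name.lower()), None)


def triage_autorun(text: str) -> dict:
    """Summarise what an Autorun.inf would do and whether it looks like the
    folder-mimicking dropper described in the entry."""
    result = {"launch_targets": [], "recycler_sid_path": False,
              "open_folder_lure": False, "icon_override": False}
    sec = _section(_parse_ini(text), "autorun")
    if sec is None:
        result["verdict"] = "no [autorun] section"
        return result
    for key in LAUNCH_KEYS:
        if key in sec:
            target = sec[key].strip().strip('"')
            result["launch_targets"].append(target)
            if RECYCLER_SID_RE.search(target):
                result["recycler_sid_path"] = True
    result["open_folder_lure"] = bool(LURE_RE.search(sec.get("action", "")))
    result["icon_override"] = "icon" in sec
    if not result["launch_targets"]:
        result["verdict"] = "no launch entry"
    elif result["recycler_sid_path"] or result["open_folder_lure"] or result["icon_override"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "launches program"
    return result


def desktop_ini_overrides_icon(text: str) -> bool:
    """True when a Desktop.ini sets a custom icon via [.ShellClassInfo]."""
    sec = _section(_parse_ini(text), ".ShellClassInfo")
    return sec is not None and any(k in sec for k in ("iconfile", "iconresource"))


# Constructed Autorun.inf modelled on the behaviour described above.
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\shell32.dll,3
action=Click to Open folder to view files
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
"""

# Constructed Desktop.ini that re-skins the drive with a folder-style icon.
SAMPLE_DESKTOP_INI = r"""[.ShellClassInfo]
IconFile=%SystemRoot%\system32\shell32.dll
IconIndex=3
"""

# Constructed harmless Autorun.inf that only labels the volume.
BENIGN_AUTORUN = r"""[autorun]
label=Backup Drive
"""

if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN))
    print(desktop_ini_overrides_icon(SAMPLE_DESKTOP_INI))
```

A launch entry under a RECYCLER\S-1-... directory is the strongest single signal here: the real Recycle Bin directory on a drive is named after the user's SID, and nothing legitimate needs Autorun.inf to run a program from inside it. Disabling AutoPlay on removable media (the entry notes the lure only works where it is enabled) removes the execution path regardless of what the file says.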
Payload
Lowers Security Settings
Worm:Win32/Prolaco.gen!E makes the following changes to an infected computer, which result in lowered security settings:
Disables User Account Control (UAC) in Windows Vista
Sets value: "UACDisableNotify"
With data: "01, 00, 00, 00"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Disables running the Administrator account in Admin Approval Mode
Sets value: "EnableLUA"
With data: "00, 00, 00, 00"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
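The registry values the entry lists under Installation (the two Run persistence entries and the firewall exception) and here under Lowers Security Settings (UACDisableNotify and EnableLUA) are all concrete enough to check on a host. The following added example (not from the original entry) does that: the registry reader is injected, so on Windows the winreg_reader reads the live registry, while the dict-backed reader lets the logic run offline against a constructed picture of an infected host built from the data on the page. The firewall subkey is written with its SYSTEM\ component, which is the standard HKLM layout and is omitted in the entry's listing.

```python
"""Host triage for the registry artifacts this entry lists: the two Run
persistence values, the firewall AuthorizedApplications exception and the
two UAC-related values. Added example, not part of the original entry.
The registry reader is injected: on Windows pass winreg_reader; anywhere
else (and in the demo below) a dict-backed reader stands in so the logic
runs offline. INFECTED_HOST is constructed from the values on the page.
"""
from typing import Callable, Union

RegValue = Union[str, int, bytes, None]
Reader = Callable[[str, str, str], RegValue]


def _contains(needle: str):
    return lambda v: isinstance(v, str) and needle.lower() in v.lower()


def _flag(expected: int):
    # Accepts a REG_DWORD or 4 little-endian bytes: the entry shows the
    # data as "01, 00, 00, 00", so both storage forms are handled.
    def pred(v):
        if isinstance(v, int) and not isinstance(v, bool):
            return v == expected
        if isinstance(v, (bytes, bytearray)) and len(v) >= 4:
            return int.from_bytes(v[:4], "little") == expected
        return False
    return pred


# (hive, subkey, value name, predicate on the data, finding label).
# The firewall subkey carries its SYSTEM\ component (standard HKLM layout,
# not shown in the entry's own listing).
CHECKS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run",
     "Google Updater 5", _contains("Googleuy.exe"), "Run-key persistence (Googleuy.exe)"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "RTHDBPL", _contains(r"SystemProc\lsass.exe"), "Policies\\Explorer\\Run persistence (fake lsass.exe)"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
             r"\StandardProfile\AuthorizedApplications\List",
     r"C:\WINDOWS\system32\Googleuy.exe", _contains(":*:Enabled:"), "firewall exception for Googleuy.exe"),
    ("HKLM", r"SOFTWARE\Microsoft\Security Center",
     "UACDisableNotify", _flag(1), "Security Center UAC notifications disabled"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA", _flag(0), "UAC disabled (EnableLUA=0)"),
]


def scan(reader: Reader) -> list[str]:
    """Return the labels of every check whose value is present and matches."""
    findings = []
    for hive, subkey, name, pred, label in CHECKS:
        value = reader(hive, subkey, name)
        if value is not None and pred(value):
            findings.append(label)
    return findings


def make_dict_reader(store: dict) -> Reader:
    """Reader over a {(hive, subkey, name): data} dict; registry paths are
    case-insensitive, so keys are normalised on both sides."""
    norm = {(h.upper(), s.lower(), n.lower()): v for (h, s, n), v in store.items()}
    return lambda hive, subkey, name: norm.get((hive.upper(), subkey.lower(), name.lower()))


def winreg_reader(hive: str, subkey: str, name: str) -> RegValue:
    """Live reader for Windows hosts; the import is deferred so the module
    still loads on other platforms."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:          # key or value absent
        return None


# Constructed picture of an infected host, using the data listed in the entry.
INFECTED_HOST = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Google Updater 5"):
        r"C:\WINDOWS\system32\Googleuy.exe",
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", "RTHDBPL"):
        r"%USERPROFILE%\Application Data\SystemProc\lsass.exe",
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
             r"\StandardProfile\AuthorizedApplications\List", r"C:\WINDOWS\system32\Googleuy.exe"):
        r"C:\WINDOWS\system32\Googleuy.exe:*:Enabled:Explorer",
    ("HKLM", r"SOFTWARE\Microsoft\Security Center", "UACDisableNotify"): b"\x01\x00\x00\x00",
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 0,
}

# Constructed clean host: UAC on, no Run entries, no firewall exception.
CLEAN_HOST = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 1,
}

if __name__ == "__main__":
    for finding in scan(make_dict_reader(INFECTED_HOST)):
        print("FINDING:", finding)
```

On a live host, run it as `scan(winreg_reader)`; the HKCU check reads the current user's hive, so run it under the account that was logged in when the infection was suspected. A lsass.exe that lives under Application Data\SystemProc rather than %windir%\system32 is the giveaway in the second finding: the name is borrowed from a legitimate system process to blend into a process list.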
Terminates processes and services
The worm stops processes and services for various security-related applications including the following:
Stops the following processes:
egui.exe
sbamtray.exe
sbamui.exe
K7TSMngr.exe
K7RTScan.exe
K7EmlPxy.exe
K7SysTry.exe
K7TSecurity.exe
drweb32w.exe
drwebupw.exe
spidergui.exe
avp.exe
pccnt.exe
NTRtScan.exe
TmListen.exe
FPWin.exe
FprotTray.exe
FPAVServer.exe
SavService.exe
SavMain.exe
AlMon.exe
SavAdminService.exe
ALSvc.exe
Rav.exe
RavTask.exe
RavMon.exe
RavmonD.exe
RavStub.exe
CCenter.exe
isafe.exe
vsserv.exe
vetmsg.exe
ashdisp.exe
ashserv.exe
Shuts down the following services:
McAfee HackerWatch Service
MCNASVC
MPFSERVICE
MPS9
mcpromgr
mcproxy
mcshield
mcredirector
mcODS
mcmscsvc
msk80service
mcsysmon
mcmisupdmgr
Ehttpsrv
ekrn
sdauxservice
sdcodeservice
ThreatFire
sbamsvc
FPAVServer
RSCCenter
RSRavMon
K7EmlPxy
K7RTScan
K7TSMngr
navapsvc
npfmntor
nscservice
liveupdate
LiveUpdate Notice Service
SAVScan
Symantec Core LC
ccEvtMgr
sndsrvc
ccproxy
ccpwdsvc
ccsetmgr
spbbcsvc
Savservice
Savadminservice
Sophos Autoupdate Service
PAVSVR
PAVFNSVR
GWMSRV
PSHOST
PSIMSVC
PAVPRSRV
PSKSVCRETAIL
PANDA SOFTWARE CONTROLLER
TPSRV
WinDefend
wscsvc
ERSvc
WerSvc
AVP
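A worm that walks a list like this leaves a distinctive trace in the System event log: many Service Control Manager stop events (event 7036, "The X service entered the stopped state.") for security services within a few seconds, which normal operation rarely produces. The following added example (not from the original entry) implements that burst detection over constructed log lines in a simple pipe-delimited form, timestamp|event id|message, using a representative subset of the service names above.

```python
"""Burst detection over Service Control Manager stop events, as an added
example (not from the original entry). The log lines are constructed in a
simple pipe-delimited shape, timestamp|event id|message, carrying the
message text of event 7036 ("The X service entered the stopped state.").
SECURITY_SERVICES is a representative subset of the names listed above.
"""
import re
from datetime import datetime, timedelta

# Subset of the service names listed in the entry (short names and display
# names both appear there; comparison is case-insensitive).
SECURITY_SERVICES = {s.lower() for s in (
    "McAfee HackerWatch Service", "mcshield", "mcproxy", "mcsysmon", "ekrn",
    "sbamsvc", "ThreatFire", "navapsvc", "ccEvtMgr", "Savservice",
    "Sophos Autoupdate Service", "PAVSVR", "WinDefend", "wscsvc", "ERSvc",
    "WerSvc", "AVP",
)}

STOP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|7036\|"
    r"The (?P<svc>.+?) service entered the stopped state\.$"
)


def parse_stop_events(lines):
    """Yield (timestamp, service name) for each event 7036 line; other
    events (e.g. 7035, stop control sent) are ignored."""
    for line in lines:
        m = STOP_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("svc")


def detect_kill_burst(lines, window_seconds=60, threshold=3):
    """Return the security services stopped inside the densest window of
    window_seconds, provided at least threshold distinct ones stopped;
    otherwise an empty list."""
    events = sorted(parse_stop_events(lines))
    window = timedelta(seconds=window_seconds)
    best: set = set()
    for i, (t0, _) in enumerate(events):
        hit = {svc for t, svc in events[i:]
               if t - t0 <= window and svc.lower() in SECURITY_SERVICES}
        if len(hit) >= threshold and len(hit) > len(best):
            best = hit
    return sorted(best, key=str.lower)


# Constructed System-log excerpt: one routine stop, then a burst.
SAMPLE_LOG = """\
2010-03-01 09:58:11|7036|The Print Spooler service entered the stopped state.
2010-03-01 10:15:02|7036|The McAfee HackerWatch Service service entered the stopped state.
2010-03-01 10:15:02|7036|The mcshield service entered the stopped state.
2010-03-01 10:15:03|7036|The WinDefend service entered the stopped state.
2010-03-01 10:15:04|7035|The wscsvc service was successfully sent a stop control.
2010-03-01 10:15:04|7036|The wscsvc service entered the stopped state.
2010-03-01 11:40:19|7036|The wscsvc service entered the stopped state.
""".splitlines()

# Constructed quiet day: a single security service restart, no burst.
QUIET_LOG = """\
2010-03-02 08:00:00|7036|The WinDefend service entered the stopped state.
2010-03-02 08:00:05|7036|The WinDefend service entered the running state.
""".splitlines()

if __name__ == "__main__":
    print(detect_kill_burst(SAMPLE_LOG))
```

The threshold and window are the tuning knobs: a product upgrade legitimately stops its own services together, so correlating the burst with a preceding unexpected process start (the dropped Googleuy.exe or the fake lsass.exe) rather than alerting on the burst alone keeps the rule quiet during maintenance.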
Deletes files
Worm:Win32/Prolaco.gen!E deletes numerous files that are associated with various security applications including the following:
mcvsshld.exe
McProxy.exe
mps.exe
mcmscsvc.exe
mcpromgr.exe
McNASvc.exe
mcagent.exe
Mcshield.exe
HWAPI.exe
RedirSvc.exe
emproxy.exe
mcsysmon.exe
mcods.exe
MpfSrv.exe
msksrver.exe
mskagent.exe
PShost.exe
TPSRV.exe
avciman.exe
APvxdwin.exe
Pavbckpt.exe
iface.exe
PSCtrlS.exe
PavFnSvr.exe
PavPrSrv.exe
PsIMSVC.exe
psksvc.exe
PAVSRV51.exe
AVENGINE.exe
Webproxy.exe
SrvLoad.exe
avgnt.exe
guardgui.exe
avcenter.exe
avguard.exe
avgwdsvc.exe
avgrsx.exe
avgtray.exe
avgemc.exe
avgcsrvx.exe
avgui.exe
xcommsvr.exe
seccenter.exe
bdss.exe
bdagent.exe
livesrv.exe
ekrn.exe
avp.exe
Additional Information
The worm connects to the Web site "whatismyip.com" to retrieve the public IP address of the infected machine. The worm also queries the following WHOIS servers to perform additional lookups:
gin.ntt.net
whois.ripe.net
whois.afrinic.net
whois.v6nic.net
whois.nic.or.kr
whois.apnic.net
whois.nic.ad.jp
whois.arin.net
whois.lacnic.net
whois.nic.br
whois.twnic.net
rwhois.gin.ntt.net
Worm:Win32/Prolaco.gen!E also creates Mozilla Firefox overlay files as the following:
- %ProgramFiles%\Mozilla Firefox\extensions\install.rdf
- %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
Analysis by Jaime Wong