
Worm.P2P.Palevo.AT


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Worm.P2P.Palevo.AT is also known as Win32.HLLW.Lime.18 and P2P-Worm.Win32.Palevo.

Explanation:

When executed, the worm injects its code into explorer.exe, so every action it takes appears to be carried out by Windows Explorer.
The injected code then performs the following actions:

- create a hidden copy of itself as:
c:\RECYCLER\[random_recycler_folder]\nissan.exe
where [random_recycler_folder] is a SID-like name, for example S-1-5-21-9844392106-7672706631-221574024-0507

- add the following registry value:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: Taskman
Value: c:\RECYCLER\[random_recycler_folder]\nissan.exe
Winlogon runs the program named in this value at logon, so the worm is started again after every system reboot.

- create a hidden file named desktop.ini in the same folder as nissan.exe with the following contents:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
This CLSID is the Recycle Bin's, so the folder containing nissan.exe is shown with the Recycle Bin icon instead of the folder icon. Opening it in Windows Explorer shows the contents of the Recycle Bin rather than the two files it actually holds: nissan.exe and desktop.ini.

Spreading methods:

- via removable drives, by copying itself to ZALJUBITdousiju.exe on every removable drive that is used and dropping an autorun.inf that points to that copy
- via MSN Messenger
- via the shared folders of P2P clients such as BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+ and LimeWire
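The three host artifacts described above (the desktop.ini that disguises the RECYCLER subfolder as the Recycle Bin, the Winlogon\Taskman value, and the autorun.inf on removable drives) are simple to hunt for once the files have been collected. The script below is an added example, not BitDefender's code: it parses contents already pulled from a suspect host or disk image (a directory listing, desktop.ini, a .reg export of the Winlogon key, autorun.inf) and flags the same pattern for any executable name, not just nissan.exe. The sample inputs, the folder name, the .reg text and the helper names are constructed for the example; the assumption that a default installation has no Taskman value, and that Windows XP renames recycled files to D<drive><n>.<ext>, are stated in the code.

```python
"""Artifact triage for the host traces described in this entry: the
desktop.ini disguise under RECYCLER, the Winlogon\\Taskman persistence value
and the autorun.inf dropped on removable drives. Added example, not
BitDefender's code; it runs over contents already collected from a suspect
host or disk image (directory listings, desktop.ini, a .reg export,
autorun.inf). All sample inputs below are constructed."""
import re

# Recycle Bin shell folder CLSID; a desktop.ini carrying it makes Explorer
# render the folder as the Recycle Bin.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# The worm's folder name imitates the SID-named per-user recycle folders.
SID_FOLDER_RE = re.compile(r"^S-1-5-21(?:-\d+){3,4}$")
# Assumption: Windows XP renames files moved to the Recycle Bin to
# D<drive><n>.<ext> (e.g. Dc1.exe); an executable under its original name
# does not belong in a recycle folder.
RECYCLED_NAME_RE = re.compile(r"^D[a-z]\d+(\.[^.]*)?$", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".dll")
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_ini(text):
    """Tolerant INI reader used for desktop.ini, autorun.inf and .reg exports.
    Returns {section (lowercased): {key (lowercased): value}}; comments and
    lines without '=' (such as the .reg header) are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def hidden_executables(desktop_ini_text, listing):
    """Executables hiding in a folder whose desktop.ini turns it into a fake
    Recycle Bin. Returns [] when the CLSID is not the Recycle Bin's."""
    clsid = parse_ini(desktop_ini_text).get(".shellclassinfo", {}).get("clsid", "")
    if clsid.upper() != RECYCLE_BIN_CLSID:
        return []
    return [name for name in listing
            if name.lower().endswith(EXEC_EXT) and not RECYCLED_NAME_RE.match(name)]


def taskman_value(reg_export_text):
    """Taskman value under Winlogon from a .reg export, with the doubled
    backslashes of the .reg format collapsed, or None if the value is absent."""
    winlogon = parse_ini(reg_export_text).get(WINLOGON_KEY.lower(), {})
    value = winlogon.get('"taskman"')
    return None if value is None else value.strip('"').replace("\\\\", "\\")


def autorun_target(autorun_text):
    """Program an autorun.inf launches via open=, shellexecute= or a
    shell\\<verb>\\command= entry, or None."""
    auto = parse_ini(autorun_text).get("autorun", {})
    for key in ("open", "shellexecute"):
        if auto.get(key):
            return auto[key]
    for key, value in auto.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            return value
    return None


def triage(folder_name, desktop_ini_text, listing, reg_export_text, autorun_text):
    """Combine the three checks into a list of findings (empty = nothing found)."""
    findings = []
    if SID_FOLDER_RE.match(folder_name):
        for exe in hidden_executables(desktop_ini_text, listing):
            findings.append(f"fake Recycle Bin folder {folder_name} hides {exe}")
    taskman = taskman_value(reg_export_text)
    if taskman:  # assumption: the value is absent by default, so any setting deserves a look
        findings.append(f"Winlogon\\Taskman persistence -> {taskman}")
    target = autorun_target(autorun_text)
    if target:
        findings.append(f"autorun.inf launches {target}")
    return findings


# Constructed samples modelled on the artifacts described in this entry.
SAMPLE_FOLDER = "S-1-5-21-9844392106-7672706631-221574024-0507"
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n"
SAMPLE_LISTING = ["desktop.ini", "nissan.exe"]
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
    '"Shell"="Explorer.exe"\r\n'
    '"Taskman"="c:\\\\RECYCLER\\\\' + SAMPLE_FOLDER + '\\\\nissan.exe"\r\n'
)
SAMPLE_AUTORUN = "[autorun]\r\nopen=ZALJUBITdousiju.exe\r\naction=Open folder to view files\r\n"

if __name__ == "__main__":
    for finding in triage(SAMPLE_FOLDER, SAMPLE_DESKTOP_INI, SAMPLE_LISTING,
                          SAMPLE_REG, SAMPLE_AUTORUN):
        print(finding)
```

On a live host the same inputs come from a directory listing of each c:\RECYCLER\S-1-5-21-* folder (hidden files included), a `reg export` of the Winlogon key and the root of each removable drive; the fake-folder check deliberately ignores the real Recycle Bin's own desktop.ini and INFO2 index and only reports executables that were not renamed by the shell.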

To avoid AV detection the worm is encrypted, it defeats emulation, and it will not run if VMware, Sandboxie or a debugger is detected.
It carries Microsoft Word version information and a GIF file icon, to mislead the user into executing it and to look harmless when seen in Task Manager or Process Explorer.

Last update 21 November 2011

 
