
Worm:JS/Proslikefan.C


First posted on 27 April 2013.
Source: Microsoft

Aliases:

Worm:JS/Proslikefan.C is also known as JS/Autorun.worm.aacz (McAfee).

Explanation:

Installation

When run, this worm creates two hidden folders with random names. It drops a copy of itself, also with a random name, into the following folders:

  • %ProgramFiles%\<random folder name>
  • %APPDATA%\<random folder name>
  • <startup folder>


For example:

  • %ProgramFiles%\5f415\5e4.js
  • %AppData%\4049\565f5.js
  • <startup folder>\051.js


It creates the following registry entry so that it runs whenever Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "565f5"
With data: "%AppData%\4049\565f5.js"

Spreads via...

Removable drives and network shares

This worm tries to spread itself across all drives, including removable drives and network shares. To spread, it creates a file named "autorun.inf" in each folder. If this file is run from a computer that has AutoRun enabled, it automatically runs the worm copy. The INF file is detected as Worm:INF/Proslikefan.C.

File-sharing networks

This worm also creates a randomly named .ZIP file, which it copies to folders used by file-sharing programs, such as the following:

  • ares\my shared folder
  • bearshare\shared
  • edonkey2000\incoming
  • emule\incoming
  • grokster\my grokster
  • icq\shared folder
  • kazaa lite k++\my shared folder
  • kazaa lite\my shared folder
  • kazaa\my shared folder
  • limewire\shared
  • morpheus\my shared folder
  • My Documents\FrostWire\Shared
  • tesla\files
  • winmx\shared


Payload

Lowers computer security

This worm lowers your computer's security by making the following changes:

  • Turns off Security Center notifications and overrides for antivirus, firewall, and automatic updates, stops infection reports to the Malicious Software Removal Tool, and turns off the Windows Firewall:

    In subkey: HKLM\Software\Microsoft\Security Center
    Sets value: "AntiVirusDisableNotify"
    With data: "1"

    In subkey: HKLM\Software\Microsoft\Security Center
    Sets value: "FirewallDisableNotify"
    With data: "1"

    In subkey: HKLM\Software\Microsoft\Security Center
    Sets value: "UpdatesDisableNotify"
    With data: "1"

    In subkey: HKLM\Software\Microsoft\Security Center
    Sets value: "AntiVirusOverride"
    With data: "1"

    In subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
    Sets value: "FirewallOverride"
    With data: "1"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Sets value: "NoWindowsUpdate"
    With data: "1"

    In subkey: HKLM\SOFTWARE\Policies\Microsoft\MRT
    Sets value: "DontReportInfectionInformation"
    With data: "1"

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Sets value: "EnableFirewall"
    With data: "0"

  • Turns off system restore:

    In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    Sets value: "DisableConfig"
    With data: "1"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    Sets value: "SystemRestoreDisableSR"
    With data: "1"

  • Disables Task Manager and Registry Editor:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
    Sets value: "DisableTaskMgr"
    With data: "1"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
    Sets value: "DisableRegistryTools"
    With data: "1"

  • Disables the Windows Security Center service:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Sets value: "Start"
    With data: "4"



Prevents security-related processes from running

This worm prevents the following antivirus programs from running:

  • Alwil Software
  • AVAST Software
  • AVG
  • Avira
  • ESET
  • F-Secure
  • Kaspersky Lab
  • Malwarebytes' Anti-Malware
  • McAfee
  • Microsoft Security Client
  • Microsoft Security Essentials
  • Panda Security
  • Spyware Doctor
  • Symantec
  • Trend Micro


Changes other computer settings

This worm makes other changes to your computer settings, such as:

  • Stops Windows Explorer from showing hidden files, which conceals the worm's hidden folders:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "Hidden"
    With data: "2"

  • Hides file extensions when you view files using Windows Explorer:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "HideFileExt"
    With data: "1"

  • Prevents you from changing the Internet Explorer start page:

    In subkey: HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
    Sets value: "HomePage"
    With data: "1"

  • Stops Windows from parsing the file "autoexec.bat" at logon, if it exists on your computer:

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "ParseAutoexec"
    With data: "0"

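A defender-side audit of the registry indicators listed in the Installation and Payload sections above, written as an added example (it is not part of Microsoft's write-up): it parses a .reg export offline and reports any documented value present with the worm's data, plus Run entries that launch a .js file, as in the %AppData% example. The indicator table is copied from this page; the parser, the function names and the sample export are constructed here.

```python
import re
# Indicator table copied from this page: subkey -> {value name: data the worm writes}.
INDICATORS = {
    r"HKLM\Software\Microsoft\Security Center": {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1,
                                                 "UpdatesDisableNotify": 1, "AntiVirusOverride": 1},
    r"HKLM\SOFTWARE\Microsoft\Security Center\Svc": {"FirewallOverride": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoWindowsUpdate": 1},
    r"HKLM\SOFTWARE\Policies\Microsoft\MRT": {"DontReportInfectionInformation": 1},
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile": {"EnableFirewall": 0},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore": {"DisableConfig": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion": {"SystemRestoreDisableSR": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies": {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc": {"Start": 4},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 2},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"HideFileExt": 1},
    r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel": {"HomePage": 1},
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon": {"ParseAutoexec": 0},
}
BAD = {(k.lower(), n.lower()): v for k, names in INDICATORS.items() for n, v in names.items()}  # registry paths are case-insensitive
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".lower()  # persistence key from the Installation section

def parse_reg_export(text):
    """Parse a .reg export into {(subkey, value name): data}; DWORDs become ints, hive names become hklm/hkcu."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^\[(.+)\]$", line):  # a [HKEY_...\path] header starts a new subkey
            key = m.group(1).lower().replace("hkey_local_machine", "hklm", 1).replace("hkey_current_user", "hkcu", 1)
        elif key and (m := re.match(r'^"(.+?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)):
            name, dword, s = m.groups()  # .reg string data escapes backslashes as \\, so undo that
            values[(key, name.lower())] = int(dword, 16) if dword else s.replace("\\\\", "\\")
    return values

def find_indicators(values):
    """Report documented settings found with the worm's data, plus Run entries that launch a .js file."""
    findings = []
    for (key, name), data in values.items():
        if BAD.get((key, name)) == data:
            findings.append(f"{key}\\{name} = {data}")
        elif key == RUN_KEY and isinstance(data, str) and data.lower().endswith(".js"):
            findings.append(f"Run entry {name!r} launches a script: {data}")
    return findings

# Constructed sample export (not a real capture): one Security Center value matches the page, one does not.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"565f5"="C:\\Users\\user\\AppData\\Roaming\\4049\\565f5.js"
"""
```

Running `find_indicators(parse_reg_export(SAMPLE_EXPORT))` on the constructed export yields two findings: the AntiVirusDisableNotify setting and the Run entry for the .js copy; the FirewallDisableNotify value of 0 is not reported because it differs from the data the worm writes.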


Contacts a remote server

This worm tries to contact a remote command-and-control (C&C) server to download configuration files and updates. In the wild, we have observed it trying to connect to the following servers:

  • jsh37.net
  • nnh42.name
  • rss.thepiratebay.org


It gathers information about your computer, such as the version of Windows you are running and your processor's architecture type, and sends it back to these servers.



Analysis by Wei Li

Last update 27 April 2013
