
JS.Proslikefan.B


First posted on 04 November 2014.
Source: Symantec

Aliases :

There are no other names known for JS.Proslikefan.B.

Explanation :

The worm may be spread through USB drives.

When the worm is executed, it may copy itself to the following locations:
%Driveletter%:\.Trashes\[CALCULATED VALUE]\[CALCULATED VALUE].js
%UserProfile%\Local Settings\Temp\[CALCULATED VALUE].js
%UserProfile%\[CALCULATED VALUE].js
%UserProfile%\AppData\Roaming\[CALCULATED VALUE].js
Note: [CALCULATED VALUE] is determined by the worm and may be a random number or a randomly selected piece of system information.

The worm may create the following hidden folder on USB drives:
%Driveletter%:\.Trashes\[CALCULATED VALUE]\
The worm may copy a clean wscript.exe to the following locations:
%UserProfile%\[1][2][3].exe
%UserProfile%\AppData\Roaming\[1][2][3].exe
Note: [1][2][3] is a concatenation of several different values.

[1] may be any of the following values:
win
cmd
disk
dsk
ms
hp
intel
amd
dll
tcp
udp
[2] may be any of the following values:
process
proc
monitor
mon
sys
host
mgr
update
updater
[3] may be any of the following values:
32
64
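A defender-side check built from the naming scheme above (an added example, not part of the Symantec write-up): it enumerates every name the [1][2][3].exe concatenation can produce and flags files in the listed %UserProfile% locations whose name fits it. The profile path and the sample file listing are constructed assumptions; because the copy is a clean wscript.exe, the name and location, not the file content, are what stand out.

```python
import re
from pathlib import PureWindowsPath

# The [1][2][3] name components from the write-up; the copy is a clean wscript.exe
# renamed to e.g. winproc32.exe, so the file name and location are what to flag.
PART1 = ["win", "cmd", "disk", "dsk", "ms", "hp", "intel", "amd", "dll", "tcp", "udp"]
PART2 = ["process", "proc", "monitor", "mon", "sys", "host", "mgr", "update", "updater"]
PART3 = ["32", "64"]

# Copy locations from the write-up, relative to %UserProfile%
COPY_DIRS = ("", r"AppData\Roaming")

NAME_RE = re.compile(
    "(?:%s)(?:%s)(?:%s)\\.exe" % ("|".join(PART1), "|".join(PART2), "|".join(PART3)),
    re.IGNORECASE,
)


def all_copy_names():
    """Every file name the scheme can produce: 11 * 9 * 2 = 198 distinct names."""
    return {a + b + c + ".exe" for a in PART1 for b in PART2 for c in PART3}


def matches_copy_name(path):
    """True if the file name part of `path` fits [1][2][3].exe (case-insensitive)."""
    return NAME_RE.fullmatch(PureWindowsPath(path).name) is not None


def in_copy_dir(path, user_profile):
    """True if `path` sits directly in one of the write-up's copy directories."""
    parent = PureWindowsPath(path).parent
    return any(parent == PureWindowsPath(user_profile, d) for d in COPY_DIRS)


def find_suspects(paths, user_profile):
    """Return the paths that match both the name scheme and a listed copy location."""
    return sorted(p for p in paths
                  if matches_copy_name(p) and in_copy_dir(p, user_profile))


# Constructed sample file listing (not from the write-up) for a profile at C:\Users\alice
SAMPLE_PATHS = [
    r"C:\Users\alice\WinProc32.exe",                       # name and location match
    r"C:\Users\alice\AppData\Roaming\intelupdater64.exe",  # name and location match
    r"C:\Users\alice\AppData\Roaming\winword.exe",         # name does not fit the scheme
    r"C:\Users\alice\Downloads\dskhost64.exe",             # name fits, location does not
    r"C:\Windows\System32\wscript.exe",                    # the genuine interpreter
]

if __name__ == "__main__":
    for p in find_suspects(SAMPLE_PATHS, r"C:\Users\alice"):
        print("suspect wscript.exe copy:", p)
```

A hit is worth confirming by comparing the file's hash with the system's own wscript.exe, since the write-up says the copy is the clean interpreter under a new name.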
The worm may modify the following registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 1 or 2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0 or 1
The worm may contact one of the following non-malicious servers to determine the time:
https://www.microsoft.com
https://www.google.com
https://www.bing.com
The worm will check if the current date is after January 1, 2014 00:00:00 UTC.

The worm may connect to one of the following remote locations:
[http://]217.23.3.136[REMOVED]
[http://]cdn.httpowered.com[REMOVED]
[http://]www2.httpoptions.com[REMOVED]
The worm may quit if it detects that it is running on a virtual machine.

The worm may attempt to kill processes that are associated with detecting and removing malicious software.

The worm may modify access control lists for files used by the threat.

The worm may download updates of itself.

The worm may steal the following information and send it to a remote location:
User name
Computer name
Windows ProductID
OS language
OS version
The worm may create the following shortcuts that point to the worm:
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
%UserProfile%\Start Menu\Programs\Startup\Windows Explorer.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
Note: The shortcuts may use any of the following file type icons:
exe
doc
docx
pdf
rtf
txt
mp3
m4a
ogg
wav
mp4
avi
webm
flv
mov
wmv
mpeg
mpg
gif
jpg
jpeg
png

Last update 04 November 2014
