This is a
variant of the Butterfly bot kit, which used to be sold at bfse[removed].net
for about $900.
The worm is
spreading using 3 main vectors: MSN Messenger, removable drives and P2P
external drive X: is detected, the file X:\autorun.inf is created, which points
to a copy of the malware at X:folder.tmptmp.exe. When the disk is inserted into
another computer, the worm is executed automatically if the autorun feature is
It also creates copies of itself inside the shared folders of P2P applications
like: Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, eMule+ and
In order to
spread via MSN it patches the application in memory and replaces the links sent
by the user with its own.
itself, the worm stops execution if a virtual machine, sandbox or debugging
software is detected.
connects to the Mariposa botnet on one of the following URLs and waits for
further instructions: butterfly.BigM[removed].biz:5907,
can also steal passwords stored by Firefox or Internet Explorer and generate
TCP/UDP SYN floods for DDoS attacks.
executed, Palevo.J copies itself to “X:\RECYCLER\$RecyclerDir\sysdate.exe”,
where X: is the drive of the Windows installation and $RecyclerDir is a random
name such as S-1-5-21-3195918175-0516443723-305921711-2405. It also creates a
Desktop.ini file inside the same location to mark itself as a regular Recycle
Bin folder (which hides the contained files from explorer.exe).
The worm also adds certain keys to the registry in order to
ensure its execution on every system boot.
The “installation” finishes when it injects code into
explorer.exe and the process with the smallest PID (System); this injected code
is responsible for all the aforementioned actions. The injection is accompanied
by the creation of a mutex, which is used to check whether the worm has already
been injected (to avoid running multiple instances).
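The two on-disk artifacts described above, an autorun.inf on a drive root and an executable inside a Recycle Bin look-alike folder, can be checked for from the defender's side. The following Python is an added example, not part of the original write-up; `scan_drive`, `build_sample` and the sample tree are constructed for illustration, and the `D<drive><n>` naming of genuinely recycled files is an assumption based on the XP-era RECYCLER layout.

```python
import os
import re
import tempfile

# Real Recycle Bin subfolders are named after a user SID; the dropper imitates that shape.
SID_LIKE = re.compile(r"^S-1-5-21(-\d+){3,4}$", re.I)
# Assumption: files genuinely deleted on XP-era systems are renamed D<drive><n>.<ext>, e.g. Dc1.exe.
RECYCLED_NAME = re.compile(r"^D[a-z]\d+\.", re.I)
EXEC_RE = re.compile(r"\.(exe|scr|com|pif)\b", re.I)
AUTORUN_KEYS = {"open", "shellexecute", "shell\\open\\command"}

def _entries(dirpath, wanted=None):
    """List directory entries, optionally filtered by a case-insensitive name."""
    names = os.listdir(dirpath) if os.path.isdir(dirpath) else []
    return [n for n in names if wanted is None or n.lower() == wanted]

def scan_drive(root):
    """Return sorted (reason, detail) findings for one drive root."""
    findings = []
    # 1. autorun.inf whose launch keys point at an executable
    for inf in _entries(root, "autorun.inf"):
        with open(os.path.join(root, inf), errors="replace") as fh:
            for line in fh:
                key, sep, value = line.partition("=")
                if sep and key.strip().lower() in AUTORUN_KEYS and EXEC_RE.search(value):
                    findings.append(("autorun-launches-executable", value.strip()))
    # 2. executables in RECYCLER\<SID-like folder> that are not normally recycled files
    for rec in _entries(root, "recycler"):
        for sub in filter(SID_LIKE.match, _entries(os.path.join(root, rec))):
            for name in _entries(os.path.join(root, rec, sub)):
                if EXEC_RE.search(name) and not RECYCLED_NAME.match(name):
                    findings.append(("executable-in-recycler", f"{rec}/{sub}/{name}"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: empty or text files that only mimic the layout."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1000"  # constructed value
    os.makedirs(os.path.join(root, "RECYCLER", sid))
    files = {"autorun.inf": "[autorun]\nopen=sample\\placeholder.exe\nicon=x.ico\n",
             f"RECYCLER/{sid}/sysdate.exe": "", f"RECYCLER/{sid}/Dc1.exe": "",
             f"RECYCLER/{sid}/Desktop.ini": ""}
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, detail in scan_drive(tmp):
            print(reason, detail)
```

Run against a mounted drive root, the scan lists hidden entries too, so the Desktop.ini trick that hides the folder contents from explorer.exe does not affect it.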
e-threat is actually a worm. It performs the following actions upon execution:
– makes a copy of itself inside %windir%, as “regsvr.exe”
– makes a copy of itself inside %windir%\system32, as “regsvr.exe”
– makes a copy of itself inside %windir%\system32, as “svchost .exe”
– registers itself at startup in many locations of the registry
– disables the task manager, registry tools and folder options by
making changes to the registry
– creates a scheduled task, using the Windows AT scheduling command, in order to run
“%windir%\System32\svchost .exe” (a copy of the malware) every day at 09:00AM.
It also removes the limit on how long scheduled tasks are active by making
further changes in the registry
– prevents Internet Explorer from starting in offline mode
– creates a specific registry entry so that its copy is shared.
If it finds
any shared drives, it copies itself onto them under the name “New Folder.exe”.
– spreads via shared drives, removable drives and Yahoo Messenger.
in this article is available courtesy of BitDefender virus researchers Horea
Coroiu and George Cabau.