[Malware Review] Practice makes perfect

New Versions of Worm.P2P.Palevo.BS & Trojan.Agent.APDA


Discovered at the beginning of April, this trustworthy member of the abundant Palevo family carries on the malicious genes of its clan

With an extremely well-designed propagation system, Worm.Pt2P.Palevo.BS makes use of popular file-sharing applications, any removable USB device plugged into an already-infected machine as well as network drives mapped locally.

When executed, Worm.P2P.Palevo.BS first injects its decrypted body inside Explorer.exe. The original process ends, and further malicious actions are initiated inside the explorer.exe file. The worm creates a mutex called aljsughu55, in order to mark the system as infected and to avoid running multiple instances of itself.

In order to ensure that it will be launched during the next system startup, the worm adds the following registry key: KEY_LOCAL_MACHINEMicrosoftWindowsNTCurrentVersion WinlogonTaskman, pointing to an infected file inside RecyclerS-1-5-21-0839346990-6652710400-120536083-0614nissan.exe.

Should the worm detect that the compromised system has MSN Messenger® installed, it might also start sending links to malware-hosting websites. This way, the gullible contacts of the persons whose computer got infected are tricked into installing the worm from a remote location.

Unfortunately, this worm will not settle for only infecting various systems. It also steals passwords and sensitive data typed and saved in Mozilla Firefox® and Microsoft Internet Explorer®, thereby placing under threat the victims’ e-banking and on-line shopping activities.

Furthermore, the worm’s highly dangerous backdoor component allows remote attackers to take control over the compromised machine and to use it for illicit purposes. This all-in-one piece of malware also features a bot component, which makes it possible for it to connect to various command&control servers belonging to the Mariposa botnet, and wait for further   instructions.


A member of the Oficla a.k.a. Sasfis family, Trojan.Agent.APDA was discovered on April the 2nd wrapped up with the free and open-source UPX packer.

This piece of malware comes with a familiar icon meant to trick the user into thinking it is a Word document. When executed, the malicious code drops a new file inside the %temp% folder, called “[2 random digits].tmp” – a .dll file (dynamic link library) that will subsequently be injected into a new instance of svchost.exe.

Another copy of this .dll file is dropped inside the %system% directory, under the “lgou.rlo” name. The latter instance will also be registered to start up with Windows®, as well, by modifying the registry value HKEY_LOCAL_MACHINEMicrosoftWindows NTWinlogonshell to point to “rundll32.exe lgou.rlo mrtiyyb”. Once these files are successfully dropped in the right place, Trojan.Agent.APDA erases its executable file in order to cover its tracks.

The payload is, in fact, a downloader – currently detected as Trojan.Downloader. Agent.ABBL – whose agenda is to download and execute files from http://post[removed].ru and to perform further malicious tasks.

Information in this article is available courtesy of BitDefender virusresearcher Vlad Lutas.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.