[Malware Review] Win32.Worm.Prolaco is the friend that sends greeting cards

Greeting cards have constantly been exploited by malware writers and used as a means of malware dissemination. And just like Win32.Worm.Waledac, its companion in counterfeiting e-cards, Win32.Worm.Prolaco lands into users’ inboxes around various holidays. This particular build of the Prolaco worm paves the way to Halloween, and it seems you’ve got all the reasons to be scared.

Spreading mechanism of Win32.Worm.Prolaco

Firstly, as previously mentioned, Prolaco disseminates through e-mails that contain zipped attachments with executable files impersonating a .doc, .chm, .pdf, .jpg, or .htm extension. They are often named “card.pdf.exe”, “document.chm.exe”, which makes it difficult for the users to spot them, especially when the OS is instructed not to display known file types.

Secondly, Prolaco may also spread via USB removable devices and Peer-to-Peer file sharing networks. This worm creates an autorun.inf file that points to an exe file, currently identified as redmond.exe but this can vary in newer versions.

Prolaco makes multiple copies of itself that are to be distributed as follows: one hidden copy will be added in the system folder under the names wmimngr.exe, jusched.exe or wfmngr.exe while others will be “spread” to locations used for file sharing, where they pose as cracks or keygens for different commercial programs.

Setting up the playground

Once the file in the zip is opened, Prolaco is loose on the computer and ready to start its malicious work. Win32.Worm.Prolaco performs various modifications to the Windows Registry in order to automatically launch itself upon every Windows startup and user log-on, as well as to open a communication channel in the Windows Firewall. It also weakens the local security settings by disabling notifications when programs try to install software and by disabling User Account Control in Windows Vista® or Windows 7® . With local security defeated, Prolaco injects malicious code in the iexplore.exe process and behaves like a keylogger, recording all keystrokes in a file called lsm.dll which is located in the Windows folder.

Payload

This all-in-one wonder also behaves like a backdoor as it connects to [removed]hop.net in order to receive various commands from the host . Based on whatever instructions it gets, it is able to: modify registry entries or graphic settings (resolution, frequency), start or kill processes, access drives, scan ports, download/execute files to or from memory, terminate antivirus processes, steal passwords from browsers and to social networking accounts. It may also steal cookies, connect to ftp servers, upload data on ftp servers, change service settings or monitor the USB port in order to spread more easily.

The worm is more than it seems at first sight. Its ultimate goal is the installation of a remote access tool that allows an attacker to seize control over the infected machine and dispose of the stored data at will.

Around holydays it is imperative that computer users be more cautious when sending or receiving these greeting cards because some of them may come bundled with malware.

The technical information in this article is available courtesy of BitDefender virus researcher Cristina Vatamanu.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.