This malware is part of the Palevo family of autorun worms, originally posted on our Threat Spotlight in December 2010. Many samples of this malware use random file names, such as:
Some attempt to use a filename to appear as a system utility. For example:
Others use odd words or nouns, such as:
The files are typically installed to either the %DOCUMENTS%\Application Data\ or %RECYCLE BIN%\ folders.
Notably, when installed in the user's Recycle Bin as a regular file (i.e. without the special naming convention described in Microsoft's http://support.microsoft.com/kb/136517/EN-US/), the file is hidden from view when the Recycle Bin is browsed from within Windows Explorer (explorer.exe), because Explorer only displays entries that follow that convention.
Palevo worms tend to set the following run key, which points to the file in the Application Data or Recycle Bin folder (as discussed above):
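The two traits described above (a plain file dropped into the Recycle Bin folder that Explorer will not display, and a run key pointing at a file in Application Data or the Recycle Bin) can be hunted for from an administrative PowerShell prompt. The script below is an added, read-only example and is not part of the Sophos description. Since the page does not name the run key, it checks the standard HKCU and HKLM `...\CurrentVersion\Run` keys (an assumption); it also assumes the Vista+ `$Recycle.Bin\<SID>` layout with `$I*`/`$R*` pairs and the older `RECYCLER` layout with `INFO2`/`Dc<n>` entries.

```powershell
# Added example (not from the Sophos page): read-only hunt for the two Palevo
# traits described above. ASSUMPTIONS: the page does not name the run key, so the
# standard HKCU/HKLM Run keys are checked; Recycle Bin layouts are assumed to be
# $Recycle.Bin\<SID>\$I*/$R* (Vista+) or RECYCLER\<SID>\INFO2 + Dc<n> (pre-Vista).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Folders in which a legitimate autostart command should almost never live.
$suspiciousPathPattern = '(\\Application Data\\|\\\$Recycle\.Bin\\|\\RECYCLER\\|\\RECYCLED\\)'

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match $suspiciousPathPattern) {
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $p.Name
                    Command   = $p.Value
                }
            }
        }
    }
}

function Get-IrregularRecycleBinFiles {
    # Every fixed drive carries its own recycle folder; look at all of them.
    $roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        Join-Path $_.Root '$Recycle.Bin'
        Join-Path $_.Root 'RECYCLER'
    }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # -Force is required: the folder and its contents are hidden+system.
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                # Expected contents: $I<id>/$R<id> pairs (Vista+), desktop.ini,
                # the INFO2 index and Dc<n> entries (pre-Vista). Anything else is a
                # regular file that Explorer's Recycle Bin view will not show.
                $_.Name -notmatch '^(\$I|\$R|Dc\d+|INFO2$|desktop\.ini$)'
            } |
            Select-Object FullName, Length, LastWriteTime
    }
}

'--- Run key entries pointing into Application Data or a Recycle Bin folder ---'
Get-SuspiciousRunEntries | Format-Table -AutoSize
'--- Regular files found inside Recycle Bin folders ---'
Get-IrregularRecycleBinFiles | Format-Table -AutoSize
```

Run it elevated so that `HKLM` and every user's `$Recycle.Bin\<SID>` subfolder are readable. A hit in either list is a lead, not a verdict: confirm the flagged file's hash against your AV or sandbox before acting, and remove the run key value together with the file so that the worm is not relaunched at next logon.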
In addition to the detection provided for Mal/Palevo-A, the proactive HIPS technology in Sophos Endpoint Security can prevent the installation of Mal/Palevo-A using various rules, including HIPS/ProcInj-001.