W32/Palevo-BB

Category: Viruses and Spyware
Protection available since: 09 Jan 2011 18:50:44 (GMT)
Type: Win32 worm
Last Updated: 09 Jan 2011 18:50:44 (GMT)
Prevalence: Small Number of Reports


W32/Palevo-BB is a worm for the Windows platform. It is a new incarnation of the Mal/Rimecud-D family of worms, which spread through instant messaging applications. W32/Palevo-BB is spammed out as links in social networking chats or instant messaging. When a user clicks on one of those links, the file facebook-pic000934519.exe is downloaded to their machine and executed. The malware in turn harvests the user's contacts from social networking chats and instant messaging and spams itself out to them.


When first run, W32/Palevo-BB copies itself to C:\WINDOWS\nvsvc32.exe.


The worm creates the following registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    NVIDIA driver monitor
    c:\windows\nvsvc32.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NVIDIA driver monitor
    c:\windows\nvsvc32.exe
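As an added example (not part of the Sophos analysis), the following PowerShell script checks a host for the persistence artifacts this page lists: the "NVIDIA driver monitor" Run values, the dropped nvsvc32.exe copies, and the firewall exception recorded under Runtime Analysis. Key names, value names, paths and the SHA-1 are taken from this page; the script is read-only and only reports what it finds.

```powershell
# Added example, not Sophos code: report W32/Palevo-BB persistence artifacts
# named on this page. Read-only. Get-FileHash needs PowerShell 4.0 or later.
$ValueName  = 'NVIDIA driver monitor'
$KnownSha1  = '3ff9b213c19dd8e7af6adea940d8de1a9d19c5b0'   # from File Information
$RunKeys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
$DropPaths  = @("$env:SystemRoot\nvsvc32.exe", "$env:ProgramFiles\nvsvc32.exe")
$FwListKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

$findings = @()

# 1. Run-key persistence: the worm registers itself under the listed value name.
foreach ($key in $RunKeys) {
    $data = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($data) { $findings += "Run value '$ValueName' in $key -> $data" }
}

# 2. Dropped copies: compare the hash with the sample's SHA-1 when the file exists.
foreach ($path in $DropPaths) {
    if (Test-Path -LiteralPath $path) {
        $sha1  = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
        $match = if ($sha1 -eq $KnownSha1) { 'matches listed sample' } else { 'hash differs, inspect manually' }
        $findings += "File present: $path (SHA-1 $sha1, $match)"
    }
}

# 3. Firewall exception: data has the form '<path>:*:Enabled:NVIDIA driver monitor'.
$fwList = Get-ItemProperty -Path $FwListKey -ErrorAction SilentlyContinue
if ($fwList) {
    $fwList.PSObject.Properties |
        Where-Object { "$($_.Value)" -like "*:Enabled:$ValueName" } |
        ForEach-Object { $findings += "Firewall allow entry: $($_.Name) = $($_.Value)" }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output '[ok] No W32/Palevo-BB artifacts found'
}
```

Run from an elevated prompt so the HKLM keys are readable; a hit on any one indicator warrants a full scan rather than manual deletion, since the worm installs additional malware.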


W32/Palevo-BB attempts to contact http://www.myspace.com and numerous other websites and IP addresses.


In addition to the standard detection provided for W32/Palevo-BB, the proactive HIPS technology in Sophos Endpoint Security can block the actions of this malware and of the additional malware it attempts to install. When W32/Palevo-BB is run it triggers the following HIPS rules:


HPsus/SysDrop-C

HIPS/FileMod-001

HIPS/RegMod-002

HIPS/RegMod-007

W32/Palevo-BB exhibits the following characteristics:

File Information

Size: 73K
SHA-1: 3ff9b213c19dd8e7af6adea940d8de1a9d19c5b0
MD5: d08b60355203de26b53295b9fb2cfa24
CRC-32: 659619ae
File type: application/x-ms-dos-executable
First seen: 2011-01-08

Other vendor detection

Kaspersky: IM-Worm.Win32.Yahos.jh

Runtime Analysis

Copies Itself To
  • C:\Program Files\nvsvc32.exe
  • C:\WINDOWS\nvsvc32.exe
Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
    LogSessionName
    stdout
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    NVIDIA driver monitor
    c:\test_item.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
    LogSessionName
    stdout
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    c:\test_item.exe
    c:\test_item.exe:*:Enabled:NVIDIA driver monitor
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    NVIDIA driver monitor
    c:\test_item.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    NVIDIA driver monitor
    c:\test_item.exe
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
    EnableConsoleTracing
    0x00000000
Processes Created
  • c:\windows\system32\net.exe
  • c:\windows\system32\net1.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\sc.exe
IP Connections
  • 146.160.147.53:1234
  • 49.61.182.240:1234
  • 49.61.182.240:80
DNS Requests

Further information

There is more information about W32/Palevo-BB in the blog article "Facebook virus spreads via photo album chat messages".