W32/Prolaco-F

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 17 Jul 2010 01:10:06 (GMT)
Last Updated: 17 Jul 2010 01:10:06 (GMT)
Prevalence: Small Number of Reports


W32/Prolaco-F is a mass-mailing worm for the Windows platform that also spreads via removable shared drives.

When run, W32/Prolaco-F creates the following files:

<System>\AdobeAMC.exe (proactively detected as Mal/CryptBox-A)
<User>\<Application Data>\SystemProc\lsass.exe (proactively detected as Mal/CryptBox-A)
<Temp>\document.doc .exe (proactively detected as Mal/CryptBox-A)
<Program_Files>\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest - this file can be safely removed
<Program_Files>\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf - this file can be safely removed
<Program_Files>\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (detected as Troj/JSRedir-CC)

The following registry entries are set:

HKCU\Identities

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adobe Reader Updaters
<System>\AdobeAMC.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RTHDBPL
<User>\<Application Data>\SystemProc\lsass.exe

HKLM\SYSTEM\CurrentControlSet\Services\ERSvc
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\AdobeAMC.exe
<System>\AdobeAMC.exe:*:Enabled:Explorer

W32/Prolaco-F spreads via removable shared drives by copying itself to:
<Root>\<RECYCLER>\<User>\redmond.exe

and creating the file <Root>\autorun.inf (detected as Mal/AutoInf-C).
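The file, registry and removable-drive artifacts listed above can be checked on a host with a short read-only triage script. The following PowerShell is an added example, not part of the Sophos description; it assumes the page's placeholders (<System>, <User>\<Application Data>, <Temp>, <Program_Files>, <Root>) resolve to the standard Windows folders and to every drive reported as removable, and it only reports what it finds.

```powershell
# Added host-triage example (not from the Sophos page): reports W32/Prolaco-F
# artifacts described above. Read-only: nothing is deleted or modified.
# Assumption: the page's path placeholders map to the standard Windows folders.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files
$system    = [Environment]::GetFolderPath('System')
$appData   = [Environment]::GetFolderPath('ApplicationData')
$temp      = [IO.Path]::GetTempPath()
$progFiles = [Environment]::GetFolderPath('ProgramFiles')
$extId     = '{9CE11043-9A15-4207-A565-0C94C42D590D}'   # Firefox extension id from the page

$filePaths = @(
    (Join-Path $system    'AdobeAMC.exe'),
    (Join-Path $appData   'SystemProc\lsass.exe'),
    (Join-Path $temp      'document.doc .exe'),           # note the space before .exe
    (Join-Path $progFiles "Mozilla Firefox\extensions\$extId\chrome.manifest"),
    (Join-Path $progFiles "Mozilla Firefox\extensions\$extId\install.rdf"),
    (Join-Path $progFiles "Mozilla Firefox\extensions\$extId\chrome\content\timer.xul")
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 2. Persistence: the Run values named on the page
$runChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Adobe Reader Updaters' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'RTHDBPL' }
)
foreach ($c in $runChecks) {
    $v = Get-ItemProperty -Path $c.Key -Name $c.Name
    if ($v) { $findings.Add("Autorun value: $($c.Key)\$($c.Name) = $($v.$($c.Name))") }
}

# 3. Windows Firewall exception registered for the dropped binary
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey
if ($fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -like '*\AdobeAMC.exe') { $findings.Add("Firewall exception: $($prop.Name) = $($prop.Value)") }
    }
}

# 4. Error Reporting service: Start = 4 is SERVICE_DISABLED
$ersvc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ERSvc' -Name Start
if ($ersvc -and $ersvc.Start -eq 4) { $findings.Add('ERSvc Start value is 4 (service disabled)') }

# 5. Removable drives: autorun.inf and RECYCLER\<user>\redmond.exe
$removable = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }
foreach ($d in $removable) {
    $root = $d.DeviceID + '\'
    $auto = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $auto) { $findings.Add("autorun.inf on removable drive: $auto") }
    $copies = Get-ChildItem -LiteralPath (Join-Path $root 'RECYCLER') -Recurse -Force -Filter 'redmond.exe'
    foreach ($f in $copies) { $findings.Add("Worm copy on removable drive: $($f.FullName)") }
}

if ($findings.Count -eq 0) { 'No W32/Prolaco-F artifacts found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and the System folder are readable. The script deliberately matches the exact value names and paths given above rather than generic heuristics; on a clean host every check should come back empty, and any hit should be followed by a full scan with an up-to-date engine rather than manual deletion of individual files.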

Email messages sent out by W32/Prolaco-F contain a zipfile attachment (which is proactively detected as Troj/CryptBx-ZP).

Email messages sent out by W32/Prolaco-F typically have the following subject lines:
"Your friend invited you to Twitter!"
"You have received A Hallmark E-Card!"
"Shipping update for your Amazon.com order"
"Thank you from Google!"
"Cindy would like to be your friend on hi5!"
"You have got a new message on Facebook!"

The zipfile attachments typically have the following names:
"Invitation Card.zip"
"CV-20100120-112.zip"
"Shipping documents.zip"
"Postcard.zip"
"Facebook message.zip"