Palevo worm wreaks havoc using backdoor, removable drives, peer-to-peer and Autorun exploits
SYDNEY & AUCKLAND – May 4, 2010 – BitDefender has found an aggressive worm spreading via a wave of automatically generated spam this week. Dubbed Palevo by BitDefender researchers, the worm opens a backdoor on the infected system that allows the attacker to install additional malware, steal passwords or files, or launch spam or other malware attacks on contacts in the user’s IM list.
What’s worse, Palevo is also spreading via network and removable USB drives using the Autorun feature. When an infected USB stick is inserted into a computer with Autorun enabled, the machine becomes automatically infected.
The unsolicited messages prompt recipients to click a link accompanied by a grinning smiley face emoticon, which purports to lead them to images hosted online. But instead of opening the image collection, users are tricked into saving what seems to be a .JPG file which is, in effect, an executable concealing the malicious payload – Worm.P2P.Palevo.DP.
First and foremost, the worm creates several hidden files in the Windows folder: mds.sys, mdt.sys, winbrd.jpg, infocard.exe, whilst modifying registry keys to point towards these files in order to shut down the operating system’s firewall.
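The file artifacts and firewall tampering described above, together with the removable-drive Autorun vector, give a defender something concrete to check for. The PowerShell hunt below is an added example, not BitDefender's code: the four file names come from this release, while the use of autorun.inf on removable drives, the netsh firewall query and the WMI drive-type filter are assumptions about how such a check would be done on a Windows host.

```powershell
# Added example: hunt a Windows host for the artifacts this release attributes
# to Worm.P2P.Palevo.DP. File names are from the release; everything else
# (autorun.inf, netsh, DriveType 2 = removable) is an assumption about the check.
$artifacts = 'mds.sys', 'mdt.sys', 'winbrd.jpg', 'infocard.exe'

function Find-PalevoArtifacts {
    param([string]$WindowsDir = $env:windir)
    foreach ($name in $artifacts) {
        $path = Join-Path $WindowsDir $name
        # -Force is needed because the release says the files are created hidden.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            # A hit is a lead for triage, not proof; the hash lets an analyst confirm it.
            [pscustomobject]@{
                Path      = $item.FullName
                Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                SizeBytes = $item.Length
                Modified  = $item.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-AutorunInf {
    # Autorun on a removable drive is driven by a root-level autorun.inf
    # (assumption: DriveType 2 is "removable" in Win32_LogicalDisk).
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) { Get-Item -LiteralPath $inf -Force }
    }
}

function Get-FirewallState {
    # The release says the worm shuts the firewall down, so an unexpected
    # "OFF" for any profile is a signal worth correlating with the file hits.
    netsh advfirewall show allprofiles state
}

$hits = @(Find-PalevoArtifacts)
if ($hits) { $hits | Format-Table -AutoSize }
else       { "No Palevo file artifacts found in $env:windir" }
Find-AutorunInf | Format-Table FullName, Attributes, LastWriteTime -AutoSize
Get-FirewallState
```

Run it from an elevated prompt so hidden files in the Windows folder and all removable drives are readable.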
The Palevo worm is then capable of intercepting passwords and log-ins that are either stored or entered into Mozilla® Firefox® and Microsoft® Internet Explorer® Web browsers, which makes activities such as online banking or shopping extremely dangerous.
The worm also affects users of peer-to-peer sharing platforms by adding its code to shared files. Platforms at risk include Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
“We recommend that IM users be extremely cautious of links they receive in an instant message, particularly if they point towards either a file or web link download. It’s worthwhile to double-check the legitimacy of the message with the sender before opening a link, in order to confirm whether they had purposely sent the message themselves,” said Catalin Cosoi, senior researcher at BitDefender.