Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Palevo.ntf.4
Date discovered:12/01/2010
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:207.872 Bytes
MD5 checksum:d4689ed810452de9c0fe6f3ea6b25b7b
IVDF version:7.10.02.171 - Tuesday, January 12, 2010

 General Method of propagation:
   • Email


Aliases:
   •  Panda: Bck/IRCbot.CTX
   •  Eset: Win32/SpamTool.Tedroo.AL
   •  Bitdefender: Worm.Generic.220500


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops a malicious file
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe




It tries to download some files:

– The location is the following:
   • http://sec8.helohmar.com/spm/**********?id=%number%&tick=%number%&ver=%number%&smtp=%character string%


– The location is the following:
   • http://sec8.helohmar.com/spm/**********?task=%number%&id=%character string%

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host" = "%character string"
   • "id" = "%character string%"
   • "ii" = "%number%"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Body:
– Contains HTML code.

The attachment is a copy of the malware itself.

 Mailing MX Server:
It has the ability to contact one of the following MX servers:
   • hotmail.com
   • yahoo.com
   • aol.com
   • google.com
   • mail.com

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, April 8, 2010
Description updated by Petre Galan on Thursday, April 8, 2010

Back . . . .