Virus: Worm/Palevo.uab
Date discovered: 01/03/2010
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 197.632 Bytes
MD5 checksum: c1142cb0380b0bba40eceffdb6c54110
IVDF version: 7.10.04.163 - Monday, March 1, 2010

General
Method of propagation:
   • Email


Aliases:
   •  Sophos: W32/Autorun-BBI
   •  Panda: W32/P2PWorm.GW
   •  Eset: Win32/SpamTool.Tedroo.AL
   •  Bitdefender: Worm.Generic.231551


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe

It tries to download a file:

– The locations are the following:
   • http://sec3.helohmar.com/spm/**********?id=%number%&tick=%number%&ver=%number%&smtp=%character string%
   • http://sec3.helohmar.com/spm/**********?task=%number%&id=%character string%

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host"="%character string%"
   • "id"="%character string%"
   • "ii"="%number%"
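The two registry locations and the dropped file above are the host-based indicators a responder can check directly. The following PowerShell script is an added example, not part of the Avira description; it assumes that %SYSDIR% denotes the Windows System32 directory (Avira's usual meaning for that placeholder), that it is run in an elevated session, and that the MD5 listed at the top of the page is the only sample hash available, so a packed variant may well carry a different hash while still using the same path and Run value.

```powershell
# Added example (not Avira's code): look for the persistence and file indicators
# that the Worm/Palevo.uab description lists. Run elevated so HKLM is readable.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$bitsKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS'
$valueName = 'MS Virtual CLS'
# Assumption: %SYSDIR% in the description is the System32 directory.
$dropPath  = Join-Path $env:SystemRoot 'System32\msvmcls64.exe'
$knownMd5  = 'c1142cb0380b0bba40eceffdb6c54110'   # sample hash from the page header

$findings = @()

# 1. Autorun value "MS Virtual CLS" under HKLM\...\Run (the worm's restart mechanism).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $findings += "Run value '$valueName' present, data: $($run.$valueName)"
}

# 2. The dropped copy in %SYSDIR%. Compare against the listed MD5, but treat a
#    mismatch as "different build", not as "clean": the file is runtime-packed.
if (Test-Path -LiteralPath $dropPath) {
    $hash  = (Get-FileHash -LiteralPath $dropPath -Algorithm MD5).Hash.ToLower()
    $state = if ($hash -eq $knownMd5) { 'matches' } else { 'does not match' }
    $findings += "File $dropPath exists; MD5 $hash $state the listed sample hash"
}

# 3. Values "host", "id" and "ii" under the BITS key. The key itself is a normal
#    Windows key; only these three value names are the indicator.
$bits = Get-ItemProperty -Path $bitsKey -ErrorAction SilentlyContinue
foreach ($name in 'host', 'id', 'ii') {
    if ($bits -and $bits.PSObject.Properties[$name]) {
        $findings += "BITS value '$name' present, data: $($bits.$name)"
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this description were found on this host.'
} else {
    $findings
}
```

The script only reads the registry and hashes one file, so it is safe to run as a first triage step; the Run value and the System32 file name are the strongest signals, while the BITS values are supporting evidence because the parent key is present on every Windows installation.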

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.


Body:
– Contains HTML code.


Attachment:

The attachment is a copy of the malware itself.

Mailing
MX Server:
It has the ability to contact one of the following MX servers:
   • hotmail.com
   • yahoo.com
   • aol.com
   • google.com
   • mail.com

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, May 13, 2010
Description updated by Petre Galan on Thursday, May 13, 2010
