W32.Palevo

W32.Palevo is a worm that may infect a computer by exploiting known software vulnerabilities. An infected system will experience reduced performance. W32.Palevo can also terminate security-related processes on the infected computer, which lowers its overall security posture.

Damage Level: Low

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
This worm runs every time Windows starts by creating the following registry entry, which points to the worm's own file:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Microsoft Driver Setup" = "%Windir%\msddrv42.exe"

W32.Palevo opens a backdoor on the affected machine and connects to a remote server to retrieve commands.

It terminates processes belonging to security applications such as antivirus and firewall products. This may cause those programs to malfunction or stop responding, so the host's own security software cannot be relied on to report the infection.

Distribution
This worm spreads locally by infecting removable media drives and shared system resources such as network shares. It also enters a target computer by probing for unpatched software vulnerabilities; when one is found, it may exploit it to compromise the computer without being detected, even if an antivirus program is present. The specific vulnerabilities targeted are:

  • Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (addressed by Microsoft Security Bulletin MS03-026)
  • Microsoft Windows Message Queuing Remote Buffer Overflow Vulnerability (MS05-017)
  • Microsoft Windows Plug and Play Buffer Overflow Vulnerability (MS05-039)
Hosts missing these patches remain exposed to the worm's network propagation regardless of whether antivirus software is installed.

Added Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Microsoft Driver Setup" = "%Windir%\msddrv42.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Driver Setup" = "%Windir%\msddrv42.exe"
Associated Files and Folders:
%Windir%\logfile32.txt
%Windir%\msddrv42.exe
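The following script is added here as a triage example and is not part of the original advisory. It checks the two autostart keys and the file paths listed above, either on a live Windows host (via winreg) or against registry values exported from another machine. The registry paths, the value name and the file names come from this page; the function names, the default %Windir% of C:\Windows and the sample registry data are assumptions made for the example.

```python
"""Check a host, or exported registry data, for the W32.Palevo artifacts above.

Added example; not the advisory's own tooling. Paths and names are the ones
listed on the page; everything else (function names, defaults, sample data)
is assumed for illustration.
"""
import os
import re
import sys
from typing import Callable, Dict, List, Tuple

# Autostart locations named in the advisory (both under HKEY_LOCAL_MACHINE).
AUTOSTART_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
)
IOC_VALUE_NAME = "Microsoft Driver Setup"
IOC_BINARY = r"%Windir%\msddrv42.exe"
IOC_FILES = (IOC_BINARY, r"%Windir%\logfile32.txt")

_WINDIR_RE = re.compile(r"%windir%", re.IGNORECASE)


def expand_windir(path: str, windir: str) -> str:
    """Expand %Windir% with a caller-supplied value (case-insensitive), so the
    check also works on data exported from a different machine."""
    return _WINDIR_RE.sub(lambda _m: windir, path)


def normalize(data: str, windir: str) -> str:
    """Strip surrounding quotes, expand %Windir%, lowercase for comparison."""
    return expand_windir(data.strip().strip('"'), windir).lower()


def find_autostart_iocs(values: Dict[str, Dict[str, str]],
                        windir: str = r"C:\Windows") -> List[Tuple[str, str, str]]:
    """values maps each autostart key path to its {value_name: data}.
    Returns (key, value_name, data) for entries that use the worm's value name
    or point at the worm's binary, whichever name the value was given."""
    target = normalize(IOC_BINARY, windir)
    hits = []
    for key, entries in values.items():
        for name, data in entries.items():
            if name.lower() == IOC_VALUE_NAME.lower() or normalize(data, windir) == target:
                hits.append((key, name, data))
    return hits


def find_ioc_files(windir: str = r"C:\Windows",
                   exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the listed file artifacts that exist; `exists` is injectable so
    the logic can be exercised against a mounted image or in tests."""
    paths = [expand_windir(p, windir) for p in IOC_FILES]
    return [p for p in paths if exists(p)]


def read_autostart_values() -> Dict[str, Dict[str, str]]:
    """Live collection of both autostart keys on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    result: Dict[str, Dict[str, str]] = {}
    for key in AUTOSTART_KEYS:
        entries: Dict[str, str] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                index = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(handle, index)
                    except OSError:  # no more values
                        break
                    entries[name] = str(data)
                    index += 1
        except OSError:
            pass  # key absent; policies\Explorer\Run often does not exist
        result[key] = entries
    return result


# Constructed sample (not captured data) of what read_autostart_values() could
# return on an infected XP host: one benign entry plus the worm's entries.
SAMPLE_VALUES = {
    AUTOSTART_KEYS[0]: {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
        "Microsoft Driver Setup": r"%Windir%\msddrv42.exe",
    },
    AUTOSTART_KEYS[1]: {
        "Microsoft Driver Setup": r"C:\WINDOWS\msddrv42.exe",
    },
}


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    values = read_autostart_values() or SAMPLE_VALUES  # sample when not on Windows
    for key, name, data in find_autostart_iocs(values, windir):
        print(f"autostart IOC: HKLM\\{key}\\{name} = {data}")
    for path in find_ioc_files(windir):
        print(f"file IOC: {path}")
```

Two caveats apply when using this. Because the worm terminates security software, run the check from clean boot media or against an offline copy of the SOFTWARE hive rather than trusting the live host's tools. And matching on the listed names only catches the variant described here; a renamed binary is missed, so any value under policies\Explorer\Run on a workstation that is not managed by Group Policy deserves review whatever its data says.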