W32.Pilleuz

1 October 2009 Worm 2 Comments

W32.Pilleuz is a worm that may open a backdoor on compromised computer allowing a remote author to gain unauthorized access. The worm may access local files, download files, execute commands, modify Hosts file and steal web browser’s information. W32.Pilleuz can flood Internet traffic to various web sites that causes distributed denial of service (DDoS) attack.

Alias: W32/Autorun.worm!a758e0e7, W32/Rimecud, W32/Autorun-AUP, ButterflyBot.A, Metulji

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
To be more effective and contagious, the worm will inject itself to processes like explorer.exe and iexplore.exe. It will establish a connection using UDP packets to its various remote servers to performs the following tasks:

• Download and execute additional malware on the infected PC
• Download an update for itself
• Gathers sensitive information such as user name, password and online banking details
• Monitors web browsing activity

Distribution
W32.Pilleuz utilizes Windows Autorun functionality that automatically runs itself when an infected drive is accessed. Then, it will look for other removable drives on the computer and drops the same executable and configuration files. The worm spreads to other system when the infected removable drive is attached.

File-sharing network is another distribution channel for this worm. Malicious code is intentionally injected to some legitimate executable file and shared over to other users of peer-to-peer network. To intensify infection, authors of this worm uses downloadable files that are frequently requested by people such as games, popular software, serials and key generators.

The worm also tries to propagate via MSN Messenger chat program. It sends a customized messages containing malicious link to victim’s contact list. The link points to a location where copy of the worm is being hosted.

Added Registry Entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%UserProfile%\Application Data\[RANDOM CHARACTER].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%SystemDrive%\RECYCLER\[SID]\sysdate.exe"

Associated Files and Folders:

%UserProfile%\Application Data\[RANDOM CHARACTER].exe
%SystemDrive%\RECYCLER\[SID]\Desktop.ini
%DriveLetter%\Resources\[RANDOM CHARACTERS].exe
%DriveLetter%\Working

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Open your antivirus application and update the virus definition file. This method ensures that your antivirus program can detect even newer variants of W32.Pilleuz

3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable, better place them in quarantine. Once the scan is complete, please proceed with the next step.

Online Virus Scanner:

Another way to remove W32.Pilleuz without the need to install additional antivirus application is to perform a thorough scan with free online virus scanner that can be found here or on websites of legitimate anti-virus and security provider.

5. Go to Online Virus Scanner list and run a virus scan. This may require plug-ins, add-on or Activex object, please install if you want to proceed with scan.
6. After completing the necessary download, your system is now ready for online virus scanning.
7. Select an option in which you can thoroughly scan the computer to make sure that it will find and delete entirely all infections not detected on previous scan.
8. Remove or delete all detected items.
9. When scanning is finished you may now restart the computer in normal mode.