Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload: none
Detection files published: 30 Nov 2000 03:00:00
Description created: 07 Dec 2000 03:00:00
Description updated: 07 Dec 2000 03:00:00
Malware type: WORM
Aliases: Troj_Shockwave, Shockwave, Creative
Spreading mechanism: EMAIL
Summary: None

W32/Prolin.A@mm36864

Spreading

This is an email worm spreading itself through MS Outlook. It will send a copy of itself to each entry in MS Outlook's address book.

It also sends an email to a Yahoo email address:

Subject: Job Complete

Body: Got yet another idiot.

The worm is written in Visual Basic 6.0 and requires the Visual Basic 6 runtime DLL to execute. When executed it drops three files to the hard disk:


c:\messageforu.txt
c:\Creative.exe
c:\Windows\Start Menu\Programs\Startup\Creative.exe

It then moves every file with a .ZIP, .JPG or .MP3 extension to the root of the C: drive, appending a fixed string to the original file name:

c:\OriginalFileName + "change atleast now to LINUX"

E.g. C:\My Documents\Myfile.ZIP is moved to C:\Myfile.ZIPchange atleast now to LINUX

C:\messageforu.txt contains the original name and location of these files, so an infected user who reads messageforu.txt can manually restore all files. W32/Prolin changes only the filename; it does not infect other files.

Messageforu.txt contains the following text:



Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

Note:

If the worm has been executed a second time (e.g. if the computer has been restarted and the creative.exe dropped into the StartUp folder has been loaded), c:\messageforu.txt will contain only the text mentioned above and the original locations of the .ZIP, .JPG and .MP3 files renamed during that run, not the original locations of the files renamed the first time the worm was executed.


Payload Details

n/a

Analysis

n/a

Removal

To completely remove W32/Prolin.A@mm36864, perform a full scan of your hard disk(s) and delete all infected files. To rename files back to their original name and location use the information in c:\messageforu.txt.
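The restoration step described above, as an added example that is not part of the original description: it reads the original paths out of messageforu.txt and moves each "<name>change atleast now to LINUX" file from the drive root back to where it came from. The page does not document the exact layout of messageforu.txt, so the parser assumes one original Windows path per line after the worm's note, and a directory passed as drive_root stands in for C:\ so the routine runs anywhere.

```python
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Suffix W32/Prolin appends to each renamed .ZIP/.JPG/.MP3 (from the description).
SUFFIX = "change atleast now to LINUX"

def parse_message_file(text):
    """Pull the original full paths out of messageforu.txt.

    Assumed (hypothetical) layout: one original Windows path per line after
    the worm's note; any line that is not a drive-letter path is ignored.
    """
    return [PureWindowsPath(ln.strip()) for ln in text.splitlines()
            if len(ln.strip()) > 3 and ln.strip()[1:3] == ":\\"]

def restore_files(drive_root, originals):
    """Move '<name><SUFFIX>' from the drive root back to the original path.

    drive_root stands in for C:\\ so the routine runs on any OS. Returns
    (restored, missing): originals moved back, and originals whose renamed
    copy was not found (e.g. already deleted by a scanner).
    """
    drive_root = Path(drive_root)
    restored, missing = [], []
    for original in originals:
        renamed = drive_root / (original.name + SUFFIX)
        target = drive_root.joinpath(*original.parts[1:])  # strip 'C:\\'
        if not renamed.is_file():
            missing.append(str(original))
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(renamed), str(target))
        restored.append(str(original))
    return restored, missing

def demo():
    """Reproduce the page's example on constructed files in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed post-infection state: Myfile.ZIP renamed into the root.
        (root / ("Myfile.ZIP" + SUFFIX)).write_bytes(b"PK\x03\x04 sample")
        note = ("Hi, guess you have got the message. ...\n"
                "C:\\My Documents\\Myfile.ZIP\n"
                "C:\\Music\\song.MP3\n")  # song.MP3 deliberately absent
        restored, missing = restore_files(root, parse_message_file(note))
        back = (root / "My Documents" / "Myfile.ZIP").read_bytes()
        leftover = (root / ("Myfile.ZIP" + SUFFIX)).exists()
        return restored, missing, back, leftover
```

Run the scanner first; a file listed in messageforu.txt but already quarantined shows up in the missing list rather than being silently skipped.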


Last Updated: 12 Nov 2015 11:06:15