P2P-Worm.Win32.Palevo.arxz


 

1. What is P2P-Worm.Win32.Palevo.arxz?

P2P-Worm.Win32.Palevo.arxz is a network-aware worm that tries to replicate across the current network(s). Its self-spreading malicious code lets it copy itself automatically from one computer to another over a network connection. P2P-Worm.Win32.Palevo.arxz is also capable of damaging actions such as consuming network or local system resources.

 

2. Technical Details

 

a. The following files were created in the system:

 

No.  Filename                                  Size
1    %AppData%\ygmdrm.exe                      265,728 bytes
     %Temp%\899.exe
2    [file and pathname of the sample #1]      147,968 bytes

  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

b. Registry Modifications

  • The newly created Registry Value is:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      • Taskman = "%AppData%\ygmdrm.exe"

      so that ygmdrm.exe runs every time Windows starts.

c. Other details

  • An attempt to establish a connection with a remote host was recorded. The connection details are:

    Remote Host       Port Number
    94.228.215.208    80

  • The data identified by the following URL was then requested from the remote web server:
    • http://94.228.215.208/bnet1/pridji16.exe

     

3. How-to's

a. How to prevent P2P-Worm.Win32.Palevo.arxz?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and ensure your network and business security.

b. How to Remove P2P-Worm.Win32.Palevo.arxz Manually?

Step 1: stop any P2P-Worm.Win32.Palevo.arxz processes
Press CTRL+ALT+DELETE to open the Windows Task Manager. Click on the "Processes" tab, search for the P2P-Worm.Win32.Palevo.arxz process (ygmdrm.exe or 899.exe, the files listed in section 2a), then right-click it and select "End Process".

Step 2: remove the following P2P-Worm.Win32.Palevo.arxz registry value

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Taskman = "%AppData%\ygmdrm.exe"

Step 3: remove P2P-Worm.Win32.Palevo.arxz files and folders

%AppData%\ygmdrm.exe
%Temp%\899.exe
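The following PowerShell script is an added example, not part of the original write-up or a Sax2 tool. It checks a Windows host for the indicators listed in section 2 (the Winlogon Taskman persistence value, the two dropped files, processes running from those paths, and an active connection to 94.228.215.208:80) and, only when run with the -Remove switch, carries out removal steps 1 to 3 above. The function names and the -Remove switch are this example's own choices; run it from an elevated (Administrator) PowerShell session, and note that Get-NetTCPConnection is only available on Windows 8 / Server 2012 and later (on older systems use netstat -ano to check for the connection).

```powershell
# Added example: audit a host for the P2P-Worm.Win32.Palevo.arxz indicators
# from the write-up and optionally remove them. Indicator values come from
# the write-up; function names and the -Remove switch are assumptions of
# this example.
param([switch]$Remove)

$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DroppedFiles = @(
    (Join-Path $env:APPDATA 'ygmdrm.exe'),
    (Join-Path $env:TEMP    '899.exe')
)
$RemoteHost = '94.228.215.208'

function Test-PalevoIndicators {
    $findings = @()

    # Persistence: Winlogon\Taskman pointing at the dropped copy. This value
    # is normally absent on a default Windows installation, so any value here
    # deserves a look even if the path differs from the sample.
    $taskman = (Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue).Taskman
    if ($taskman) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Detail = "Taskman = $taskman" }
    }

    # Dropped files in %AppData% and %Temp%
    foreach ($f in $DroppedFiles) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $f }
        }
    }

    # Running processes whose image lives at one of the dropped paths
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($p.Path -and ($DroppedFiles -contains $p.Path)) {
            $findings += [pscustomobject]@{ Type = 'Process'; Detail = "$($p.ProcessName) (PID $($p.Id)) $($p.Path)" }
        }
    }

    # Active TCP connection to the remote host on port 80
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteHost -RemotePort 80 -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $findings += [pscustomobject]@{ Type = 'Network'; Detail = "$($c.LocalAddress):$($c.LocalPort) -> ${RemoteHost}:80 (PID $($c.OwningProcess))" }
    }

    return $findings
}

function Remove-PalevoIndicators {
    # Step 1: stop processes running from the dropped paths
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($p.Path -and ($DroppedFiles -contains $p.Path)) {
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }

    # Step 2: remove the Winlogon Taskman persistence value
    Remove-ItemProperty -Path $WinlogonKey -Name 'Taskman' -ErrorAction SilentlyContinue

    # Step 3: delete the dropped files
    foreach ($f in $DroppedFiles) {
        Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    }
}

$findings = @(Test-PalevoIndicators)
if ($findings.Count -eq 0) {
    Write-Output 'No P2P-Worm.Win32.Palevo.arxz indicators found.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remove) {
        Remove-PalevoIndicators
        Write-Output 'Removal attempted; re-run without -Remove to verify the host is clean.'
    }
}
```

Run it once without -Remove to see what is present, then with -Remove to clean up, and a third time to confirm nothing remains. Stopping the process before deleting the file matters because a running executable cannot be deleted, and removing the Taskman value before a reboot stops Winlogon from relaunching the dropped copy.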

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
