
W32.Pilleuz

Risk Level 2: Low

Discovered:
September 29, 2009
Updated:
November 19, 2013 9:49:22 AM
Also Known As:
W32/Autorun.worm!a758e0e7 [McAfee], W32/Rimecud [McAfee], W32/Autorun-AUP [Sophos], ButterflyBot.A [Panda Software], Metulji [Panda Software]
Type:
Worm
Infection Length:
109,056 bytes
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Address blocking
1.3 Network port blocking
1.4 Avoid illicit software
2. Infection method
2.1 Removable drives
2.2 File-sharing applications
2.3 MSN Messenger
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Back door functionality
3.4 Cookie stuffing
4. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
The following precautions can be taken to reduce the risk of infection:
  • Users should disable AutoPlay to prevent automatic launching of executable files on removable drives. More information may be found by reading this article: How to prevent a virus from spreading using the 'AutoRun' feature. It should be noted that the AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.
  • Removable drives should be disconnected when not required. If write access is not needed, enable read-only mode where the drive offers it.
  • When using instant messaging applications, users should use discretion when clicking on links from known or unknown senders. Avoid following URLs sent along with generic messages.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access.
  • Use of a firewall or IDS may block or detect back door server communications with the remote client application.


1.2 Address blocking
Block access to the following addresses using a firewall, router or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:
  • bfisback.no-ip.org
  • butterfly.sinip.es
  • fdsh4tfhdf.estr.es
  • jebena.ananikolic.su
  • juice.losmibracala.org
  • kreten.banjalucke-ljepotice.ru
  • lol.amigosnextel.com
  • mju.arminboutique.com
  • peer.pickeklosarske.ru
  • prcolina.prichaonica.com
  • qwertasdfg.sinip.es
  • sombrero.balkan-hosting.net
  • teske.pornicarke.com


1.3 Network port blocking
Some of the vulnerabilities used to compromise computers are known to be exploited over the following network ports. Blocking these ports at the network perimeter helps reduce the risk to your computer.
  • 1055
  • 1666
  • 6000


1.4 Avoid illicit software
W32.Pilleuz may exploit the demand on the Internet for popular software applications. It does so by placing files in the shared folders of certain file-sharing applications under names that make the worm files look like installers for popular software. Leaving aside the legal implications of downloading commercial software through file-sharing networks, there is always a risk that a downloaded file contains more than expected; W32.Pilleuz is another case in point.

When downloading files such as application installers, one simple tell-tale sign is the size of the downloaded file compared with the expected size of the installer. Malware files are generally small (less than 1MB), whereas typical application installers are tens or hundreds of megabytes. Some malware tries to defeat this basic sanity check by padding the file with junk data to make it appear larger. If in doubt, do not execute the file.

Users are advised to avoid downloading software from file-sharing networks and instead source their software from reputable establishments.



2. INFECTION METHOD
W32.Pilleuz may attempt to spread by using the following methods:
  • Copying itself to removable drives
  • Copying itself to the shared folders of certain file-sharing applications
  • Sending copies of itself through MSN Messenger


2.1 Removable drives
W32.Pilleuz spreads using AutoRun, a Windows feature that allows an executable to run automatically when a drive is accessed. The worm copies itself, together with a configuration file called autorun.inf, to removable drives. An autorun.inf file is simply a text file that specifies how the file should be displayed, along with options for its execution. The following is an example of the contents of a W32.Pilleuz autorun.inf file:

[autorun]
UsEaUtOpLaY=1
SHeLl\opEN=Open
OPen=[PATH TO MALWARE]
SHElL\opeN\coMmand=[PATH TO MALWARE]

As a result, the worm spreads whenever an infected removable drive is inserted into another computer that has AutoRun enabled. Disable this feature so that files on removable devices do not execute when the device is inserted. Note that AutoRun is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.
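As an added illustration (not part of the original writeup), the following Python script parses an autorun.inf the way Windows does, case-insensitively, and reports the traits of the worm's file shown above: randomly cased key names and an executable target. The sample file and its executable name are constructed stand-ins for the [PATH TO MALWARE] placeholder.

```python
import re

# autorun.inf key names are case-insensitive, and W32.Pilleuz writes them in
# mixed case, so names are lower-cased before lookup. EXEC_KEYS name a program.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command"}
CANONICAL = {"useautoplay": "UseAutoPlay"}
EXEC_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|pif)\b", re.IGNORECASE)

# Constructed sample modelled on the autorun.inf quoted above; the file name is
# a made-up stand-in for the worm's random-character executable.
SAMPLE_AUTORUN = """[autorun]
UsEaUtOpLaY=1
SHeLl\\opEN=Open
OPen=Resources\\kq3x9.exe
SHElL\\opeN\\coMmand=Resources\\kq3x9.exe
"""

def parse_autorun(text):
    """Parse INI text into {section: {lower_key: (raw_key, value)}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key.lower()] = (key, value)
    return sections

def assess_autorun(text):
    """Return the reasons an autorun.inf resembles the worm's persistence file."""
    reasons = []
    auto = parse_autorun(text).get("autorun", {})
    for low, (raw, value) in sorted(auto.items()):
        # Vendors spell a key one consistent way (open, OPEN, Open, UseAutoPlay);
        # random casing like "SHeLl\opEN" is a signature-evasion trick in itself.
        if raw not in {low, low.upper(), low.capitalize(), CANONICAL.get(low, low)}:
            reasons.append(f"mixed-case key {raw!r}")
        if low in EXEC_KEYS and EXEC_EXT.search(value.strip('"')):
            reasons.append(f"{low} runs a program: {value}")
    if auto.get("useautoplay", ("", ""))[1] == "1":
        reasons.append("UseAutoPlay=1, as in the W32.Pilleuz sample")
    return reasons

if __name__ == "__main__":
    for reason in assess_autorun(SAMPLE_AUTORUN):
        print("-", reason)
```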


2.2 File-sharing applications
W32.Pilleuz is known to have been distributed through file-sharing (peer-to-peer) networks. Typically, a worm may be deliberately shared by attackers seeking to increase the infection levels of the threat, and as such may be given an enticing name in order to tempt users into downloading the malicious executable. Common enticing names include those of otherwise expensive commercial software packages, key generators, and "cracked" versions of high-end applications. Copies of the threat masquerading as adult pictures and video files are also common, especially those that include the names of celebrities intended to pique users' interest.

This worm has been known to copy itself to the shared folder of any of the following file-sharing applications:
  • Ares
  • BearShare
  • DC++
  • eMule
  • iMesh
  • Kazaa
  • LimeWire
  • Shareaza





2.3 MSN Messenger
The worm may also attempt to spread through the MSN Messenger instant messaging application. The worm periodically checks whether the application is executing and then injects itself into the msnmsgr.exe process. It then sends a customized link that points to a copy of itself to all of the contacts in the application.






3. FUNCTIONALITY


3.1 System Modifications
Note: Side effects created by associated threats are not included in this report.

The following side effects may be observed on computers compromised by members of this threat family.

Files/Folders created
  • %UserProfile%\Application Data\[RANDOM CHARACTER].exe
  • %SystemDrive%\RECYCLER\[SID]\Desktop.ini
  • %DriveLetter%\Resources\[RANDOM CHARACTERS].exe
  • %DriveLetter%\Working

Folders deleted

  • %DriveLetter%\Working

Files modified
  • %System%\drivers\etc\hosts

Registry entry created

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%UserProfile%\Application Data\[RANDOM CHARACTER].exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%SystemDrive%\RECYCLER\[SID]\sysdate.exe"

Registry subkeys/entries deleted
  • None

Registry subkeys/entries modified (final values given)

  • None

Processes

Injects itself into the following processes:
  • explorer.exe
  • iexplore.exe
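The following Python script is an added example, not part of the Symantec writeup. It audits a Windows hosts file for two things this writeup raises: whether the C&C names from section 1.2 are blackholed as recommended there, and whether any name has been pointed at a non-loopback address, which matters because the worm modifies %System%\drivers\etc\hosts (section 3.1). The hosts file content is constructed for illustration.

```python
import ipaddress

# The 13 C&C hostnames listed in section 1.2 of this writeup.
PILLEUZ_DOMAINS = {
    "bfisback.no-ip.org", "butterfly.sinip.es", "fdsh4tfhdf.estr.es",
    "jebena.ananikolic.su", "juice.losmibracala.org",
    "kreten.banjalucke-ljepotice.ru", "lol.amigosnextel.com",
    "mju.arminboutique.com", "peer.pickeklosarske.ru",
    "prcolina.prichaonica.com", "qwertasdfg.sinip.es",
    "sombrero.balkan-hosting.net", "teske.pornicarke.com",
}

# Constructed hosts file: two blackhole styles (127.0.0.1 and 0.0.0.0), a line
# with several names, a trailing comment, and one made-up non-loopback redirect.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 teske.pornicarke.com bfisback.no-ip.org   # blackholed per section 1.2
0.0.0.0\tbutterfly.sinip.es
198.51.100.7    update.example.test
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; comments and blanks skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a real audit would report it
        for name in fields[1:]:
            yield ip, name.lower()

def audit_hosts(text, blocked=PILLEUZ_DOMAINS):
    """Report which C&C names are blackholed, which are not, and every name that
    resolves somewhere other than loopback/unspecified (the worm edits this file)."""
    sinkholed, redirected = set(), {}
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if name in blocked:
                sinkholed.add(name)
        else:
            redirected[name] = str(ip)
    return {"sinkholed": sorted(sinkholed),
            "missing": sorted(blocked - sinkholed),
            "redirected": redirected}
```

On a live system, read the file at %System%\drivers\etc\hosts and pass its text to audit_hosts; any entry in "redirected" should be explained before it is trusted.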


3.2 Network activity
The worm communicates through encrypted UDP packets with any of its command and control (C&C) servers, including those listed in section 1.2 (Address blocking).





The worm may then perform the following network activities.


Downloading
It may perform the following actions:
  • Download and execute adware on the compromised computer
  • Download updates of itself

Uploading
It may upload the following information to a remote location:
  • Bank details, including user names and passwords
  • Information from web browsers, including saved passwords

Other network activity
The worm may attempt to flood a particular domain with network traffic, thereby performing a distributed denial of service (DDoS) attack.


3.3 Back door functionality
The worm opens a back door that allows a remote attacker to access the compromised computer. It does this by connecting to a C&C server whose address is hard-coded into the worm. The URL is broken up into sections within the worm's executable code and reconstructed by the worm at run time. For example, to connect to "teske.pornicarke.com", the worm stores the characters back to front and split into separate pieces, yet it is still able to reassemble the URL. This is a basic obfuscation technique used by malware to hide information from researchers.
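As an added example that is not from the original writeup, the Python code below recovers a C&C hostname stored in the reversed, fragmented form described above: it extracts printable strings from a buffer, as the strings tool does, and checks whether some of them tile the reversed name. The byte buffer is constructed for illustration and is not data from the worm.

```python
import re

# C&C hostnames from this writeup; the worm stores at least one of them reversed
# and cut into pieces inside its executable.
KNOWN_C2 = ["teske.pornicarke.com", "jebena.ananikolic.su"]

# Constructed stand-in for a slice of a data section: the first domain reversed
# and split into three pieces with unrelated strings between them, the second
# absent. These are not bytes from the real sample.
SAMPLE_BLOB = (b"\x00\x00kernel32.dll\x00moc.e\x00\x00\x00user32\x00"
               b"kracinrop\x00\x01\x02\x00.ekset\x00GetProcAddress\x00")

def extract_strings(blob, min_len=2):
    """Return printable-ASCII runs of at least min_len bytes, as `strings` does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def can_tile(target, fragments):
    """True if target equals some concatenation of the given fragments (each
    usable any number of times): a dynamic programme over target offsets."""
    reach = [False] * (len(target) + 1)
    reach[0] = True
    for i in range(len(target)):
        if reach[i]:
            for f in fragments:
                if target.startswith(f, i):
                    reach[i + len(f)] = True
    return reach[len(target)]

def find_hidden_domains(blob, domains=KNOWN_C2, min_len=2):
    """Map each domain to how it appears in blob: "plain", "reversed",
    "fragmented" (reversed pieces that tile the name) or None.
    A larger min_len cuts false positives on big binaries at the cost of
    missing very short fragments."""
    frags = set(extract_strings(blob, min_len))
    found = {}
    for d in domains:
        rev = d[::-1]
        if d.encode() in blob:
            found[d] = "plain"
        elif rev.encode() in blob:
            found[d] = "reversed"
        elif can_tile(rev, {f for f in frags if f in rev}):
            found[d] = "fragmented"
        else:
            found[d] = None
    return found

if __name__ == "__main__":
    print(find_hidden_domains(SAMPLE_BLOB))
```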





The remote attacker may then perform any of the following actions:
  • Download and execute other programs (primarily adware)
  • Download and inject code into explorer
  • Drop cookies
  • Perform distributed denial of service (DDoS) attacks
  • Update itself


3.4 Cookie stuffing
W32.Pilleuz has been known to perform the act of "cookie stuffing", the result of which is stealing affiliate commissions for online purchases. For example, when a user purchases an item on a site that they were directed to through an advertisement or link on another site, the advertising site often earns a commission. The worm puts false information into the cookies that exist on the compromised computer in order to "claim" (i.e. "steal") the commission from the advertising site.



4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resource:
Blog entries on W32.Pilleuz

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Eoin Ward and Éamonn Young