W32.Pilleuz


Discovered: September 29, 2009
Updated: November 19, 2013 9:49:22 AM
Also Known As: W32/Autorun.worm!a758e0e7 [McAfee], W32/Rimecud [McAfee], W32/Autorun-AUP [Sophos], ButterflyBot.A [Panda Software], Metulji [Panda Software]
Type: Worm
Infection Length: 109,056 bytes
Systems Affected: Windows

W32.Pilleuz is a worm that spreads through file-sharing programs, MSN Messenger, and removable drives. It also opens a back door on the compromised computer.

Bot creation
W32.Pilleuz is a worm that can be created by using a bot creation kit also known as the "Butterfly" or "Mariposa" bot creation kit. The purpose of the kit is malicious in nature, as it allows someone to create a worm with destructive capabilities, despite the kit's authors claiming that it was developed for research purposes only. The kit is a professionally constructed piece of software providing easy access to a range of powerful features, and it even includes a user manual to help users get started. Such is the ease of use of this bot creation kit that it has become a popular resource among online criminals.

Once the bots are created, they are distributed to computers across the Internet in order to establish a malicious botnet. The botnet is comprised of two types of components:

  • Command and control (C&C) server
  • Bot (the worm)


The worm can arrive on a compromised computer through various means, which will be discussed in the next section. The author can specify multiple C&C servers, which can be used to communicate with bots that are installed on compromised computers. Once installed on the computer, it opens a back door and communicates with one of the specified C&C servers in order to carry out the commands of the remote attacker.



Infection
W32.Pilleuz employs three methods of propagation:
  • File-sharing applications
  • MSN Messenger
  • Removable drives


The worm spreads by copying itself to the shared folder of certain file-sharing applications. It is capable of connecting to certain websites, which have a list of file names to use. It then copies itself to the shared folders as the file names it has obtained from the website.

It may also attempt to spread through the MSN Messenger instant messaging application. The worm periodically checks whether the application is executing and then injects itself into the msnmsgr.exe process. It then sends a customized link that points to a copy of itself to all of the contacts in the application.

Furthermore, the worm attempts to spread through removable drives. When a drive is inserted into the compromised computer, the worm copies itself to the drive. It also uses the AutoRun feature of Windows to run automatically. It does this by modifying the autorun.inf file and then locking it so that no other software or malware can use AutoRun to execute. The autorun.inf file stays locked until the drive is removed from the computer.

The spreading capabilities are described in the user manual of the bot creation kit.





Functionality
Once the worm is installed on a compromised computer, it can communicate with a remote command and control (C&C) server using encrypted UDP to establish a back door connection. This back door allows a remote attacker to gain access to the compromised computer. The remote attacker may then perform any of the following actions:
  • Download more files, including updates to itself
  • Download adware
  • Manipulate cookies
  • Perform distributed denial of service (DDoS) attacks
  • Steal information


The bot creation kit offers an extensive list of features from which a would-be criminal can choose. These are documented in the user manual that comes with the kit.





Once installed on the computer, the worm may steal information such as credit card information and banking details. It also manipulates cookies stored in the computer's browsers in order to steal commission from certain online purchases.


Concentration of bot detections
W32.Pilleuz has primarily been observed in the following locations:
  • India
  • Mexico
  • United States


While the three countries above have witnessed the most instances of the threat, India is by far the most affected location. There are at least four times as many instances of the worm in India as there are in the next most affected country, Mexico. It has also been claimed that half of the Fortune 100 companies have at one stage or another been compromised by this worm.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.









PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.






SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures


Antivirus (heuristic/generic)


    AutoRun and W32.Pilleuz
    Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it.

    For more information, see the following resource:
    How to prevent a virus from spreading using the "AutoRun" feature

    Antivirus Protection Dates

    • Initial Rapid Release version September 30, 2009 revision 001
    • Latest Rapid Release version April 19, 2018 revision 033
    • Initial Daily Certified version September 30, 2009 revision 002
    • Latest Daily Certified version April 19, 2018 revision 038
    • Initial Weekly Certified release date September 30, 2009

    Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

    Writeup By: Eoin Ward and Éamonn Young


    1. Prevention and avoidance
    1.1 User behavior and precautions
    1.2 Address blocking
    1.3 Network port blocking
    1.4 Avoid illicit software
    2. Infection method
    2.1 Removable drives
    2.2 File-sharing applications
    2.3 MSN Messenger
    3. Functionality
    3.1 System modifications
    3.2 Network activity
    3.3 Back door functionality
    3.4 Cookie stuffing
    4. Additional information



    1. PREVENTION AND AVOIDANCE
    The following actions can be taken to avoid or minimize the risk from this threat.


    1.1 User behavior and precautions
    The following precautions can be taken to reduce the risk of infection:

    • Users should disable AutoPlay to prevent automatic launching of executable files on removable drives. More information may be found by reading this article: How to prevent a virus from spreading using the 'AutoRun' feature. It should be noted that the AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.
    • Removable drives should be disconnected when not required and, if write access is not needed, switched to read-only mode where the drive offers that option.
    • When using instant messaging applications, users should use discretion when clicking on links from known or unknown senders. Avoid following URLs sent along with generic messages.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access.
    • Use of a firewall or IDS may block or detect back door server communications with the remote client application.


    1.2 Address blocking
    Block access to the C&C addresses used by this worm with a firewall or router, or add entries to the local hosts file that redirect them to 127.0.0.1.


    1.3 Network port blocking
    Some of the vulnerabilities used to compromise computers have been known to use the following network ports to spread. Blocking these ports at the network perimeter will help to reduce the risk to your computer.
    • 1055
    • 1666
    • 6000


    1.4 Avoid illicit software
    W32.Pilleuz may attempt to exploit the demand on the Internet for certain popular software applications. It taps into this demand by placing files in the shared folders of certain file-sharing applications under file names that make the worm files look like installers for popular software. Leaving aside the legal implications of downloading commercial software through file-sharing networks, there is always a risk that what is downloaded contains more than expected; W32.Pilleuz is a case in point.

    When downloading files such as application installers, one simple tell-tale check is to compare the size of the downloaded file with the expected size of the application installer. Malware files generally tend to be small (less than 1MB), whereas typical application installers are usually tens or hundreds of megabytes in size. Some malware may try to counter this basic sanity check by padding the file with junk data to make it appear larger. If in doubt, do not execute the file.

    Users are advised to avoid downloading software from file-sharing networks and instead source their software from reputable establishments.



    2. INFECTION METHOD
    W32.Pilleuz may attempt to spread by using the following methods:
    • Copying itself to removable drives
    • Copying itself to the shared folders of certain file-sharing applications
    • Sending copies of itself through MSN Messenger


    2.1 Removable drives
    W32.Pilleuz spreads by using AutoRun, a feature of Windows that allows an executable to run automatically when a drive is accessed. The worm copies itself and an accompanying configuration file called autorun.inf to removable drives. An autorun.inf file is simply a text file that specifies how the drive should be displayed, along with options for what is executed. The following is an example of the information contained in a W32.Pilleuz autorun.inf file:

    [autorun]
    UsEaUtOpLaY=1
    SHeLl\opEN=Open
    OPen=[PATH TO MALWARE]
    SHElL\opeN\coMmand=[PATH TO MALWARE]

    This means that the worm is able to spread when the removable drives are inserted into another computer that has AutoRun enabled. This feature should be disabled so that files on removable devices do not execute when the device is inserted into the computer. It should be noted that the AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.
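    As an added example, not taken from the writeup, the following Python check parses an autorun.inf in the layout shown above, lower-casing the mixed-case keys before matching, and reports every entry that would launch a program when the drive is inserted. The sample file and the target path Resources\xkqz.exe are constructed for this example.

```python
import re

# Constructed sample mirroring the layout shown in the writeup; the target
# path is invented for this example, not taken from a real sample.
SAMPLE_AUTORUN = r"""[autorun]
UsEaUtOpLaY=1
SHeLl\opEN=Open
OPen=Resources\xkqz.exe
SHElL\opeN\coMmand=Resources\xkqz.exe
"""

# Keys that make Windows launch something: 'open', 'shellexecute' and any
# 'shell\<verb>\command' entry (the verb name is attacker-chosen).
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys.

    Whitespace is stripped, comment lines are skipped and lines outside
    the [autorun] section or without '=' are ignored.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def execution_targets(text: str) -> list:
    """(key, target) pairs that would launch a program through AutoRun."""
    return [(k, v) for k, v in parse_autorun(text).items() if EXEC_KEY.match(k)]


def mixed_case_keys(text: str) -> list:
    """Keys whose letters alternate case, a cheap signal of obfuscation."""
    keys = [l.split("=", 1)[0].strip() for l in text.splitlines() if "=" in l]
    return [k for k in keys if k not in (k.lower(), k.upper(), k.capitalize())]


def looks_suspicious(text: str) -> bool:
    """True when the file launches something and hides its keys in mixed case.

    Legitimate autorun.inf files use consistent casing, so mixed case on an
    executing key is worth surfacing during triage of a removable drive.
    """
    return bool(execution_targets(text)) and bool(mixed_case_keys(text))


if __name__ == "__main__":
    for key, target in execution_targets(SAMPLE_AUTORUN):
        print(f"{key} -> {target}")
    print("suspicious:", looks_suspicious(SAMPLE_AUTORUN))
```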


    2.2 File-sharing applications
    W32.Pilleuz is known to have been distributed through file-sharing (peer-to-peer) networks. Typically, a worm may deliberately be shared by attackers seeking to increase the infection levels of the threat, and as such may be given an enticing name in order to tempt users into downloading the malicious executable. Common enticing names include those of otherwise expensive commercial software packages, key generators, and "cracked" versions of high-end applications. Copies of the threat masquerading as adult pictures and video files are also common, especially those that include the names of celebrities intended to pique users' interest.

    This worm has been known to copy itself to the shared folder of any of the following file-sharing applications:
    • Ares
    • BearShare
    • DC++
    • eMule
    • iMesh
    • Kazaa
    • LimeWire
    • Shareaza





    2.3 MSN Messenger
    The worm may also attempt to spread through the MSN Messenger instant messaging application. The worm periodically checks whether the application is executing and then injects itself into the msnmsgr.exe process. It then sends a customized link that points to a copy of itself to all of the contacts in the application.






    3. FUNCTIONALITY


    3.1 System Modifications
    Note: Side effects created by associated threats are not included in this report.

    The following side effects may be observed on computers compromised by members of this threat family.

    Files/Folders created
    • %UserProfile%\Application Data\[RANDOM CHARACTER].exe
    • %SystemDrive%\RECYCLER\[SID]\Desktop.ini
    • %DriveLetter%\Resources\[RANDOM CHARACTERS].exe
    • %DriveLetter%\Working

    Folders deleted

    • %DriveLetter%\Working

    Files modified
    • %System%\drivers\etc\hosts

    Registry entry created

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%UserProfile%\Application Data\[RANDOM CHARACTER].exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%SystemDrive%\RECYCLER\[SID]\sysdate.exe"

    Registry subkeys/entries deleted
    • None

    Registry subkeys/entries modified (final values given)

    • None

    Processes

    Injects itself into the following processes:
    • explorer.exe
    • iexplore.exe


    3.2 Network activity
    The worm communicates through encrypted UDP packets with any of its command and control (C&C) servers.





    The worm may then perform the following network activities.


    Downloading
    It may perform the following actions:
    • Download and execute adware on the compromised computer
    • Download updates of itself

    Uploading
    It may upload the following information to a remote location:
    • Bank details, including user names and passwords
    • Information from web browsers, including saved passwords

    Other network activity
    The worm may attempt to flood network traffic to a certain domain, thereby performing a distributed denial of service (DDoS) attack.


    3.3 Back door functionality
    The worm opens a back door that allows a remote attacker to gain access to the compromised computer. It does this by connecting to a C&C server whose address is hard-coded into the worm. The URL is broken up into sections within the worm's executable code and reconstructed during execution. In one example, the worm connects to "teske.pornicarke.com": the characters are stored back to front and split into separate pieces, yet the worm is able to reassemble the URL at run time. This is a basic obfuscation technique used in malware to hide information from researchers.
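    As an added example (not code from the Symantec writeup), the following Python scanner looks for a hostname stored in this reversed, split form: it reverses a known C&C domain, cuts it into fixed-size pieces and reports a hit only when every piece occurs somewhere in the sample, in any order. The fixed piece size is an assumption, since the writeup does not state how the worm divides the string, and the sample bytes are constructed.

```python
KNOWN_DOMAINS = ["teske.pornicarke.com"]  # the domain quoted in the writeup


def reversed_pieces(domain: str, size: int) -> list:
    """Reverse the domain and split the result into chunks of `size` bytes."""
    rev = domain[::-1].encode("ascii")
    return [rev[i:i + size] for i in range(0, len(rev), size)]


def find_split_reversed(blob: bytes, domain: str, size: int = 5):
    """Offsets of every chunk of the reversed domain, or None if any is absent.

    The chunks may sit anywhere in the blob and in any order; a plain
    forward search for the domain would miss them entirely. The chunk
    size of 5 is an assumption for this example.
    """
    offsets = []
    for piece in reversed_pieces(domain, size):
        pos = blob.find(piece)
        if pos < 0:
            return None
        offsets.append(pos)
    return offsets


def scan(blob: bytes, domains=KNOWN_DOMAINS, size: int = 5) -> dict:
    """Map each known domain found in obfuscated form to its chunk offsets."""
    hits = {}
    for domain in domains:
        found = find_split_reversed(blob, domain, size)
        if found is not None:
            hits[domain] = found
    return hits


# Constructed blob: the reversed hostname "moc.ekracinrop.ekset" cut into
# 5-byte pieces and scattered among filler bytes in non-sequential order.
SAMPLE_BLOB = (
    b"\x00\x00PADDING" + b"nrop." + b"\x90\x90" + b"ekset" +
    b"\x00MZ\x00" + b"moc.e" + b"\xcc\xcc" + b"kraci" + b"\x00\x00"
)

if __name__ == "__main__":
    for domain, offsets in scan(SAMPLE_BLOB).items():
        print(f"{domain}: reversed pieces at offsets {offsets}")
```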





    The remote attacker may then perform any of the following actions:
    • Download and execute other programs (primarily adware)
    • Download and inject code into explorer
    • Drop cookies
    • Perform distributed denial of service (DDoS) attacks
    • Update itself


    3.4 Cookie stuffing
    W32.Pilleuz has been known to perform "cookie stuffing", the result of which is the theft of affiliate commissions for online purchases. For example, when a user purchases an item on a site that they were directed to through an advertisement or link on another site, the advertising site often earns a commission. The worm puts false information into the cookies on the compromised computer in order to "claim" (i.e. steal) the commission from the advertising site.



    4. ADDITIONAL INFORMATION
    For more information relating to this threat family, please see the following resource:
    Blog entries on W32.Pilleuz

    Recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    • For further information on the terms used in this document, please refer to the Security Response glossary.


    You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

    Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



    FOR NORTON USERS
    If you are a Norton product user, we recommend you try the following resources to remove this risk.

    Removal Tool


    If a Windows system file is infected, you may need to replace it using the Windows installation CD.


    How to reduce the risk of infection
    The following resources provide further information and best practices to help reduce the risk of infection.


    FOR BUSINESS USERS
    If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

    Identifying and submitting suspect files
    Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


    Removal Tool

    If a Windows system file is infected, you may need to replace it using the Windows installation CD.


    How to reduce the risk of infection
    The following resource provides further information and best practices to help reduce the risk of infection.
    Protecting your business network



    MANUAL REMOVAL
    The following instructions pertain to all current Symantec antivirus products.

    1. Performing a full system scan
    How to run a full system scan using your Symantec product


    2. Restoring settings in the registry
    Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
