
System Infected: JS.Proslikefan Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects JS.Proslikefan JavaScript worm activity on compromised computers.

Additional Information

When the worm is executed it may copy itself to the following locations:

%UserProfile%\Application Data\uc\cu.js
%ProgramFiles%\3db7\3cb3.js
%UserProfile%\Start Menu\Programs\Startup\[ENCODED STRING].js


Next, the worm may modify the following files in order to change the user's home page:

%UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
%UserProfile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\user.js


It may also create the following files:

%Temp%\Perflib_Perfdata_20c.dat
%Temp%\Perflib_Perfdata_210.dat


The worm sets the following attributes for all folders that it creates:

Archive
Hidden
Read-only
System


It then creates the following registry entries so that it executes whenever Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"cu" = "%UserProfile%\Application Data\uc\cu.js"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"719" = "%UserProfile%\Application Data\67\719.js"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"b326b" = "%UserProfile%\Application Data\a5\b326b.js"


Next, it deletes the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}


The worm then modifies the following registry entries in order to disable antivirus and firewall settings on the compromised computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"FirewallDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\"FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = "1"


It then modifies the following registry entries in order to disable command prompt, registry editor, and Windows Task Manager on the compromised computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\"DisableCMD" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableCMD" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableRegistryTools" = "1"


Next, the worm modifies the following registry entries in order to change the DNS and browser settings on the compromised computer:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"DhcpNameServer" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"NameServer" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"www" = "[VALUE FROM CONFIGURATION FILE]#"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\"Default" = "[VALUE FROM CONFIGURATION FILE]#"
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"Default" = "[VALUE FROM CONFIGURATION FILE]#"


It also modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\"NoDispCPL" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"SystemRestoreDisableSR" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT\"DontReportInfectionInformation" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "4"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"ParseAutoexec" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MigrateProxy" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoWindowsUpdate" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"NoDispCPL" = "1"
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"


Next, it modifies the following registry entries in order to alter the browser settings on the compromised computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\"www" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\"Default" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[VALUE FROM CONFIGURATION FILE]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\"Default" = "[VALUE FROM CONFIGURATION FILE]"


It then modifies registry entries under the following subkeys in order to alter the DNS setting on the compromised computer:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
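
The registry changes listed above are the most durable artifacts of an infection, and on a machine where regedit and Task Manager have been disabled the quickest way to review them is an offline export. The following script is an added example, not code from Symantec or from the worm: it parses a .reg export and flags the value patterns described in this writeup (script-launching Run values, Security Center notify/override flags, the cmd/regedit/Task Manager lockout policies, the wscsvc service set to disabled, the firewall profile switched off, and any NameServer override). The embedded export is constructed for illustration; key paths and value names mirror the writeup, while the user name, program paths and DNS address are invented.

```python
"""Triage a Windows registry export (.reg text, as written by regedit or
reg.exe export) for the persistence and defense-tampering values listed
above for JS.Proslikefan.

Added example, not part of the Symantec writeup.  SAMPLE_EXPORT is
constructed: key paths and value names mirror the writeup, the user name,
program paths and DNS address are invented.
"""
import re

# A value line is  "name"=data  or  @=data  (the key's default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

LOCKOUT_VALUES = {"DisableCMD", "DisableRegistryTools", "DisableTaskMgr"}

# Constructed sample (raw string so the .reg backslash escaping survives).
# Real exports are UTF-16: open(path, encoding="utf-16").read() before parsing.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cu"="C:\\Documents and Settings\\alice\\Application Data\\uc\\cu.js"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="203.0.113.53"
"""


def _decode(data):
    """Normalise a .reg data field to a string ("1" for dword:00000001)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data  # hex(...) binary blobs are left as written


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a decoded .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:  # continuation lines of hex(...) values are skipped
            name = "(Default)" if m.group(1) is None else m.group(1)
            keys[current][name] = _decode(m.group(2))
    return keys


def triage(keys):
    """Return (rule, key_path, value_name, data) for every suspicious value."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        for name, data in values.items():
            ldata = data.lower()
            if low.endswith("\\currentversion\\run") and (
                    ldata.endswith(".js") or "wscript" in ldata or "cscript" in ldata):
                rule = "script-persistence"        # Run value launching a script
            elif "\\security center" in low and data == "1" and (
                    name.endswith("DisableNotify") or name.endswith("Override")):
                rule = "security-center-tamper"    # AV/firewall/update alerts silenced
            elif name in LOCKOUT_VALUES and data == "1":
                rule = "admin-tool-lockout"        # cmd, regedit, Task Manager disabled
            elif low.endswith("\\services\\wscsvc") and name == "Start" and data == "4":
                rule = "security-center-service-disabled"
            elif low.endswith("\\firewallpolicy\\standardprofile") and name == "EnableFirewall" and data == "0":
                rule = "firewall-disabled"
            elif low.endswith("\\tcpip\\parameters") and name in ("NameServer", "DhcpNameServer") and data:
                rule = "dns-override"              # review the address against your resolvers
            else:
                continue
            findings.append((rule, path, name, data))
    return findings


def triage_export(text):
    return triage(parse_reg_export(text))


if __name__ == "__main__":
    for rule, path, name, data in triage_export(SAMPLE_EXPORT):
        print("%-34s %s\\%s = %s" % (rule, path, name, data))
```

Export the hives with `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` from a clean boot or from the offline hives, then run the triage over both; the dns-override rule deliberately reports any NameServer value rather than judging it, because only the local network team knows which resolvers are legitimate.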


The worm then checks if any of the following antivirus programs are installed:

Alwil Software
AVAST Software
AVG
Avira
Bitdefender
COMODO
DrWeb
ESET
F-Secure
Kaspersky Lab
Malwarebytes' Anti-Malware
McAfee
Microsoft Security Client
Microsoft Security Essentials
Panda Security
Sophos
Spyware Doctor
Sunbelt
Symantec
Trend Micro
Webroot


It may then end the following (mostly security-related) processes:

avast.setup
avgmfapx.exe
cmd.exe
fs2011.exe
HijackThis.exe
HousecallLauncher.exe
issetup.exe
mbam.exe
mbam-setup.exe
mrt.exe
mrtstub.exe
msconfig.exe
mseinstall.exe
procexp.exe
ptinstall.exe
regedit.exe
rstrui.exe
RUBottedSetup.exe
sdasetup.exe
setup.exe
wuauclt.exe


The worm performs the following checks to determine whether it is running in an analysis or virtual environment.

It first checks whether any running process has a name matching one of the following strings (many are partial names, for example reged and hijack):

autoruns
avast
avenger
avg
CaptureClient.exe
ccsetup
clean
combofix
dds
emergencykit
eset
exeradar
fiddler
filemon
fs20
fss
gmer
hijack
hitman
hotfix
housecall
issetup
jrt
klwk
mbam
mbsa
mcshield
minitool
mrt
msconfig
mse
msss
npe
otl
perfmon
procexp
procmon
ptinstall
reged
regmon
resmon
rkill
roguekiller
rstrui
rubotted
sdasetup
sdefendi
spybot
systemlook
tcpview
unlocker
windows-kb
wireshark
wuauclt
zoek


It also checks whether the BIOS manufacturer is one of the following:

Bochs
innotek
QEMU
Xen


It then checks for the following disk drive models:

Bochs
QEMU
Red Hat
VBOX
Virtual HDD
VMware
Xen


The worm also checks that the CPU name is not QEMU or Bochs and that the SCSI Controller name or manufacturer is not Citrix, Xen or Red Hat.
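
For anyone detonating this sample in a sandbox, the practical question is whether the environment trips any of the checks above, because a tripped check means the worm goes quiet and the run tells you nothing. The following script is an added example, not the worm's code: it applies the indicator lists from this writeup (a subset of the process list, plus the BIOS, disk, CPU and SCSI strings) to a snapshot of a VM and reports what would give it away. The snapshot format is an assumption, a dict holding the fields WMI exposes as Win32_Process.Name, Win32_BIOS.Manufacturer, Win32_DiskDrive.Model, Win32_Processor.Name and Win32_SCSIController Name/Manufacturer; the writeup lists the strings but not the comparison the script performs, so case-insensitive substring matching is also an assumption. Both sample snapshots are constructed.

```python
"""Mirror of the environment checks the writeup attributes to JS.Proslikefan,
usable by a sandbox operator to see whether the worm would go dormant.

Added example, not the worm's code.  Snapshot layout and substring matching
are assumptions; the two snapshots below are constructed.
"""

PROCESS_INDICATORS = (  # subset of the writeup's list; add the rest as needed
    "autoruns", "avast", "combofix", "fiddler", "gmer", "hijack", "mbam",
    "msconfig", "procexp", "procmon", "reged", "regmon", "rkill", "tcpview",
    "wireshark", "wuauclt",
)
BIOS_INDICATORS = ("Bochs", "innotek", "QEMU", "Xen")
DISK_INDICATORS = ("Bochs", "QEMU", "Red Hat", "VBOX", "Virtual HDD", "VMware", "Xen")
CPU_INDICATORS = ("QEMU", "Bochs")
SCSI_INDICATORS = ("Citrix", "Xen", "Red Hat")

# (category, snapshot key, indicator strings)
CHECKS = (
    ("process", "processes", PROCESS_INDICATORS),
    ("bios", "bios_manufacturer", BIOS_INDICATORS),
    ("disk", "disk_models", DISK_INDICATORS),
    ("cpu", "cpu_name", CPU_INDICATORS),
    ("scsi", "scsi_controllers", SCSI_INDICATORS),   # names and manufacturers
)


def _hits(values, indicators):
    """(observed value, indicator) pairs for case-insensitive substring matches."""
    found = []
    for value in values:
        low = value.lower()
        found.extend((value, ind) for ind in indicators if ind.lower() in low)
    return found


def analysis_indicators(snapshot):
    """Return (category, observed_value, indicator) for every check that fires."""
    out = []
    for category, key, indicators in CHECKS:
        values = snapshot.get(key, [])
        if isinstance(values, str):
            values = [values]
        out.extend((category, v, ind) for v, ind in _hits(values, indicators))
    return out


def worm_would_run(snapshot):
    """True when none of the writeup's checks would detect the environment."""
    return not analysis_indicators(snapshot)


# Constructed: a stock VirtualBox guest with Process Explorer open.
VIRTUALBOX_SANDBOX = {
    "processes": ["System", "explorer.exe", "wscript.exe", "procexp64.exe"],
    "bios_manufacturer": "innotek GmbH",
    "disk_models": ["VBOX HARDDISK ATA Device"],
    "cpu_name": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    "scsi_controllers": ["Standard SATA AHCI Controller"],
}

# Constructed: the same guest with the giveaway strings masked and the
# analysis tool renamed before detonation.
HARDENED_SANDBOX = dict(
    VIRTUALBOX_SANDBOX,
    processes=["System", "explorer.exe", "wscript.exe", "pe64.exe"],
    bios_manufacturer="American Megatrends Inc.",
    disk_models=["ST1000DM003-1CH162"],
)


if __name__ == "__main__":
    for name, snap in (("stock VirtualBox", VIRTUALBOX_SANDBOX),
                       ("hardened", HARDENED_SANDBOX)):
        print(name, "-> worm would run:", worm_would_run(snap))
        for category, value, indicator in analysis_indicators(snap):
            print("   %-8s %r matched %r" % (category, value, indicator))
```

On the guest itself the fields can be collected with Get-CimInstance for the classes named in the lead-in; the point of the predicate is that masking the BIOS and disk strings alone is not enough, since a visible Process Explorer window still trips the process check.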

Next, the worm may attempt to contact the following command-and-control (CnC) server:
jsh37.net

The worm then downloads a configuration file from the CnC server and saves it to the following location:
%SystemDrive%\prospect\knock

The worm also performs Google searches; if any of the resulting pages contain strings suggestive of SQL injection errors, it sends the associated information to the CnC server.

It also gathers the following information from the compromised computer and sends it to the CnC server:

Computer name
Installed anti-malware program information
OS version
Script information
User name

If the user is logged in to Facebook, the worm may perform the following actions:

Become a fan of a page
Like a page
Set up a chat


The worm then modifies the hosts file in an attempt to prevent access to the following domains:

antivirus.com
bleepingcomputer.com
ca.com
dispatch.mcafee.com
download.bleepingcomputer.com
download.cnet.com
download.mcafee.com
download.microsoft.com
downloads.malwarebytes.org
downloads.microsoft.com
free.antivirus.com
f-secure.com
go.microsoft.com
housecall.trendmicro.com
kaspersky.com
liveupdate.symantecliveupdate.com
malwarebytes.org
mast.mcafee.com
mcafee.com
microsoft.com
msdn.microsoft.com
mse.dlservice.microsoft.com
my-etrust.com
nai.com
norton.com
pandasecurity.com
pctools.com
secure.nai.com
securelist.com
securityresponse.symantec.com
sophos.com
support.microsoft.com
symantec.com
symantecliveupdate.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
us.trendmicro.com
v4.windowsupdate.microsoft.com
v5.windowsupdate.microsoft.com
viruslist.com
virustotal.com
windows.microsoft.com
windowsupdate.microsoft.com
www.antivirus.com
www.bleepingcomputer.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.malwarebytes.org
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.norton.com
www.pandasecurity.com
www.pctools.com
www.securelist.com
www.sophos.com
www.symantec.com
www.symantecliveupdate.com
www.trendmicro.com
www.viruslist.com
www.virustotal.com


The above domains are diverted to the following IP address:
3.[REMOVED].1.2
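
Because the hosts file is consulted before DNS, the entries above silently break antivirus updates and block the sites a user would turn to for removal tools; a routable redirect address (as in the redacted entry above) additionally hands those requests to whoever controls that host. The following script is an added example, not Symantec's code: it parses a hosts file and reports every mapping for a watched security or update domain, distinguishing entries that merely blackhole the name from entries that redirect it elsewhere. WATCHED_DOMAINS is a subset of the list above (any subdomain of an entry counts); the sample hosts file is constructed, and 198.51.100.7 is a documentation address standing in for the redacted redirect address.

```python
"""Find hosts-file entries that hijack security-vendor and update domains,
as the writeup describes for JS.Proslikefan.

Added example, not Symantec's code.  WATCHED_DOMAINS is a subset of the
writeup's list; SAMPLE_HOSTS is constructed and 198.51.100.7 is a
documentation address standing in for the redacted redirect address.
"""
import ipaddress

WATCHED_DOMAINS = {
    "bleepingcomputer.com", "f-secure.com", "kaspersky.com", "malwarebytes.org",
    "mcafee.com", "microsoft.com", "norton.com", "sophos.com", "symantec.com",
    "symantecliveupdate.com", "trendmicro.com", "virustotal.com",
}

# Constructed sample; the first two mappings are the stock Windows entries.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
198.51.100.7    symantec.com www.symantec.com   # diverted, as in the writeup
198.51.100.7    liveupdate.symantecliveupdate.com
127.0.0.1       downloads.malwarebytes.org
192.0.2.10      intranet.example.internal
"""


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, not a mapping
        for host in fields[1:]:                  # one address may map several names
            yield line_no, addr, host.lower().rstrip(".")


def watched(host):
    """True if host equals, or is a subdomain of, a watched domain."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in WATCHED_DOMAINS for i in range(len(labels)))


def find_hijacked(text):
    """Return (line_no, host, address, kind) for watched names found in the file.

    kind is "blackholed" for loopback/unspecified targets (the name simply
    stops resolving) and "redirected" for anything else (traffic goes to a
    host the attacker chose).
    """
    hits = []
    for line_no, addr, host in parse_hosts(text):
        if not watched(host):
            continue
        kind = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        hits.append((line_no, host, str(addr), kind))
    return hits


if __name__ == "__main__":
    for line_no, host, addr, kind in find_hijacked(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, host, addr, kind))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; the worm sets the hidden and system attributes on what it touches, so read it by path rather than relying on an Explorer listing, and treat a hosts file that contains any vendor or update domain at all as tampered, since a stock installation maps nothing but localhost.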

The worm then attempts to connect to the following domains:

bjdszi.eu
brzuwiyhqk.ru
btlawlvgk.biz
bvjnnyah.eu
cjmmyi.biz
copertps.com
damantryglnd.biz
erpwrsqs.biz
etpsoprc.ru
ggrynohjts.info
ivlvkfo.net
kggactk.name
kmwexmxidu.info
knkaopkktb.net
lefekmynm.name
mosuaghqf.name
mqigbhlv.net
nglvzlzoc.name
nzsiwyz.se
ofekztbgdax.se
ovrzaunb.org
ppysupe.se
qbjnlj.in
qdzzfqo.org
qxyrdol.se
resqdev.in
rtoaglqu.in
specrtop.org
sqgrys.se
tlhgbpq.in
towwoxzwbs.com
twqayffe.in
vuclqbknjt.ru
vumvgvg.org
vxgzgyf.in
www.google.com
xnmlpguk.ru
ybysyhwpq.eu
yxbxbuv.ru
zbdkyshlj.eu
ztgbdtm.biz


It also attempts to connect to the following websites:

[http://]bjdszi.eu/[REMOVED]
[http://]brzuwiyhqk.ru/[REMOVED]
[http://]btlawlvgk.biz/[REMOVED]
[http://]bvjnnyah.eu/[REMOVED]
[http://]cjmmyi.biz/[REMOVED]
[http://]copertps.com/[REMOVED]
[http://]damantryglnd.biz/[REMOVED]
[http://]erpwrsqs.biz/[REMOVED]
[http://]etpsoprc.ru/[REMOVED]
[http://]ggrynohjts.info/[REMOVED]
[http://]ivlvkfo.net/[REMOVED]
[http://]kggactk.name/[REMOVED]
[http://]kmwexmxidu.info/[REMOVED]
[http://]knkaopkktb.net/[REMOVED]
[http://]lefekmynm.name/[REMOVED]
[http://]mosuaghqf.name/[REMOVED]
[http://]mqigbhlv.net/[REMOVED]
[http://]nglvzlzoc.name/[REMOVED]
[http://]nzsiwyz.se/[REMOVED]
[http://]ofekztbgdax.se/[REMOVED]
[http://]ovrzaunb.org/[REMOVED]
[http://]ppysupe.se/[REMOVED]
[http://]qbjnlj.in/[REMOVED]
[http://]qdzzfqo.org/[REMOVED]
[http://]qxyrdol.se/[REMOVED]
[http://]resqdev.in/[REMOVED]
[http://]rtoaglqu.in/[REMOVED]
[http://]specrtop.org/[REMOVED]
[http://]sqgrys.se/[REMOVED]
[http://]tlhgbpq.in/[REMOVED]
[http://]towwoxzwbs.com/[REMOVED]
[http://]twqayffe.in/[REMOVED]
[http://]vuclqbknjt.ru/[REMOVED]
[http://]vumvgvg.org/[REMOVED]
[http://]vxgzgyf.in/[REMOVED]
[http://]www.google.com/loc/js[REMOVED]
[http://]xnmlpguk.ru/[REMOVED]
[http://]ybysyhwpq.eu/[REMOVED]
[http://]yxbxbuv.ru/[REMOVED]
[http://]zbdkyshlj.eu/[REMOVED]
[http://]ztgbdtm.biz/[REMOVED]


The worm may also perform the following actions on the compromised computer:

Download and execute more programs
Download updates of itself


The worm spreads by copying itself to the following locations:

%DriveLetter%\[SCRIPT NAME].js
%DriveLetter%\6767\g76.js
%DriveLetter%\6767\i7a7a7.js
%DriveLetter%\a5\gb4.js
%DriveLetter%\a5\ib8b.js
%AllUsers%\Start Menu\Programs\Startup\24db.js
%DriveLetter%\Documents and Settings\Default User\Start Menu\Programs\Startup\24db.js
%DriveLetter%\Documents and Settings\All Users\Start Menu\Programs\Startup\e76.js
%DriveLetter%\Documents and Settings\Default User\Start Menu\Programs\Startup\e76.js
%UserProfile%\Application Data\67\719.js
%UserProfile%\Application Data\a5\b326b.js
%UserProfile%\Local Settings\Temp\8ef8
%UserProfile%\Local Settings\Temp\fd77
%UserProfile%\Start Menu\Programs\Startup\24db.js
%UserProfile%\Start Menu\Programs\Startup\e76.js
%ProgramFiles%\7884\798.js
%ProgramFiles%\ba3\bb39b.js
%CurrentFolder%\1.bat
%CurrentFolder%\i525.js
%CurrentFolder%\2.bat
%CurrentFolder%\g5e3.js


It also creates the following file so that it executes whenever the drive is accessed:
%DriveLetter%\autorun.inf

Next, it downloads configuration data from the following location:
thepiratebay.org

The worm also spreads by packaging a copy of itself into a .zip file, built from the downloaded configuration data, and copying it to the following peer-to-peer shared folders:

ares\my shared folder
bearshare\shared
edonkey2000\incoming
emule\incoming
grokster\my grokster
icq\shared folder
kazaa lite k++\my shared folder
kazaa lite\my shared folder
kazaa\my shared folder
limewire\shared
morpheus\my shared folder
My Documents\FrostWire\Shared
tesla\files
winmx\shared
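
The two spreading carriers described above, an autorun.inf on a removable drive and a script-bearing .zip in a peer-to-peer share, can both be checked without executing anything. The following script is an added example, not Symantec's code and not the worm's: it extracts the launch commands from an autorun.inf (the open and shellexecute options and any shell\verb\command entries) and flags the ones that invoke a script host or a script file, and it lists the script members inside a .zip so a shared folder can be swept. The autorun.inf text and the zip contents are constructed; the writeup names the dropped path 6767\g76.js but not the command lines the autorun.inf carries, so those are assumptions.

```python
"""Inspect the two carriers the writeup describes for JS.Proslikefan's
spreading: an autorun.inf on a removable drive and a .zip dropped into
peer-to-peer shared folders.

Added example, not Symantec's code.  SAMPLE_AUTORUN and the sample zip
are constructed; the command lines are assumptions.
"""
import io
import re
import zipfile
from pathlib import Path

SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)$", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)

SAMPLE_AUTORUN = r"""[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
label=USB DISK
open=wscript.exe //B //NoLogo 6767\g76.js
shell\open\command=wscript.exe //B //NoLogo 6767\g76.js
shell\explore\command=wscript.exe //B //NoLogo 6767\g76.js
action=Open folder to view files
"""


def parse_autorun(text):
    """Return {option: value} from the [autorun] section (keys lower-cased)."""
    options, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options


def launch_commands(options):
    """Options that run code on insertion or through the drive's context menu."""
    return {k: v for k, v in options.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def script_launchers(text):
    """Launch commands that invoke a script host or end in a script file."""
    return {k: v for k, v in launch_commands(parse_autorun(text)).items()
            if SCRIPT_HOST.search(v) or any(SCRIPT_EXT.search(tok) for tok in v.split())}


def build_sample_zip():
    """Constructed stand-in for the archive the worm drops into shared folders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Some_Movie_2013_DVDRip/readme.txt", "run setup first")
        zf.writestr("Some_Movie_2013_DVDRip/setup.js", "// constructed placeholder, not the worm")
    return buf.getvalue()


def script_members(zip_bytes):
    """Names of archive members with a Windows Script Host extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if SCRIPT_EXT.search(n)]


def scan_share_folder(folder):
    """{zip path: [script members]} for every .zip under a shared folder."""
    hits = {}
    for path in Path(folder).rglob("*.zip"):
        try:
            members = script_members(path.read_bytes())
        except zipfile.BadZipFile:
            continue                       # corrupt or not really a zip; skip
        if members:
            hits[str(path)] = members
    return hits


if __name__ == "__main__":
    import tempfile
    print("autorun.inf launchers:", script_launchers(SAMPLE_AUTORUN))
    with tempfile.TemporaryDirectory() as share:
        (Path(share) / "Some_Movie_2013_DVDRip.zip").write_bytes(build_sample_zip())
        print("share folder hits:", scan_share_folder(share))
```

Point scan_share_folder at each of the share paths listed above (they sit under the user's profile or the program's own directory depending on the client) rather than at the whole drive, so the sweep finishes quickly and the hits are ones a P2P peer would actually download; the extension check is deliberately on the member name alone, since the archive is the carrier and the script inside it is what a curious downloader double-clicks.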

Affected

  • Windows 98, Windows 95, Windows XP, Windows Server 2008, Windows 7, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube