Win32/Prolin


Win32/Prolin is an Internet worm written in Visual Basic. It spreads as an email file attachment through Microsoft Outlook. It arrives in an email with the subject "A great shockwave flash movie" and a file attachment named "creative.exe". The message body contains the following text:

Check out this new flash movie that I downloaded just now ... It's Great

Bye

After the attached file is executed, the worm sends a copy of itself to all addresses in the Outlook address book. It places a copy of itself, the file creative.exe, in the directory C:\WINDOWS\StartMenu\Programs\StartUp\. Provided that the installation directory was not changed from the default during the original installation of the Windows operating system, this ensures the worm is activated at each start of the system. After sending out its copies, it sends a message with the subject "Job complete" and the following text to the address z14xym432@yahoo.com:

Got yet another idiot

An unpleasant result of the activation of "creative.exe" is that all files with the extensions .jpg, .zip and .mp3 are moved into the root directory of drive C:. The worm appends the text "change atleast now to LINUX" to their original names, according to the following scheme:

Picture.jpg ------> Picture.jpgchange atleast now to LINUX
Picture.zip ------> Picture.zipchange atleast now to LINUX
Music.mp3 ------> Music.mp3change atleast now to LINUX

At the end of its execution the worm creates the file messageforu.txt in the root directory of drive C:, containing the following text:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

Right below this text is a list of files with their original locations. These are the files which the worm moved to the root directory of drive C: and renamed with the additional extension. With the help of this list, the consequences of the infection can also be removed manually. The list looks, for example, as follows:

C:\WINDOWS\SYSTEM\OOBE\IMAGES\BGAMEX.JPG
C:\WINDOWS\SYSTEM\OOBE\IMAGES\BGCC.JPG
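The manual clean-up described above can be automated from the same list. The following Python script is an added example and is not part of the original ESET entry: it reads the file list that follows the worm's message, strips the appended text from each file found in the drive root and moves it back to the directory recorded in the list. The suffix and the two OOBE paths are taken from the description above; the path C:\Docs\Music.mp3 is a constructed sample, and a temporary directory stands in for the root of drive C: so the script runs offline on any platform.

```python
import re
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Text the worm appends to every moved file, as given in the description above.
SUFFIX = "change atleast now to LINUX"
LIST_NAME = "messageforu.txt"

# A list entry is a Windows path with a drive letter; the message text above the list is not.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+")

# Constructed sample of messageforu.txt: the worm's message followed by the file list.
# The two OOBE paths are from the description; C:\Docs\Music.mp3 is a constructed entry.
SAMPLE_LIST = (
    "Hi, guess you have got the message. I have kept a list of files that I have infected under this.\n"
    r"C:\WINDOWS\SYSTEM\OOBE\IMAGES\BGAMEX.JPG" "\n"
    r"C:\WINDOWS\SYSTEM\OOBE\IMAGES\BGCC.JPG" "\n"
    r"C:\Docs\Music.mp3" "\n"
)


def parse_file_list(text):
    """Return the original paths listed below the worm's message, in file order."""
    return [line.strip() for line in text.splitlines() if PATH_RE.match(line.strip())]


def restore_files(root, list_text, dry_run=False):
    """Move each renamed file from `root` (standing in for C:\\) back to its original directory.

    Returns two lists of original paths: those restored and those whose renamed
    copy was not found in the root directory.
    """
    restored, missing = [], []
    for original in parse_file_list(list_text):
        win = PureWindowsPath(original)
        renamed = root / (win.name + SUFFIX)          # e.g. BGAMEX.JPGchange atleast now to LINUX
        if not renamed.is_file():
            missing.append(original)
            continue
        dest = root.joinpath(*win.parts[1:])          # drop the 'C:\' anchor, keep the rest
        if not dry_run:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(renamed), str(dest))
        restored.append(original)
    return restored, missing


def demo():
    """Simulate an infected drive root, then restore it; returns the figures checked by the test."""
    root = Path(tempfile.mkdtemp(prefix="prolin_demo_"))
    try:
        for original in parse_file_list(SAMPLE_LIST):
            (root / (PureWindowsPath(original).name + SUFFIX)).write_bytes(b"placeholder")
        (root / LIST_NAME).write_text(SAMPLE_LIST)
        list_text = (root / LIST_NAME).read_text()

        # A dry run reports what would be restored without moving anything.
        planned, _ = restore_files(root, list_text, dry_run=True)
        still_renamed = sum(1 for p in root.iterdir() if p.name.endswith(SUFFIX))

        restored, missing = restore_files(root, list_text)
        intact = all(root.joinpath(*PureWindowsPath(p).parts[1:]).is_file() for p in restored)
        leftovers = sum(1 for p in root.iterdir() if p.name.endswith(SUFFIX))
        return len(planned), still_renamed, len(restored), len(missing), intact, leftovers
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run the dry run first on a real system and compare its output with the list before moving anything. Because the worm put every file into one directory, two originals that shared a file name would have collided there; the script restores whichever renamed copy is present and reports the other entry as missing rather than guessing.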


