Fast-Spreading Worm Targets USB Drives

A crafty new P2P worm appears to be spreading quickly among users of a range of popular file-sharing programs.

So far, the countries affected by the worm variant BitDefender calls Palevo.DP - Romania, Mongolia or Indonesia - suggest that the worm is being driven by factors specific to those countries. However, the file-sharing and IM services affected, said to include LimeWire, Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, and eMule, are widely used around the world by a mainly young audience, so the warning for users outside these countries is clear.

The worm lures victims using a link embedded in a spam IM message, which leads to what appears to be an image file but is actually the malicious payload. From that point on, the malware burrows into the host by installing a number of files that compromise the Windows XP firewall.

By this point the criminals have control over the system and can open backdoors to install further malware or capture passwords entered using Internet Explorer or Mozilla Firefox.

Two elements make Palevo.DP interesting. First, it copies itself to network shares from the infected PC as well as USB sticks or other external drives. Any unprotected system with the Windows autorun feature turned on - basically almost every PC - will find itself infected as those drives are moved from PC to PC.

The second feature is its targeting of P2P services by adding code to shared program files. The combination of removable media and P2P gives the worm a two-pronged attack-and-spread strategy which allows it to target home systems which are then used to launch attacks on better-defended business PCs from inside the network perimeter.
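For defenders checking drives for the autorun vector described above, the following added example (not from the article or from BitDefender) lists the programs that an `autorun.inf` file in a drive's root would launch. The function names and the sample file contents are constructed for illustration; `autorun.inf` and its `[autorun]` keys are the standard Windows mechanism.

```python
import os
import re

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command

def launch_directives(text):
    """Return (key, command) pairs from the [autorun] section.

    Parsed line by line instead of with a strict INI parser, because
    autorun.inf files written by malware are often padded with junk lines.
    """
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value and (key in LAUNCH_KEYS or SHELL_CMD.match(key)):
            found.append((key, value))
    return found

def audit_drive(root):
    """Find autorun.inf (any letter case) in a drive root and parse it."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, encoding="latin-1") as fh:
                return launch_directives(fh.read())
    return []

# Constructed sample, not taken from a real infection.
SAMPLE = r"""
;xJq81 junk padding
[AutoRun]
kd92jdl0
OPEN = RECYCLER\sample.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\Command=RECYCLER\sample.exe
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, command in launch_directives(SAMPLE):
        print(f"{key} -> {command}")
```

Any result from `audit_drive` on a USB stick or mapped share that points at an executable is worth investigating before the drive is attached to another PC.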

"This Palevo offensive is highly aggressive and during the very beginning of the outbreak we have witnessed rates of infection which easily exceeded 500 percent per hour," said BitDefender senior researcher, Catalin Cosoi.
