
new variant of Palevo-worm?


At the moment, there is a real 'wave' of an MSN bot spreading in the Netherlands.
This malware sends an e-mail to all MSN contacts with a message like "It that you on this picture?" and a link that leads to a fake MSN login page (phishing).
Obviously they want to capture your credentials and send them to a remote server.

It is very hard to see anything in a HijackThis log or ComboFix log; MBAM and other AV/AM products also cannot see this malware.
So removing the infection is difficult, and sometimes the best advice is to reinstall the OS, or at least reinstall MSN.
It all looks like a Palevo variant, but this one is hidden in several system logs.

According to Bitdefender this is Worm.P2P.Palevo.DP (http://tiny.cc/6m2ul), but I'm not sure about that.

I already found several Palevos in the OC database, but not this one.

Does anyone know more about this malware, or, better, does anyone have a sample?
Please upload it to OC.

Thanks in advance,
Chato Flores

samples from my collection

Check this thread: http://www.offensivecomputing.net/?q=node/1581
I've got some samples (P2P-Worm.Win32.Palevo) and I hope that is what you are looking for.


Thanks for your reply, and thanks for sharing your collection.
Yes, I can download the whole thing, but I'm only interested in this variant of this IM worm.
Can you upload this one separately from your collection?
Do you have an MD5 of this variant?

In the meantime, I will download the collection, and search for this particular malware.
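Searching a downloaded collection for one particular variant by hash is the step described above. The following is an added example, not code from the thread or from Offensive Computing: it hashes every file under a directory with MD5, SHA-1 and SHA-256 and reports the files whose digest matches a wanted list, so a posted MD5 can be checked against a whole archive. The sample files and the "wanted" hash are constructed in a temporary directory for the demo; no real malware hashes are assumed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha256")


def _digest_chunks(chunks, algos=HASH_ALGOS):
    """Feed an iterable of byte chunks through several hashers at once."""
    hashers = {name: hashlib.new(name) for name in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algos=HASH_ALGOS):
    """Digests of an in-memory blob, e.g. a sample read from an archive."""
    return _digest_chunks([data], algos)


def hash_file(path, algos=HASH_ALGOS, chunk_size=1 << 20):
    """Digests of a file on disk, read in chunks so large dumps stay cheap."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""), algos)


def find_samples(collection_dir, wanted_hashes):
    """Walk a collection and return (path, digests, matched_hashes) for every
    file whose MD5/SHA-1/SHA-256 appears in wanted_hashes (case-insensitive)."""
    wanted = {h.strip().lower() for h in wanted_hashes}
    hits = []
    for root, _dirs, files in os.walk(collection_dir):
        for name in files:
            path = os.path.join(root, name)
            digests = hash_file(path)
            matched = sorted(set(digests.values()) & wanted)
            if matched:
                hits.append((path, digests, matched))
    return hits


def build_demo_collection(base_dir):
    """Constructed stand-in 'samples': harmless bytes, not real malware."""
    samples = {
        "palevo_a.bin": b"constructed sample A\x00\x01\x02",
        "palevo_b.bin": b"constructed sample B\xff\xfe",
        "nested/ircbot_c.bin": b"constructed sample C",
    }
    for rel, data in samples.items():
        p = Path(base_dir) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return samples


def demo():
    """Create the constructed collection, search it for one MD5 (assumed to be
    the hash posted in the thread) and return the relative paths that matched."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = build_demo_collection(tmp)
        wanted_md5 = hash_bytes(samples["nested/ircbot_c.bin"])["md5"]
        hits = find_samples(tmp, [wanted_md5])
        return [
            (os.path.relpath(path, tmp).replace(os.sep, "/"), matched)
            for path, _digests, matched in hits
        ]


if __name__ == "__main__":
    for rel_path, matched in demo():
        print(rel_path, matched)
```

Because all three digests are computed in one pass, a wanted list can mix MD5s from a forum post with SHA-256s from a vendor write-up; only files that actually match are reported, and an unmatched list simply returns nothing.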

I'm sorry

According to this http://www.escanav.com/english/content/virus_info/details/virusdetails.asp?vid=1358, its name in the Kaspersky database is Backdoor.Win32.IRCBot.oyd, which I don't have in my collection. Sorry for the unhelpful response.


You don't have to say sorry, you are very helpful.

Just heard from an HJT expert that a reinstall doesn't cure it: the problem (sending mails to the contact list) also occurs when victims are logged in to MSN on another computer in their LAN. So it looks like the bot/worm uses the victim's IP, or it is a 'real' network worm that infects all computers in the LAN.

Strange, but true.
Looks like a new variant of Palevo.


Chato: I have Backdoor.Win32.IRCBot.oyd. Contact me if you are interested.

upload

Would you upload it to OC, please?


@ VirusBuster,

I'm interested, but how can I contact you?
AFAIK it's not possible to send PMs here, and I do not have your mail or IM address.
But can you upload the sample to OC?

Or you can contact me:
http://knowyourenemy.eu/contact.php

Thanks.


I will not upload it, sorry.

You can find my mail in the BSA manual.