W32.Prolin.Worm
Discovered on: November 30, 2000
Due to a recent increase in world-wide infections of this worm, SARC has increased the
threat level of this worm to 4 and added it to the Top Threats list.
W32.Prolin.Worm uses Microsoft Outlook to email a copy of itself to everyone in the Outlook
address book. The worm moves all .mp3, .jpg, and .zip files to the root folder. It renames
each of these files and appends the extension of each file with the text
change atleast now to LINUX
Also Known As: TROJ_SHOCKWAVE.A, CREATIVE, TROJ_PROLIN.A
Category: Worm
Infection Length: 36,864 bytes
Virus Definitions: November 30, 2000
Threat Assessment:
Wild: High
Damage: Medium
Distribution: High
Wild:
Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Moderate
Damage:
Payload:
Large scale e-mailing: Emails all addresses in the Outlook address book.
Deletes files: Renames and moves all .jpg, .mp3, and .zip files into C:\
Distribution:
Subject of email: A great Shockwave flash movie
Name of attachment: Creative.exe
Size of attachment: 36,864
Target of infection: Win 9x and NT systems.
Technical description:
W32.Prolin.Worm does the following:
1. It uses Microsoft Outlook to email a copy of itself to everyone in the Outlook address
book.
The attachment is named Creative.exe.
The subject of the infected message is
A great Shockwave flash movie.
The body of the infected message is
Check out this new flash movie that I downloaded just now ... It's Great Bye
2. It sends a message to a Yahoo email account.
The subject of the message is
Job complete
The body of the message
Got yet another idiot
3. The worm creates a copy of itself with the name Creative.exe in the
C:\Windows\Start Menu\Programs\Startup folder. This will run the worm each time you start
Windows.
NOTE: It will only be able to do this if C:\Windows is your default Windows folder.
4. The worm then moves all .jpg and .zip files to the root folder. It renames each of these
files and appends the extension of each file with the text:
change atleast now to LINUX
5. The worm copies the Messageforu.txt file to the root of drive C. The file contains the
text
Hi, guess you have got the message. I have kept a list of files that I have infected under
this. If you are smart enough just reverse back the process. i could have done far better
damage, i could have even completely wiped your harddisk. Remember this is a warning &
get it sound and clear... - The Penguin
Removal instructions:
To remove the W32.Prolin.Worm you must
1. Find and delete all copies of the Creative.exe file
2. Open an MS-DOS window and rename the files that were renamed by the worm back to their
original extensions
3. Move the files back to their original locations
NOTE: If you have not already done so, do not restart the computer. This worm creates the
C:\Messageforu.txt file when it runs. If you subsequently restart the computer, the
Messageforu.txt is deleted. This file contains a list of the .mp3, .jpg, and .txt files
that were moved to the root of drive C. It also contains the original locations of the
moved files. If you have restarted the computer, and this file no longer exists, then it
is still possible to recover the files, but it will be more difficult to return them to
their original locations.
To find and delete the Creative.exe files:
1. Click Start, point to Find, and click Files or Folders.
2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
3. In the Named box, type the following, and then click Find Now:
creative.exe
4. Windows will find the files and display them in the lower pane of the Find window. It is
likely that more than one will be found. In most cases there will be one copy in C:\ and
another in the \Startup folder.
5. Select each one, press Delete, and then click Yes to confirm.
6. Close the Find Files window.
7. Right-click the Recycle Bin icon on the Windows desktop, and click Empty Recycle Bin.
To rename the files:
1. Click Start, point to Programs, and click MS-DOS Prompt or Command Prompt.
2. Type each of the following, and press Enter after each one. Note that there is a space
between the second and the third asterisks.
CD\
ren *.jpg* *.jpg
ren *.zip* *.zip
ren *.mp3* *.mp3
3. Close the DOS window.
To move the files back to their original locations:
1. Start Windows Explorer.
2. Locate and double-click the C:\Messageforu.txt file to open it in Notepad. Use the file
as a guide to move the .mp3, .jpg, and .zip files from the root of drive C to their original
locations.
NOTE: If the Messageforu.txt file no longer exists, then move the files to the location of
your choice. Do not leave them in the root of drive C.
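The artifacts listed in the technical description (Creative.exe in the root and Startup folders, C:\Messageforu.txt, files whose extension has the worm's text appended) and the rename-back step of the removal instructions, as an added example. The script below was written for this page and is not Symantec's tool or part of the original write-up. It assumes, as the write-up states, that the worm keeps the original name and extension and appends "change atleast now to LINUX" directly after it, and that the affected files sit together in one directory. Unlike the wildcard ren commands above, it refuses to rename a file when a clean file of the original name already exists, and it runs in dry-run mode by default so the plan can be checked against Messageforu.txt first.

```python
import os
import sys
from pathlib import Path

# Text W32.Prolin.Worm appends after the extension of each file it moves to C:\
# (taken from the write-up above).
MARKER = "change atleast now to LINUX"
# File types the worm moves and renames, per the write-up.
TARGET_EXTS = (".mp3", ".jpg", ".zip")
# Other file-name indicators named in the write-up (compared case-insensitively).
WORM_EXE = "creative.exe"
WORM_NOTE = "messageforu.txt"


def original_name(name):
    """Return the pre-infection name of a file the worm renamed, or None.

    'song.mp3change atleast now to LINUX' came from 'song.mp3'.  A name that
    does not end in MARKER, or whose remaining extension is not one the worm
    targets, is returned as None: the worm did not touch it.
    """
    if not name.endswith(MARKER):
        return None
    stripped = name[:-len(MARKER)]
    if stripped.lower().endswith(TARGET_EXTS):
        return stripped
    return None


def plan_restore(names):
    """Map each marked name to its original name without touching the disk.

    Returns (renames, skipped): renames is a list of (current, original) pairs
    that are safe to apply; skipped lists marked files whose original name is
    already taken in the same directory, where a blind wildcard rename could
    overwrite a clean file.
    """
    taken = set(names)
    renames, skipped = [], []
    for name in names:
        orig = original_name(name)
        if orig is None:
            continue
        if orig in taken:
            skipped.append(name)
        else:
            renames.append((name, orig))
            taken.add(orig)
    return renames, skipped


def indicators(root_names, startup_names):
    """Report which of the write-up's file-name artifacts are present.

    root_names are the file names in the root of drive C, startup_names those
    in the Startup folder.  Returns a list of human-readable findings.
    """
    found = []
    root_lower = {n.lower() for n in root_names}
    if WORM_EXE in root_lower:
        found.append("Creative.exe in root of drive C")
    if WORM_EXE in {n.lower() for n in startup_names}:
        found.append("Creative.exe in Startup folder")
    if WORM_NOTE in root_lower:
        found.append("Messageforu.txt in root of drive C (keep it: it lists original locations)")
    marked = [n for n in root_names if original_name(n)]
    if marked:
        found.append(f"{len(marked)} file(s) carrying the worm's appended text")
    return found


def restore_directory(directory, dry_run=True):
    """Apply plan_restore() to the files in `directory` (e.g. the root of drive C).

    With dry_run=True nothing is renamed; the plan is only printed.
    """
    directory = Path(directory)
    names = [p.name for p in directory.iterdir() if p.is_file()]
    renames, skipped = plan_restore(names)
    for current, orig in renames:
        print(f"{current!r} -> {orig!r}")
        if not dry_run:
            os.rename(directory / current, directory / orig)
    for name in skipped:
        print(f"SKIP {name!r}: {original_name(name)!r} already exists")
    return renames, skipped


if __name__ == "__main__":
    # Usage: python prolin_restore.py C:\ [--apply]   (directory path is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    restore_directory(target, dry_run="--apply" not in sys.argv)
```

Run it once without --apply, compare the printed plan with the list in C:\Messageforu.txt, then run it again with --apply; files it skips have to be resolved by hand so that nothing is overwritten.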