Encyclopedia

Perwall.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Perwall.A carries out the following actions:

  • When it is run, it opens the folder C:\windows\web\wallpaper, where the wallpaper images are located.
  • It creates many copies of itself in different directories of the affected computer and an AUTORUN.INF file so that whenever any of these directories is accessed, the worm is run.
  • The worm is also run whenever a file with a REG (Windows Registry file) or MSC (Microsoft Management Console file) extension is run.
  • It hides the files of the operating system.

Infection strategy 

Perwall.A creates the following files, which are copies of itself:

  • MS-DOS.COM, in the root directory of the C: drive.
  • GLOBAL.EXE, in the Desktop, in the subfolder PCHEALTH of the Windows directory and in the subfolder dllcache of the Windows system directory.
  • FONTS.EXE and TSKMGR.EXE, in the subfolder Fonts of the Windows directory.
  • MICROSOFT.HLP, in the subfolder Help of the Windows directory.
  • RNDLL32.PIF, in the subfolder Media of the Windows directory.
  • HELPHOST.COM, in the subfolder PCHEALTH\HELPCTR\binaries of the Windows directory.
  • KEYBOARD.EXE, in the subfolder system of the Windows directory.
  • REGEDIT.EXE, in the Windows system directory.
  • DEFAULT.EXE and DRIVERS.CAB.EXE, in the subfolder dllcache of the Windows system directory.

 

Additionally, it creates an AUTORUN.INF file in the C: drive and in the available mapped drives. This way, the worm is run whenever any of these drives is accessed.

 

Perwall.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    sys = %windir%\Fonts\fonts.exe

    where %windir% is the Windows directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Default = %windir%\system\KEYBOARD.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Default = %sysdir%\dllcache\default.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, Perwall.A ensures that it is run whenever Windows is started.

 

Perwall.A modifies the following entries from the Windows Registry:

  • HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command
    (Default) = %SystemRoot%\system32\mmc.exe "%1" %*

    It changes this entry to:
    HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command
    (Default) = %windir%\Fonts\Fonts.exe

    Whenever a file with an MSC extension is run, the worm will be run.
  • HKEY_CLASSES_ROOT\regfile\shell\open\command
    (Default) = regedit.exe "%1"

    It changes this entry to:
    HKEY_CLASSES_ROOT\regfile\shell\open\command
    (Default) = %windir%\pchealth\Global.exe

    Whenever a Windows Registry file is run, the worm will be run.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 00, 00, 00, 00

    It hides the files of the operating system.
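
The registry changes listed above can be checked offline against the text of a registry export. The following Python sketch is an added example, not part of the original entry: it parses .reg export text and reports the hijacked MSC/REG open handlers, the autostart values and the ShowSuperHidden change. The function names and SAMPLE are constructed for illustration, and key names are assumed to be written without the spaces the entry shows (so "Run Once" is taken to be RunOnce).

```python
import re

# Indicators below are the ones listed in this entry; SAMPLE is constructed.
EXPECTED_OPEN = {r"hkey_classes_root\mscfile\shell\open\command": "mmc.exe",
                 r"hkey_classes_root\regfile\shell\open\command": "regedit.exe"}
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
DROPPED = (r"\fonts\fonts.exe", r"\system\keyboard.exe", r"\dllcache\default.exe")
ADVANCED = r"\currentversion\explorer\advanced"

SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command]
@="C:\\WINDOWS\\Fonts\\Fonts.exe"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sys"="C:\\WINDOWS\\Fonts\\fonts.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''

def decode(raw):
    """Decode a .reg value: quoted string, dword, or hex(2) expandable string."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\0")
    return raw

def findings(text):
    """Return (kind, key, data) for each Perwall.A-style change in export text."""
    out, key = [], ""
    text = re.sub(r"\\\r?\n\s*", "", text)            # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.+)', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif m:
            name, data = m.group(1).strip('"').lower(), decode(m.group(2))
            text_l = data.lower() if isinstance(data, str) else ""
            if name == "@" and key in EXPECTED_OPEN and EXPECTED_OPEN[key] not in text_l:
                out.append(("handler-hijack", key, data))
            elif key.endswith(RUN_KEYS) and text_l.endswith(DROPPED):
                out.append(("autostart", key, data))
            elif key.endswith(ADVANCED) and name == "showsuperhidden" and data == 0:
                out.append(("system-files-hidden", key, data))
    return out
```

Calling `findings(SAMPLE)` flags the MSC handler, the `sys` autostart value and the ShowSuperHidden setting, and leaves the intact regfile handler and the unrelated `Updater` value alone.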

Means of transmission 

Perwall.A spreads through the mapped, removable and shared drives, making copies of itself in them.

Further Details  

Perwall.A is written in Visual Basic v6. The worm is 225,280 bytes in size.

Last updated:  23/06/2009 
