Perwall.A

 
Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Perwall.A carries out the following actions:

  • When it is run, it opens the folder C:\windows\web\wallpaper, where the wallpaper images are located.
  • It creates many copies of itself in different directories of the affected computer and an AUTORUN.INF file so that whenever any of these directories is accessed, the worm is run.
  • The worm is also run whenever a file with a REG (Windows Registry file) or MSC (Microsoft Management Console file) extension is run.
  • It hides the files of the operating system.

Infection strategy 

Perwall.A creates the following files, which are copies of itself:

  • MS-DOS.COM, in the root directory of the C: drive.
  • GLOBAL.EXE, on the Desktop, in the subfolder PCHEALTH of the Windows directory and in the subfolder dllcache of the Windows system directory.
  • FONTS.EXE and TSKMGR.EXE, in the subfolder Fonts of the Windows directory.
  • MICROSOFT.HLP, in the subfolder Help of the Windows directory.
  • RNDLL32.PIF, in the subfolder Media of the Windows directory.
  • HELPHOST.COM, in the subfolder PCHEALTH\HELPCTR\binaries of the Windows directory.
  • KEYBOARD.EXE, in the subfolder system of the Windows directory.
  • REGEDIT.EXE, in the Windows system directory.
  • DEFAULT.EXE and DRIVERS.CAB.EXE, in the subfolder dllcache of the Windows system directory.

 

Additionally, it creates an AUTORUN.INF file in the C: drive and in the available mapped drives. This way, the worm is run whenever any of these drives is accessed.

 

Perwall.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    sys = %windir%\Fonts\fonts.exe

    where %windir% is the Windows directory.
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    Default = %windir%\system\KEYBOARD.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run Once
    Default = %sysdir%\dllcache\default.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, Perwall.A ensures that it is run whenever Windows is started.

 

Perwall.A modifies the following entries from the Windows Registry:

  • HKEY_CLASSES_ROOT\ MSCFile\ Shell\ Open\ Command
    (Default) = %SystemRoot%\system32\mmc.exe "%1" %*

    It changes this entry to:
    HKEY_CLASSES_ROOT\ MSCFile\ Shell\ Open\ Command
    (Default) = %windir%\Fonts\Fonts.exe

    Whenever a file with an MSC extension is run, the worm will be run.
  • HKEY_CLASSES_ROOT\ regfile\ shell\ open\ command
    (Default) = regedit.exe "%1"

    It changes this entry to:
    HKEY_CLASSES_ROOT\ regfile\ shell\ open\ command
    (Default) = %windir%\pchealth\Global.exe

    Whenever a Windows Registry file is run, the worm will be run.
  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
    ShowSuperHidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
    ShowSuperHidden = 00, 00, 00, 00

    It hides the files of the operating system.
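
The registry changes listed above can be checked mechanically. The following Python code is an added example, not part of the original entry or of Panda's tooling: it audits a registry snapshot for the Run/RunOnce values, the changed MSC and REG open commands and the ShowSuperHidden value described here. The snapshot format (a dict keyed by key path and value name), the function names and the default Windows paths are assumptions of this example; key paths are written without the spaces the page prints after each backslash.

```python
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
MSC_CMD = r"HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command"
REG_CMD = r"HKEY_CLASSES_ROOT\regfile\shell\open\command"
# Autostart values the page attributes to Perwall.A: (key, value name, data).
AUTOSTART = [
    (RUN, "sys", r"%windir%\Fonts\fonts.exe"),
    (RUN, "Default", r"%windir%\system\KEYBOARD.exe"),
    # Printed on the page as "Run Once"; the Windows key name is RunOnce.
    (RUN + "Once", "Default", r"%sysdir%\dllcache\default.exe"),
]
# Open commands before modification, as the page lists them.
HANDLERS = {
    MSC_CMD: r'%SystemRoot%\system32\mmc.exe "%1" %*',
    REG_CMD: r'regedit.exe "%1"',
}

def expand(data, windir, sysdir):
    """Lower-case a value and expand the page's placeholders to real paths."""
    out = str(data).lower()
    for var, path in (("%windir%", windir), ("%systemroot%", windir), ("%sysdir%", sysdir)):
        out = out.replace(var, path.lower())
    return out

def audit(snapshot, windir=r"C:\WINDOWS", sysdir=r"C:\WINDOWS\system32"):
    """Return (kind, key, value name, data) tuples for each indicator found."""
    # Registry key and value names are case-insensitive.
    reg = {(k.lower(), v.lower()): d for (k, v), d in snapshot.items()}
    findings = []
    for key, name, target in AUTOSTART:
        data = reg.get((key.lower(), name.lower()))
        if data is not None and expand(data, windir, sysdir) == expand(target, windir, sysdir):
            findings.append(("autostart", key, name, data))
    for key, original in HANDLERS.items():
        data = reg.get((key.lower(), "(default)"))
        if data is not None and expand(data, windir, sysdir) != expand(original, windir, sysdir):
            findings.append(("handler-changed", key, "(Default)", data))
    if reg.get((ADVANCED.lower(), "showsuperhidden")) == 0:
        findings.append(("system-files-hidden", ADVANCED, "ShowSuperHidden", 0))
    return findings

# Constructed snapshot for illustration (not captured from a real host).
SAMPLE = {
    (RUN, "sys"): r"C:\WINDOWS\Fonts\fonts.exe",
    (RUN, "ExampleUpdater"): r"C:\Program Files\Example\updater.exe",
    (MSC_CMD, "(Default)"): r"C:\WINDOWS\Fonts\Fonts.exe",
    (REG_CMD, "(Default)"): 'regedit.exe "%1"',
    (ADVANCED, "ShowSuperHidden"): 0,
}
```

A "handler-changed" finding only means the open command differs from the original the page lists; compare the reported data with the Fonts.exe and Global.exe paths above before attributing it to this worm.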

Means of transmission 

Perwall.A spreads through the mapped, removable and shared drives, making copies of itself in them.

Further Details  

Perwall.A is written in the programming language Visual Basic v6. This worm is 225,280 bytes in size.

Last updated:  29/11/2009 
