Anti-Worm.Palevo can remove Worm.P2P.Palevo.DP
Worm.P2P.Palevo.DP spreads via automated IM spam. The message tricks the user into saving what appears to be
a .JPG file, which is in fact an executable concealing the malicious payload, Worm.P2P.Palevo.DP.
When the user tries to open the file, the malicious code is launched.
The worm creates four hidden files in the Windows folder:
%Windir%\infocard.exe
%Windir%\mds.sys
%Windir%\mdt.sys
%Windir%\winbrd.jpg
It then adds a value named "Firewall Administrating" to the following registry Run keys, pointing to infocard.exe so that the worm is launched at every logon, in order to bypass the OS's firewall:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"]
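The following PowerShell check is an added example for this page, not the Anti-Worm.Palevo tool or any code from the original description. It reports the four dropped files and the three Run values listed above so that an administrator can confirm an infection before cleaning it. It assumes %Windir% is available as $env:WINDIR, that the script runs from an elevated prompt (needed to read the HKLM keys and hidden files), and that the file and value names are exactly as given above.

```powershell
# Added example: detection check for the Worm.P2P.Palevo.DP indicators described above.
# Assumes an elevated PowerShell session on the host being examined.
$windir = $env:WINDIR

# Files the worm drops into the Windows folder (hidden attribute set).
$fileIocs = @('infocard.exe', 'mds.sys', 'mdt.sys', 'winbrd.jpg') |
    ForEach-Object { Join-Path $windir $_ }

# Run keys the worm writes its persistence value into.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'Firewall Administrating'

function Get-PalevoFileIndicators {
    foreach ($path in $fileIocs) {
        # -Force is required so hidden files are returned.
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Type   = 'File'
                Path   = $path
                Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-PalevoRunIndicators {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $entry = $props.PSObject.Properties[$valueName]
        if ($entry) {
            [pscustomobject]@{
                Type  = 'Registry'
                Path  = "$key\$valueName"
                Value = $entry.Value
            }
        }
    }
}

$findings = @(Get-PalevoFileIndicators) + @(Get-PalevoRunIndicators)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or management agent can flag the host
} else {
    Write-Output 'No Worm.P2P.Palevo.DP indicators found.'
}
```

The registry check keys on the value name rather than the target path, because the name "Firewall Administrating" is the worm's disguise and is the stable part of the indicator; the recorded SHA256 of any file found can be compared against a vendor's published hash before the file is removed.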