Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Prolin

Win32/Prolin is an Internet worm written in Visual Basic.  It spreads as an email file attachment in the program Microsoft Outlook.  It arrives in an email with the subject "A great shockwave flash movie" containing a file attachment with the name "creative.exe". I n the message body the following text can be found:

Check out this new flash movie that I downloaded just now ... It's Great

Bye

After the file in the attachment is executed the worm sends its copy to all addresses from the Outlook addresses book.  It creates its copy in the directory C:\WINDOWS\StartMenu\Programs\StartUp\ - the file creative.exe.  This will, provided that during the original  installation of the Windows operating system the installation directory was not changed to a different path than the default, ensure activation of the worm at each start of the system.  After sending out its copies it sends a message with the subject Job complete and with the following text to the address z14xym432@yahoo.com:

Got yet another idiot

An unpleasant result of "creative.exe"'s activation is that all files with extensions .jpg, .zip and .mp3 are moved into the root directory of drive C:.  The worm adds the text "change atleast now to LINUX" to their original names.  The change is done by the following scheme:

Picture.jpg ------> Picture.jpgchange atleast now to LINUX
Picture.zip ------> Picture.zipchange atleast now to LINUX
Music.mp3 ------> Music.mp3change atleast now to LINUX

At the end of its execution the worm creates, the file messageforu.txt in the root directory of drive C:  containing the following text:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

Right below this text there is a list of files including their original location.  These are the files which the worm moved to the root directory of the disk C and added to them another extension. With the help of this list consequences of the infection can be removed also manually.  The list looks, for example, as follows:

C:\WINDOWS\SYSTEM\OOBE\IMAGES\BGAMEX.JPG
C:\WINDOWS\SYSTEM\OOBE\IMAGES\BGCC.JPG

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.