Home > Threat descriptions >

Creative

Classification

Category: Malware

Type: -

Aliases: Prolin, Shockwave, W32/Prolin@mm, TROJ_SHOCKWAVE, TROJ_PROLIN

Summary


Prolin is an email worm that spreads itself using MS Outlook. The worm itself is a Windows EXE file about 37Kb long written in VisualBasic. The worm uses the standard "Melissa"-like way of spreading itself: it opens MS Outlook's address book, gets email addresses from there and sends its copies to these addresses.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The infected messages look like that:

Subject:

A great Shockwave flash movie
Body: Check out this new flash movie that I downloaded just
now ... It's Great Bye Attachment: CREATIVE.EXE

The worm then sends a notification message to his author and informs him about another infected computer:

To:z14xym432@yahoo.com
Subject: Job complete
Message text:
Got yet another idiot

Then the worm installs itself to system. It installs itself 2 times on an infected computer. One worm's copy is dropped to root C:\ folder, another one is created in Windows \Start Menu\ folder:

C:\creative.exe
C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe

The second copy is specially placed in auto-run directory, so it will be activated during every Windows session.

The worm has a dangerous payload. It scans all available disk drives, gets ZIP, MP3, and JPG files and renames them to C: drive with the name:

C:\%victimfile%change atleast now to LINUX

For example, BGAMEX.jpg and DATA.ZIP are moved to:

C:\BGAMEX.jpgchange atleast now to LINUX
C:\DATA.ZIPchange atleast now to LINUX

The worm also creates a text file "messageforu.txt" in root C:\ folder writes some text to there and adds a list of renamed files to the end:

Hi, guess you have got the message.
I have kept a list of files that I
have infected under this.
If you are smart enough just reverse back the
process.
i could have done far better damage, i could have even
completely wiped your harddisk.
Remember this is a warning & get it sound
and clear... - The Penguin
C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.jpg
C:\BACKUP\DATA.ZIP

Using this list renamed files can be restored back to their origianal locations if the infected computer has not been rebooted. Otherwise the worm removes the list of the moved files from "messageforu.txt" file.