Prolin is an email worm that spreads itself using MS Outlook. The worm itself is a Windows EXE file about 37Kb long written in VisualBasic. The worm uses the standard "Melissa"-like way of spreading itself: it opens MS Outlook's address book, gets email addresses from there and sends its copies to these addresses.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The infected messages look like that:
Subject: A great Shockwave flash movie Body: Check out this new flash movie that I downloaded just now ... It's Great Bye Attachment: CREATIVE.EXE
The worm then sends a notification message to his author and informs him about another infected computer:
To:firstname.lastname@example.org Subject: Job complete Message text: Got yet another idiot
Then the worm installs itself to system. It installs itself 2 times on an infected computer. One worm's copy is dropped to root C:\ folder, another one is created in Windows \Start Menu\ folder:
C:\creative.exe C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe
The second copy is specially placed in auto-run directory, so it will be activated during every Windows session.
The worm has a dangerous payload. It scans all available disk drives, gets ZIP, MP3, and JPG files and renames them to C: drive with the name:
C:\%victimfile%change atleast now to LINUX
For example, BGAMEX.jpg and DATA.ZIP are moved to:
C:\BGAMEX.jpgchange atleast now to LINUX C:\DATA.ZIPchange atleast now to LINUX
The worm also creates a text file "messageforu.txt" in root C:\ folder writes some text to there and adds a list of renamed files to the end:
Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.jpg C:\BACKUP\DATA.ZIP
Using this list renamed files can be restored back to their origianal locations if the infected computer has not been rebooted. Otherwise the worm removes the list of the moved files from "messageforu.txt" file.
F-Secure Total is a security suite that protects all your phones and computers in real time, 24/7 and with award-winning accuracy. Read more about Total and try it free for 30 days, no credit card required.