Threat Description



Category: Malware
Platform: W32
Aliases: Prolin, Shockwave, W32/Prolin@mm, TROJ_SHOCKWAVE, TROJ_PROLIN


Prolin is an e-mail worm that spreads itself using MS Outlook. The worm itself is a Windows EXE file about 37Kb long, written in Visual Basic. The worm uses the standard "Melissa"-like way of spreading itself: it opens the MS Outlook address book, gets e-mail addresses from there and sends copies of itself to these addresses.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The infected messages look like this:

Subject:    A great Shockwave flash movie
Body:       Check out this new flash movie that I downloaded just now ... It's Great Bye
Attachment: CREATIVE.EXE

The worm then sends a notification message to its author, reporting another infected computer:

Subject:       Job complete
Message text:  Got yet another idiot

Then the worm installs itself on the system. It installs two copies of itself on an infected computer: one copy is dropped in the root C:\ folder, and another is created in the Windows \Start Menu\ folder:

C:\creative.exe
C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe

The second copy is deliberately placed in the auto-run directory, so it is activated during every Windows session.

The worm has a dangerous payload. It scans all available disk drives, finds ZIP, MP3, and JPG files, and moves them to the root of the C: drive under the name:

C:\%victimfile%change atleast now to LINUX  

For example, BGAMEX.jpg and DATA.ZIP are moved to:

C:\BGAMEX.jpgchange atleast now to LINUX
C:\DATA.ZIPchange atleast now to LINUX

The worm also creates a text file "messageforu.txt" in the root C:\ folder, writes some text to it, and appends a list of the renamed files:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin
C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.jpg
C:\BACKUP\DATA.ZIP

Using this list, renamed files can be restored to their original locations if the infected computer has not been rebooted. Otherwise the worm removes the list of the moved files from the "messageforu.txt" file.
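The recovery step described above can be scripted. The following is an added example, not part of the original description or any F-Secure tool: it reads the list in "messageforu.txt" and pairs each renamed file in C:\ with its original location. It assumes the list holds one original path per line after the note text; the function names and the D: entry in the sample are constructed for illustration.

```python
import re
import shutil
from collections import defaultdict
from pathlib import Path, PureWindowsPath

SUFFIX = "change atleast now to LINUX"  # text the worm appends, per the description
DROP_DIR = PureWindowsPath("C:\\")      # moved files land in the root of C:
# Assumption: one original path per line, after the note text.
ENTRY = re.compile(r"^[A-Za-z]:\\.*\.(zip|mp3|jpg)$", re.IGNORECASE)

# Constructed sample: abridged note text, the two paths quoted in the
# description, and a made-up D: entry to show a name collision.
SAMPLE = r"""Hi, guess you have got the message.
C:\WINDOWS\SYSTEM\OOBE\IMAGEX\BGAMEX.jpg
C:\BACKUP\DATA.ZIP
D:\OLD\DATA.ZIP
"""

def plan_restores(note_text):
    """Return (moves, ambiguous), both keyed by the renamed path in C:\\."""
    grouped = defaultdict(list)
    for line in map(str.strip, note_text.splitlines()):
        if ENTRY.match(line):
            original = PureWindowsPath(line)
            renamed = str(DROP_DIR / (original.name + SUFFIX))
            grouped[renamed.lower()].append((renamed, line))
    moves, ambiguous = {}, {}
    for entries in grouped.values():
        renamed, originals = entries[0][0], [orig for _, orig in entries]
        if len(originals) == 1:
            moves[renamed] = originals[0]
        else:  # same file name listed twice: needs a manual decision
            ambiguous[renamed] = originals
    return moves, ambiguous

def apply_plan(moves, dry_run=True):
    """Move files back on the affected Windows host; never overwrite."""
    done = []
    for renamed, original in moves.items():
        if not Path(renamed).is_file() or Path(original).exists():
            continue
        if not dry_run:
            Path(original).parent.mkdir(parents=True, exist_ok=True)
            shutil.move(renamed, original)
        done.append((renamed, original))
    return done
```

Because the moved files keep only their file name, two originals with the same name map to one file in C:\; those entries are returned separately rather than restored automatically.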

Technical Details: Kaspersky Labs, F-Secure Corporation; December 2000

