Worm:JS/Proslikefan

Classification

Malware

Worm

JS

Worm:JS/Proslikefan, Worm:JS/Proslikefan.B, Trojan.lnk.gen

Summary

Worm:JS/Proslikefan is a JavaScript worm that spreads by copying itself to removable drives and mapped network shares, as well as via file-sharing applications. On execution, it attempts to contact remote servers to download additional files onto the affected machine.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Once present on the machine, Proslikefan creates copies itself in multiple locations and creates registry keys so the copied files will execute whenever Windows starts. Some variants of this worm family may also change the shortcut files (.lnk) present on the Desktop to point to copies of the worm, as well as the original intended application or destination. When these shortcuts are clicked, the worm copy is silently executed, then the original intended application or destination is launched or opened, so that the user sees no visible sign that the shortcut has been modified.

On execution, the worm attempts to contact multiple remote locations; if successful, it downloads additional files onto the affected machine.

The worm spreads by copying itself to mapped network shares and removable drives; an autorun file is also created on each drive so that the worm is executed whenever the drive is accessed. The worm also spreads by copying itself to folders used by file-sharing applications.

Proslikefan attempts to evade detection by checking for and stopping security-related processes. The worm also checks for the presence of antivirus programs, as well as other analysis programs commonly used by malware researchers. Finally, it modifies the hostsfile to prevent access to various security-related domains, including the websites of antivirus vendors.

Date Created: 2013-07-12 10:25:00.0

Date Last Modified: 2014-01-20 10:30:00.0