Worm:JS/Proslikefan

Classification

Category: Malware

Type: Worm

Aliases: Worm:JS/Proslikefan, Worm:JS/Proslikefan.B, Trojan.lnk.gen

Summary

Worm:JS/Proslikefan is a JavaScript worm that spreads by copying itself to removable drives and mapped network shares, as well as via file-sharing applications. On execution, it attempts to contact remote servers to download additional files onto the affected machine.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Once present on the machine, Proslikefan creates copies of itself in multiple locations and creates registry keys so that the copied files execute whenever Windows starts. Some variants of this worm family may also change the shortcut files (.lnk) present on the Desktop to point to copies of the worm, as well as the original intended application or destination. When these shortcuts are clicked, the worm copy is silently executed, then the original intended application or destination is launched or opened, so that the user sees no visible sign that the shortcut has been modified.

On execution, the worm attempts to contact multiple remote locations; if successful, it downloads additional files onto the affected machine.

The worm spreads by copying itself to mapped network shares and removable drives; an autorun file is also created on each drive so that the worm is executed whenever the drive is accessed. The worm also spreads by copying itself to folders used by file-sharing applications.

Proslikefan attempts to evade detection by checking for and stopping security-related processes. The worm also checks for the presence of antivirus programs, as well as other analysis programs commonly used by malware researchers. Finally, it modifies the hosts file to prevent access to various security-related domains, including the websites of antivirus vendors.
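
The hosts file change described above can be checked for during triage. The following is an added example, not part of the original description or of any F-Secure tool: it parses hosts-file text and reports hostnames that are mapped to a loopback or unspecified address, or that fall under a caller-supplied watchlist. The sample file, its domains and the function names are constructed for illustration.

```python
import ipaddress

# Names a default hosts file legitimately maps to the local machine.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample; all domains are placeholders, not indicators from the page.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example
0.0.0.0         www.av-vendor.example support.av-vendor.example
10.0.0.5        intranet.corp.example
203.0.113.7     scan.sectools.example
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2:
            continue                               # blank, comment or malformed
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # first field is not an IP
        for name in fields[1:]:                    # one line may carry aliases
            yield line_no, addr, name.lower().rstrip(".")

def suspicious_entries(text, watch_suffixes=()):
    """Return (line_no, address, hostname, reason) for entries worth reviewing.

    'sinkholed': a non-local name resolves to loopback or 0.0.0.0 / ::.
    'watched'  : the name is under a watchlist suffix, whatever it maps to.
    """
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        if watched:
            findings.append((line_no, str(addr), name, "watched"))
        elif addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, str(addr), name, "sinkholed"))
    return findings

if __name__ == "__main__":
    # On a live Windows host the file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in suspicious_entries(SAMPLE_HOSTS, ("sectools.example",)):
        print(finding)
```

Hosts files maintained for ad blocking also sinkhole many names, so review the flagged hostnames rather than treating every hit as an infection.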