
W32/Autorun.worm.c

Type
Virus
SubType
Worm
Discovery Date
06/14/2007
Length
Varies
Minimum DAT
5053 (06/14/2007)
Updated DAT
6545 (11/29/2011)
Minimum Engine
5.4.00
Description Added
06/14/2007
Description Modified
06/28/2011 7:42 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

--  Updated on June 28, 2011 ----------

File Information –

    • MD5 - b63e4faa54539c89186fab5762063025
    • SHA1 - 11dff2955414926a5f1deb8f3e742b11d8e292bd

Aliases –

    • F-Secure - Win32.Worm.Rimecud.AZ
    • Kaspersky - Worm.Win32.AutoRun.card
    • Microsoft - Worm:Win32/Verst.B
    • Symantec - W32.Pilleuz!gen25

"W32/Autorun.worm.c" is a worm that spreads via network drives and downloads additional malicious files from a remote server. It may also attempt to steal sensitive information such as passwords.

This worm has been distributed as a file that uses the Windows Explorer file icon. Upon execution, the worm opens an Explorer window to mask its activity from the user.

The worm has autorun capabilities: the executable can be dropped into the root of network or removable drives together with an autorun.inf file that launches it.

Upon execution, the worm copies itself to the following locations and connects to the IP address 83.229.[removed] on remote port 80 to download other malicious files:

    • %AllUsersProfile%\Application Data\Acdelco-Local.exe [hidden] [Detected as W32/Autorun.worm.c]
    • %AllUsersProfile%\Application Data\sdata.dll [Detected as Downloader-CML]
    • %AllUsersProfile%\Application Data\set.dat
    • %AllUsersProfile%\Application Data\task.dat

It also connects to the following sites:

    • hxxp://vest[removed].freehostia.com
    • hxxp://psyn[removed].dk/data
    • hxxp://ku[removed].ru/data
    • hxxp://s-[removed].ru/data
    • hxxp://ed[removed].ru/data

The worm contacts the following domains to download files that contain configuration information:

    • freehostia.com
    • 110mb.com
    • x10hosting.com
    • awardspace.com
    • exofire.net
    • hostei.com
    • orgfree.com
    • h18.ru
    • eu.pn

This configuration file contains attacker-specified locations from which the worm is directed to download and execute arbitrary files.

The dropped DLL hooks the following native system APIs, redirecting them to its own code so that its files, processes and process handles are hidden from the infected user (ZwQueryDirectoryFile filters directory listings, ZwQuerySystemInformation filters process enumeration, ZwOpenProcess blocks attempts to open its process):

    • ZwQueryDirectoryFile
    • ZwQuerySystemInformation
    • ZwOpenProcess

The following registry key has been added:

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\MSrtn

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      Srtserv = "%AllUsersProfile%\Application Data\Acdelco-Local.exe"

The above Run entry ensures that the worm executes every time Windows starts.

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\MSrtn\
      value1 = "Acdelco-Local.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\MSrtn\
      value2 = 0x00000E08

It creates the following mutex to ensure that only one instance of the worm runs at a time:

    •  YCS0mRtQ316

The following hidden folder has been added to the system:

    • %UserProfile%\Desktop\Acdelco-Local

After execution, the original worm file is deleted from the system.

[Note: %AllUsersProfile% - C:\Documents and Settings\All Users,
%UserProfile% - C:\Documents and Settings\[User Name]]

--------

--Updated on June 09, 2011 ----------

File Information

  • MD5  -  0C3E086CC46D73CDE78811F85DA77E24
  • SHA  - BFEF2DD67A1D466949C35C5FBF72DACB84EEACDC

Aliases

  • Kaspersky   - Worm.Win32.VB.abk
  • NOD32         - Win32/AutoRun.VB.SA
  • TrendMicro - WORM_PALEVO.SML
  • Microsoft   - Worm:Win32/Autorun.LD

Upon execution the worm copies itself to the following locations:

  • %Windir%\inf\ssvhost.exe
  • [Removable Drive]:\ssvhost.exe

and drops the following file:

  • [Removable Drive]:\autorun.inf

The autorun.inf is dropped into the root of all removable and mapped drives so that the executable is launched automatically when the drive is accessed.

The autorun.inf points to the malware executable; when the removable or network drive is accessed from a machine that has AutoRun enabled, the malware is launched automatically.

The autorun.inf is configured to launch the worm with the following directives (note the digit zero in "0pen", which registers a verb that looks like the legitimate Open action and is then made the default):

  • [AutoRun]
  • open=ssvhost.exe
  • shellexecute = ssvhost.exe
  • shell\0pen\command=ssvhost.exe
  • shell=0pen

It uses the Windows folder icon to trick users into opening it, which executes the worm.

When such a file is opened, the worm executes in the background and at the same time opens the corresponding original folder, so the user sees what they expected.

The following registry keys have been added to the system:

  • HKEY_USERS\S-1-(Varies)\Software\Microsoft\Internet Explorer\Toolbar\Explorer
  • HKEY_USERS\S-1-(Varies)\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

The following registry value has been added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "SystemHealth" = "%Windir%\inf\ssvhost.exe"

The above Run entry ensures that the malware executes on every boot.

[%Windir% is C:\WINDOWS\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]

-------------------------------------------------------------------------------------------------------

-----------------Update: March 08, 2011------------------------------

File Information

  • MD5 - 0394E365287928314975D0DA9FF5D4A9
  • SHA1 - 2339EB886AE78D050B3D6B9B36B93DEA0E56CAF4

Aliases

  • Kaspersky - Worm.Win32.Agent.abf
  • Microsoft - Worm:Win32/Autorun.WW
  • NOD32     - Win32/AutoRun.Agent.VV
  • Norman   - W32/Obfuscated.H3!genr

Upon execution the worm copies itself to the following locations:

  • %WinDir%\system32\framebufb.exe
  • %Systemdrive%\Nueva_carpetaa.exe

The following registry keys have been added to the system:

  • HKEY_USERS\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_USERS\S-1-5[varies]\Software\Policies\Microsoft\Internet Explorer\Control Panel
  • HKEY_USERS\S-1-5[varies]\Software\Win Album


The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    WindowsCMD = "%WinDir%\System32\framebufb.exe" primary
    (the quoted path is followed by the command-line argument "primary")
  • [HKEY_USERS\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableTaskMgr = 0x00000001
    DisableRegistryTools = 0x00000001
  • [HKEY_USERS\S-1-5[varies]\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    Homepage = 0x00000001
  • [HKEY_USERS\S-1-5[varies]\Software\Win Album]
    value = "framebufb"

The following registry values have been modified:


[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) and %SystemDrive%\ is C:\]

-----------------------------------------------------------------

-------Update: February 11, 2011-------------------

Some newer variants spread by copying themselves to removable drives and shared drives
using the following file structure:

X:\Early\life\DesKTop.ini
X:\Early\life\UpDaTe.exe

where X is the drive letter.

The autorun.inf file contains the following comment line:

;Starting at age 14 he became a great fan of The Beatles.

This worm will also try to connect to the following websites:

  • acc53v3n.selfip.biz
  • accf1v3.servebbs.com
  • acc7w0.podzone.org

-------Update: September 10, 2010-------------------

File Information

  • MD5: EF7EC8B8C997973FA0C57E0BA6EB5AD0
  • SHA: D89F289F802348774C9AD456BA5A1F3B982DA0FC

Aliases

  • Microsoft: Worm:Win32/VB.FT
  • Avira: Worm/VB.atg
  • Kaspersky: Virus.Win32.Folcom.b

Characteristics -

"W32/Autorun.worm.c" is a worm written in Visual Basic that may propagate via removable drives or network shares.

Upon execution the Worm copies itself into the following locations:

  • %SYSTEMDRIVE%\fun.xls.exe
  • %ProgramFiles%\EXPLORER.EXE

It also drops the following file:

  • %SYSTEMDRIVE%\Autorun.inf

The autorun.inf points to the malware executable. When the removable or network drive is accessed from a machine that has AutoRun enabled, the malware is launched automatically.

The worm also copies itself under the names of existing folders, with an .exe extension, and sets the hidden attribute on the original folders:

  • %SYSTEMDRIVE%\Documents and Settings.exe
  • %SYSTEMDRIVE%\Program Files.exe
  • %SYSTEMDRIVE%\WINDOWS.exe

When one of these files is opened, the worm executes in the background and at the same time opens the corresponding original folder, so the user sees what they expected.

The following registry keys have been added to the system:

  • HKEY_USERS\S-1-(Varies)\Software\VB and VBA Program Settings\ShitMaker
  • HKEY_USERS\S-1-(Varies)\Software\VB and VBA Program Settings\ShitMaker\Info

The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
    NeverShowExt = ""

The above entry hides the .exe extension of executables in Explorer regardless of the "Hide extensions for known file types" setting, so "Program Files.exe" is displayed as "Program Files".

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    FolderRaper ="%SystemDrive%\XXX.exe"

[Note: Where XXX is an existing folder name in C:\ Drive]

The above Run entry ensures that the worm executes on every system boot.

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableRegistryTools ="0x00000001"
    DisableTaskMgr ="0x00000001"

The above entries disable Task Manager and the Registry Editor.

  • [HKEY_USERS\S-1-5-(Varies)\Software\VB and VBA Program Settings\ShitMaker\Info\]
    ActivedEXE= "%ProgramFiles%\EXPLORER.exe"
  • [HKEY_USERS\S-1-5-(Varies)\Software\VB and VBA Program Settings\ShitMaker\Info\]
    LastStartTime= "09-09-2010 5:53:53 PM"

The worm records the date and time of its last execution and reverts any changes the user makes to its registry entries, restoring the values it originally set.

The worm may flash a window (FlashWindow) showing the following messages:

  • yourbossishere!
  • notimeforfun!
  • showmeyourbody!
  • whatisyou?
  • whoisyourmaster?

The worm gives the attacker control over the system and performs its backdoor activity in response to the following commands:

  • SilencePassword
  • ChangeFolder
  • StopPassword
  • SuperGlasses
  • BrokeGlasses

[Note: %SystemDrive% is the drive where Windows is installed (C: on most computers), %ProgramFiles% is C:\Program Files.]

-------Update: September 1, 2010-------------------

File Information

  • MD5  -  96CB01A57179810808085155EFB44395
  • SHA  - 6EB326C2929CE4849927530C53C6A22EA2CBB126

Aliases

  • Kaspersky - Worm.Win32.AutoRun.gvy
  • NOD32    - a variant of Win32/AutoRun.Agent.UI
  • Ikarus       - Worm.Win32.AutoRun
  • Microsoft - Worm:Win32/Hilgild!gen.A

Upon execution the worm copies itself to the following locations:

  • %Appdata%\wmimgmt.exe [Detected as Generic.dx!tqh]
  • [Removable Drive]:\RECYCLER\wmimgmt.exe [Hidden] [Detected as Generic.dx!tqh]

It also drops the following files:

  • %Temp%\ifd10.tmp
  • %Temp%\54B65DC7.db
  • %Temp%\tmp~ghi.log
  • %Userprofile%\DRM\Media\54B65DC7.db
  • [Removable Drive]:\AuToRUn.iNf [Hidden]
  • [Removable Drive]:\RECYCLER\desktop.ini

The worm also attempts to create an autorun.inf file in the root of any accessible disk volume.

The autorun.inf points to the malware executable. When the removable or network drive is accessed from a machine that has AutoRun enabled, the malware is launched automatically.

The worm also copies itself under the names of existing folders and sets the hidden attribute on the original folders in order to hide them.

The newly created files look like folders, so when one is opened the worm executes in the background and at the same time opens the corresponding original folder, so the user sees what they expected.

The following registry key has been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent

The following registry value has been added

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt: ""

The above entry hides the .exe extension of executables in Explorer regardless of the "Hide extensions for known file types" setting.

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "wmi32" = "%Appdata%\wmimgmt.exe"

The above Run entry ensures that the worm executes on every system boot.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\]
    TrapPollTimeMilliSecs: 0x00003A98

The following registry values have been modified.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\]
    "UncheckedValue" = "0x00000000"
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "SuperHidden" = "0x00000000"
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "ShowSuperHidden" = "0x00000000"

The above entries prevent the user from viewing hidden and protected operating system files and folders in Explorer. Note that the Folder\SuperHidden\UncheckedValue change rewrites the Folder Options dialog itself: unticking "Hide protected operating system files" now writes 0 back into ShowSuperHidden, so the files stay hidden.

[%UserProfile% is C:\Documents and Settings\Administrator\, %Appdata% is the Application Data folder, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]

----------------------------------------------------

-------Update: August 21, 2010-------------------

File Information

  • MD5  : 1B1192D4C84DABB0E1E01DC4D06B013A
  • SHA  : 6E569AE7698DA62C5B0466C9D16CC57E666F7C8C

Aliases

  • AVG: Worm/VB.BDBS
  • Symantec: W32.Changeup!gen6
  • NOD32: Win32/AutoRun.VB.SL

"W32/Autorun.worm.c" is a worm that may propagate via removable drives or network shares. It is also designed to download malicious files from websites controlled by the malware author.

When executed, the worm connects to the following hosts to download malicious files from the remote server:

  • ns1.vi[removed]hares.com using remote port 8000
  • ns1.pla[removed]523.com using remote port 8000

It also connects to the following sites on remote port 80:

  • ns1.vi[removed]res.com
  • 78.[removed].122
  • 109.[removed].42
  • 78.[removed].122
  • http://www.vide[removed]net/?media=u7xrTq&embedded=false

The following files have been added to the system:

  • %Temp%\4.tmp [Found to be Trojan]
  • %Temp%\6.tmp [Found to be Trojan]
  • %userprofile%\piufoij.exe [Found to be Worm]
  • %userprofile%\vpnmon\vpnmon.exe [Found to be Trojan]
  • [Removable Drive]:\autorun.inf [Found to be Worm]
  • [Removable Drive]:\naufe.exe [Found to be Worm]
  • [Removable Drive]:\naufex.exe [Found to be Worm]
  • [Removable Drive]:\piufoij.exe [Found to be Worm]

The autorun.inf points to the malware executable. When the removable or network drive is accessed from a machine that has AutoRun enabled, the malware is launched automatically. This variant's autorun.inf uses mixed-case directives (Windows parses them case-insensitively, so they still work, but naive case-sensitive signatures miss them), the "Open folder to view files" action text and the shell32.dll folder icon, so the AutoPlay prompt looks like the normal option for browsing the drive:

  • [auTOrUn]
  • acTion=Open folder to view files
  • ShELlExeCUTe=nAuFE.exE
  • ICON=%syStEMROoT%\SYSTEM32\shEll32.dlL,4
  • USEaUtoplAY=1
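Both autorun.inf samples on this page (the shell\0pen\command / shell=0pen file from the June 09, 2011 update and the mixed-case file above) can be checked with one parser. The following Python is an added example written for this description, not McAfee's code: it reproduces the two quoted files plus a hypothetical benign one as constructed samples, parses them the case-insensitive way Windows does, and flags the executing directives, the look-alike verb, the AutoPlay "Open folder to view files" text and the borrowed folder icon. The look-alike digit table and the benign sample are assumptions, not taken from the page.

```python
"""Parse autorun.inf the way Windows does (section and key names are
case-insensitive) and flag the directives the updates on this page abuse.

Added example for this description, not McAfee's code. The samples are
constructed: the first two reproduce the directives quoted in the June 09, 2011
and August 21, 2010 updates, the third is a hypothetical benign file.
"""
import re
from typing import Dict, List

SAMPLE_PLAIN = r"""[AutoRun]
open=ssvhost.exe
shellexecute = ssvhost.exe
shell\0pen\command=ssvhost.exe
shell=0pen
"""

SAMPLE_MIXED = r"""[auTOrUn]
acTion=Open folder to view files
ShELlExeCUTe=nAuFE.exE
ICON=%syStEMROoT%\SYSTEM32\shEll32.dlL,4
USEaUtoplAY=1
"""

SAMPLE_BENIGN = r"""[AutoRun]
icon=setup.ico
label=Vendor Media
"""

# Keys whose value Windows executes when the drive is opened.
EXEC_KEYS = ("open", "shellexecute")
# Digits used as look-alikes so that "0pen" reads as "Open" (assumed table).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# shell32.dll icons 3 and 4 are the closed and open folder icons.
FOLDER_ICON = re.compile(r"shell32\.dll,\s*[34]$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the directives of the [autorun] section with lower-cased keys.

    Comments (';') are dropped, whitespace around '=' is ignored and matching
    is case-insensitive, mirroring the Windows INI reader, so the mixed-case
    variant parses exactly like the plain one.
    """
    section, directives = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def analyze_autorun(text: str) -> List[str]:
    """Return human-readable findings for one autorun.inf (empty if benign)."""
    d = parse_autorun(text)
    findings = []
    for key in EXEC_KEYS:
        if key in d:
            findings.append(f"{key} launches {d[key]}")
    # shell\<verb>\command=... registers a context-menu verb; shell=<verb>
    # makes that verb the default double-click action.
    verbs = {}
    for key, value in d.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verbs[parts[1]] = value
    for verb, command in verbs.items():
        plain = verb.translate(LOOKALIKES)
        if plain != verb and plain in ("open", "explore"):
            findings.append(f"verb '{verb}' impersonates '{plain}' and runs {command}")
        else:
            findings.append(f"custom verb '{verb}' runs {command}")
    default = d.get("shell", "").lower()
    if default in verbs:
        findings.append(f"default action redirected to verb '{default}'")
    if d.get("action", "").lower() == "open folder to view files":
        findings.append("action text mimics the AutoPlay 'Open folder to view files' choice")
    if FOLDER_ICON.search(d.get("icon", "")):
        findings.append("icon borrows the Windows folder icon from shell32.dll")
    return findings


if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("mixed-case", SAMPLE_MIXED),
                         ("benign", SAMPLE_BENIGN)):
        print(f"{name}: {analyze_autorun(sample) or ['no findings']}")
```

Run it as a script to see the findings for each sample, or pass the text of an autorun.inf lifted from a drive to analyze_autorun(). Since Microsoft's update KB971029 (offered through Windows Update in 2011), Windows no longer honours autorun.inf on USB and other non-optical media, which removes the automatic launch but not the folder-icon disguise these variants also use.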

The downloaded file also copies itself under the names of existing folders and sets the hidden attribute on the original folders in order to hide them.

The newly created files look like folders, so when one is opened the worm executes in the background and at the same time opens the corresponding original folder, so the user sees what they expected.

The worm also creates the following folder-like links on removable media:

  • Music
  • Video
  • Documents
  • Pictures

When any of these links is opened, the worm executes.

The following registry values have been added to the system:

  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "Toahea" = "%userprofile%\toahea.exe /W"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "piufoij" = "%userprofile%\piufoij.exe /Q"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    "vpnmon" = "%userprofile%\vpnmon\vpnmon.exe"

The above Run entries ensure that the malware executes at Windows startup.

  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    Maxhttpredirects="0x000022B8"
    enablehttp1_1=" 0x00000001"
    ProxyEnable="0x00000000"

The worm also propagates through the following IM and social networking services:

  • facebook.com
  • twitter.com
  • YahooMessenger
  • msnmsgr

The following files are downloaded from the remote server and cause a denial of service (DoS) condition, denying the user normal system activity.

  • %ProgramFiles%\eMule\Incoming\00001111ytytytytytytryt.wma
  • %ProgramFiles%\eMule\Incoming\M-Phazes-Good Gracious(2010).wma
  • %ProgramFiles%\eMule\Incoming\M-Project - Makina Progression 2 (2010).wma
  • %ProgramFiles%\eMule\Incoming\M-Swift presents 24 Carat-Blue In Black.wma
  • %ProgramFiles%\eMule\Incoming\Monica Mancini - The Dreams of Johnny Mercer.wma
  • %ProgramFiles%\eMule\Incoming\Monica Still Standing 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monica-Still Standing-2010.wma
  • %ProgramFiles%\eMule\Incoming\MonicaStill Standing 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monique - Wenn Schweigen Spricht.wma
  • %ProgramFiles%\eMule\Incoming\Monk - The Men Who Sleeps On His Brea (2008).wma
  • %ProgramFiles%\eMule\Incoming\Monkey Business And Danny Suko - How Will I Know (godlike Music Port remix).wma
  • %ProgramFiles%\eMule\Incoming\Monkey Business And Danny Suko - How Will I Know godlike Music Port remix.wma
  • %ProgramFiles%\eMule\Incoming\Monkeyfunk Feat. Eva My Way House (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monkeyfunk Feat. Eva My Way House 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monkeysteak - Lighthouse Dub (2006).wma
  • %ProgramFiles%\eMule\Incoming\Mono No Aware - Forms of Hands 10 (2010).wma
  • %ProgramFiles%\eMule\Incoming\Mono-Holy_Ground-NYC_Live_With_The_Wordless_Music_Orchestra-DVD-Bonus_Track-2010-hXc.wma
  • %ProgramFiles%\eMule\Incoming\Monobox Realm House (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monobox Realm House 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour Album (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour Album 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat. Paola - The Album 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monokino - Human Error (2009).wma
  • %ProgramFiles%\eMule\Incoming\MonokleGalun - In Frame (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monokreck_Aka_the_Scarfraver_-_Live_at_XT3_Techno_Radio_2nd_.wma
  • %ProgramFiles%\eMule\Incoming\Monolith Of Doom - Devastation Panorama (2009).wma
  • %ProgramFiles%\eMule\Incoming\Monolith Of Doom Devastation Panorama Electronic.wma
  • %ProgramFiles%\eMule\Incoming\MonolythCobalt Rives Ambient (2010).wma
  • %ProgramFiles%\eMule\Incoming\MonolythCobalt Rives Ambient 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monomate - Grand Battle 2010.wma
  • %ProgramFiles%\eMule\Incoming\MonoNikitaman - Das Alles (2008).wma
  • %ProgramFiles%\eMule\Incoming\MonoPoly - The George Machine EP Vinyl (2009).wma
  • %ProgramFiles%\eMule\Incoming\Monostrip - Like A Drug (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose - Ladylike (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose - Ladylike 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monrose Ladylike Pop (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose Ladylike Pop 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monrose Like A Lady Pop (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose Like A Lady Pop 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monstar - Usher (Raymond v Raymond).wma
  • %ProgramFiles%\eMule\Incoming\Monster - Lady GaGa (The Fame Monster (Deluxe Version)).wma
  • %ProgramFiles%\eMule\Incoming\Monster - Lady GaGa (The Fame Monster).wma
  • %ProgramFiles%\eMule\Incoming\Monster Magnet - Powertrip.wma
  • %ProgramFiles%\eMule\Incoming\Monster Movie - Everyone Is a Ghost (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monster Movie - Everyone Is A Ghost 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monster Tunes Winter Collection 01 (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monsters - Various Artists (The Twilight Saga New Moon (Deluxe Version) [Original Motion Picture Soundtrack]).wma
  • %ProgramFiles%\eMule\Incoming\Monsters Of Folk - Monsters Of Folk 2009.wma
  • %ProgramFiles%\eMule\Incoming\Monsters Of Folk Monsters Of Folk(2009).wma
  • %ProgramFiles%\eMule\Incoming\Montag - Explorer's Club 5. Berlin-Sto (2010).wma
  • %ProgramFiles%\eMule\Incoming\Montana Movie (Track List).wma
  • %ProgramFiles%\eMule\Incoming\Monte La Rue - The End Of The Rainbow.wma
  • %ProgramFiles%\eMule\Incoming\Monte Montgomery - T-Bones BarGrill, Denison, TX (2010).wma
  • %ProgramFiles%\eMule\Incoming\Montgomery - Stromboli (2009).wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - My Town (2002).wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - Something to be proud Of (2005.wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - Something to be proud Of 2005.wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - TattoosScars (1999).wma
  • %ProgramFiles%\eMule\Incoming\Month of May - Arcade Fire (The Suburbs).wma
  • %ProgramFiles%\eMule\Incoming\Montrose - Montrose 1973.wma
  • %ProgramFiles%\eMule\Incoming\Monzano - By This Time Last Year Everything Will Seem Younger 2010.wma
  • %ProgramFiles%\eMule\Incoming\Moodorama - Listen (2003).wma
  • %ProgramFiles%\eMule\Incoming\Moodorama - Listen 2003.wma
  • %ProgramFiles%\eMule\Incoming\Moodswing Identity Crisis Hip-Hop 2002.wma
  • %ProgramFiles%\eMule\Incoming\Moody - Music People - the Dancer (Vin (2009).wma
  • %ProgramFiles%\eMule\Incoming\Moodymanc Gretsch Ep House (2010).wma
  • %ProgramFiles%\eMule\Incoming\Moodymanc Gretsch Ep House 2010.wma
  • %ProgramFiles%\eMule\Incoming\Moon DevilS Return Black Metal 2010.wma

The following folders have been added to the system.

  • %userprofile%\vpnmon
  • %ProgramFiles%\eMule
  • %ProgramFiles%\eMule\Incoming

[Where %Temp% is the Temp Directory, %userprofile% - C:\Documents and Settings\[UserName], %ProgramFiles% - C:\Program Files ]

Symptoms

  • Presence of above mentioned files, registry entries and activities.
  • Presence of unexpected connection to the above mentioned sites.

 -------Update : July 16, 2010-----------------------

File Information

  • MD5  -  2F3FB561A85EE31EEF9E3E2868B78A15 
  • SHA  - 82CDC87C6294B97970ECBCCF64BA03616C6DE45D

Aliases

  • NOD32         - Win32/Agent.NEC
  • Microsoft       - Trojan:Win32/Folstart.A
  • Ikarus            - Trojan.Win32.Agent2
  • Kaspersky     - Trojan.Win32.Agent2.ldt

When executed, the worm copies itself to the following locations:

  • %USERPROFILE%\Local Settings\Application Data\Start\update.exe [Detected as W32/Autorun.worm!kc]
  • [Removable Drive]:\[Random Name].exe [Detected as W32/Autorun.worm!kc]

The worm copies itself to the root of every removable drive under the names of the folders already present on that drive.

The following folders have been added into the system:

  • [Removable Drive]:\Usb 2.0 Driver\ S-1-5-31-1286970278978-5713669491-166975984-320\dmc
  • [Removable Drive]:\Usb 2.0 Driver\ S-1-5-31-1286970278978-5713669491-166975984-320\tlsr

The above mentioned folders are hidden folders created by the worm.

The following registry value has been added.

It redirects the user's Startup folder to the worm's own directory, so every executable placed there (including update.exe) runs at each Windows logon:

  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\]
    "Startup" = "%UserProfile%\Local Settings\Application Data\Start"

The following registry values have been modified.

  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    Hidden = 0x00000002
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    ShowSuperHidden = 0x00000000

The above entries prevent the user from viewing hidden files and folders and protected operating system files in Explorer.

  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    HideFileExt = 0x00000001

The above entry hides the extensions of known file types, so the worm's copies named after folders are displayed without their .exe suffix.

The following Mutex object has been created to ensure only one instance of the worm is running at a time.

  • LDLLMAIN

Note:-

[%UserProfile% is c:\Documents and Settings\Administrator\]

 

----------------------Update : June 30, 2010-----------------------

File Information:

  • MD5 - E23CDAFC14DDC945FBFDC25D97DAB934

When executed, the worm copies itself to the following locations:

  • %WinDir%\h2s.exe
  • %WinDir%\nacl.exe
  • %WinDir%\userinit.exe
  • %WinDir%\SYSTEM\lsass.exe

It modifies the hosts file located at:

  • %WinDir%\System32\drivers\etc\hosts (Detected as QHosts-24)

The worm creates a Run entry for one of its copies:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "pikachu" = "C:\WINDOWS\nacl.exe"

The following registry values have been modified:

  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "Hidden" = "0x00000002"
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "HideFileExt" = "0x00000001"
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "SuperHidden" = "0x00000000"
  • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "ShowSuperHidden" = "0x00000000"

The above entries hide file extensions and prevent the user from viewing hidden files and folders.

It disables Task Manager and the command prompt.

The worm connects to the following domains:

  • cmdcmd[removed].php0h.com
  • web[removed].com

-------Update : June 28, 2010-----------------------

File Information

  • MD5  -  0897569F060F311E3A583AB790E46CC5
  • SHA  - 78CE615C24026024A2A288FBDFBE001D998B53D6

Aliases

  • Ikarus            - Virus.Win32.Agent.SIM
  • Kaspersky     - Trojan-Downloader.Win32.Losabel.zo
  • Microsoft       - Worm:Win32/Autorun.DN
  • NOD32         - a variant of Win32/AutoRun.ED

When executed, the Worm copies itself into the following locations:

  • %WinDir%\system32\dream.exe [Hidden] [Detected as W32/Autorun.worm.n]
  • %SystemDrive%\sbl.exe [Hidden] [Detected as W32/Autorun.worm.n]

It also drops the following files:

  • %SystemDrive%\autorun.inf [Hidden] [Detected as Generic!atr]
  • %WinDir%\system32\1.inf [Hidden] [Detected as Generic!atr]
  • %WinDir%\system32\plmmsbl.dll [Non malicious file which is a copy of urlmon.dll]

It drops the autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The autorun.inf points to the malware executable. When the removable or network drive is accessed from a machine that has AutoRun enabled, the malware is launched automatically.

The following registry values have been added to the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\]
    "melove" = "%WinDir%\System32\dream.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\]
    "dream" = "%WinDir%\System32\dream.exe"

The above entries register the worm with the compromised system so that it executes on every boot. Note that this is the Group Policy run key (Policies\Explorer\Run), a less commonly inspected persistence location than the standard Run key.

Once the system is compromised, the worm looks for processes belonging to the following security software and terminates them:

  • 360tray
  • 360safe
  • Kaspersky
  • Nod32

The worm downloads other malicious files from the following site.

  • http://sae123.[removed].com/1/home1.html

The worm also runs the following command to stop the Windows Firewall/Internet Connection Sharing (SharedAccess) service, disabling the firewall:

  • cmd.exe /c net stop sharedaccess

The worm creates the following mutex to ensure that only one instance runs on a computer at any time:

  • mylovegirlsbl

[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) and %SystemDrive%\ is c:\]

-----------------------------------------Update : May 19, 2010---------------------------------------------------

File Information

    • MD5 - 8F0D1AA84866DC4EFAE80F4798E7D1ED
    • SHA - E02AA615982C9A9739688051EFB92A4C12D668D5

Aliases

    • Symantec - w32.SillyFDC
    • Microsoft - Worm:Win32/Autorun.WT
    • Ikarus - Worm.Win32.AutoRun

This Worm spreads by copying itself into any removable media connected to the system and creates an "autorun.inf" file to execute itself whenever the device is connected to another system.

When executed, the worm copies itself to the following locations:

    • %SystemDrive%\RECYCLER\X-1-(Varies)\WinSysApp.exe (Hidden)
    • %SystemDrive% \Program Files\Windows Common Files\Commgr.exe (Hidden)
    • %SystemDrive% \Program Files\Windows Alerter\WinAlert.exe (Hidden)

Note: the "Program Files" folder above is a hidden folder created by the worm. Its name includes an extra space, which distinguishes it from the real "Program Files" folder while looking identical at a glance.

The following registry values have been added to the system

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
      "WindowMessenger" = "%SystemDrive% \RECYCLER\X-1-(Varies)\WinSysApp.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Alerter" = "%SystemDrive% \Program Files\Windows Alerter\WinAlert.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Common Files Manager" = "%SystemDrive% \Program Files\Windows Common Files\Commgr.exe"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      "WindowMessenger" = "%SystemDrive% \RECYCLER\X-1-(Varies)\WinSysApp.exe"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Alerter" = "%SystemDrive% \Program Files\Windows Alerter\WinAlert.exe"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Common Files Manager" = "%SystemDrive%\Program Files\Windows Common Files\Commgr.exe"

The above Run entries ensure that the worm executes every time Windows starts.

The following registry values have been modified

    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "Hidden" = "0x00000002"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "HideFileExt" = "0x00000001"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "SuperHidden" = "0x00000000"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "ShowSuperHidden" = "0x00000000"

The above entries hide file extensions and prevent the user from viewing hidden files and folders.

Once the system is compromised, the worm looks for removable drives. If one is found, the worm copies itself to the following location:

    • [Removable Drive]:\RECYCLER\OmEkZdL.exe

And drops the following file

    • [Removable Drive]:\Autorun.inf

This worm spreads when the infected removable drive is inserted into another system. It also spreads by copying itself to the removable drive using the names of the existing folders and changing the attributes of those folders in order to hide them.

Note: [%SystemDrive% is the drive where the operating system is installed; in most cases it will be C:\]

-----------------------------------------Updated, April 14, 2010---------------------------------------------

File Information:

  • MD5 - D3BB87D3F2FE35E18B25F3B4DF073F29
  • SHA1 - 4225CFAF32D8EA4EA7AA70F83FBC3EBB0C7C0EAF

Aliases:

  • BitDefender - Win32.Worm.AutoIT.CR
  • F-Secure - Win32.Worm.AutoIT.CR
  • Kaspersky - Trojan.Win32.Autoit.aak
  • Microsoft - Worm:AutoIt/Zixsub.A

Characteristics:

W32/Autorun.worm.c attempts to spread to removable drives by creating an autorun.inf file, which runs the worm automatically on any system that uses the removable drive with AutoRun enabled.

The following registry entries have been deleted:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
    "NoDriveTypeAutoRun"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
    "NoDriveTypeAutorun"

The registry values mentioned above are the two that can be used to persistently disable AutoRun: NoDriveAutoRun and NoDriveTypeAutoRun. The first value disables AutoRun for specified drive letters and the second disables AutoRun for a class of drives. If either value is set to disable AutoRun for a particular device, AutoRun is disabled for it.

By deleting these registry values, the worm ensures that it is executed through AutoRun even on a system where the feature had been disabled.
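The rule just stated (a drive-type mask, a drive-letter mask, AutoRun off for a drive if either covers it) can be evaluated directly. The Python script below is an added example, not code from this description or from McAfee. It decides whether AutoRun is disabled for a given drive, reports which drive types remain enabled once a value has been deleted as this variant does, and parses both values out of a .reg export of the Policies\Explorer key so that a collected export can be reviewed offline. The bit layout it assumes is the documented one: NoDriveTypeAutoRun uses the GetDriveType() codes as bit positions (unknown 0x01 and 0x80, removable 0x04, fixed 0x08, network 0x10, CD-ROM 0x20, RAM disk 0x40, with 0xFF disabling every type), and NoDriveAutoRun uses one bit per drive letter starting with A: at bit 0. The .reg export text is constructed for the example.

```python
"""Evaluate the Explorer policy values that control AutoRun.

Added example (not McAfee's code). It applies the rule stated in the
description: NoDriveTypeAutoRun masks drive types, NoDriveAutoRun masks
drive letters, and AutoRun is off for a drive if either mask covers it.
The April 2010 variant deletes these values, which is the "missing" case
handled below.
"""
from __future__ import annotations

import re

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# NoDriveTypeAutoRun bits follow the GetDriveType() codes (bit n = type n);
# 0x80 is a second "unknown" bit and 0xFF disables every type. Bit 0x02
# (DRIVE_NO_ROOT_DIR) never corresponds to a usable drive and is left out.
DRIVE_TYPE_BITS = {
    "unknown": 0x01 | 0x80,
    "removable": 0x04,
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
}
DISABLE_ALL = 0xFF


def autorun_disabled(drive_letter: str, drive_type: str, policy: dict[str, int]) -> bool:
    """True if AutoRun is disabled for this drive by either policy value.

    `policy` mirrors one Policies\\Explorer key; a value that is absent
    imposes no restriction, which is the state the worm leaves behind.
    """
    type_mask = policy.get("NoDriveTypeAutoRun", 0)
    letter_mask = policy.get("NoDriveAutoRun", 0)
    by_type = bool(type_mask & DRIVE_TYPE_BITS[drive_type])
    # NoDriveAutoRun: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    by_letter = bool(letter_mask & (1 << (ord(drive_letter.upper()) - ord("A"))))
    return by_type or by_letter


def audit_autorun_policy(policy: dict[str, int]) -> list[str]:
    """Findings after this worm: deleted values and drive types still allowed."""
    findings = []
    if "NoDriveTypeAutoRun" not in policy:
        findings.append("NoDriveTypeAutoRun is missing; set it to 0xFF to cover every drive type")
    mask = policy.get("NoDriveTypeAutoRun", 0)
    allowed = [name for name, bits in DRIVE_TYPE_BITS.items() if not mask & bits]
    if allowed:
        findings.append("AutoRun still allowed for: " + ", ".join(allowed))
    return findings


def parse_reg_export(text: str) -> dict[str, int]:
    """Pull the REG_DWORD values of a Policies\\Explorer key out of a .reg export.

    Only values inside a key whose path ends with POLICY_KEY are taken, so
    an export of a whole hive can be passed in unchanged.
    """
    values: dict[str, int] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower().endswith(POLICY_KEY.lower())
            continue
        match = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if in_key and match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


# Constructed .reg export (not from a real host) of a correctly hardened key.
HARDENED_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:00000010
"""

# What the same key looks like after the worm has deleted the values.
AFTER_WORM: dict[str, int] = {}

if __name__ == "__main__":
    for label, policy in (("hardened", parse_reg_export(HARDENED_EXPORT)), ("after worm", AFTER_WORM)):
        print(label, "E: removable disabled:", autorun_disabled("E", "removable", policy))
        for finding in audit_autorun_policy(policy):
            print(label, "FINDING:", finding)
```

Export the Policies\Explorer key from both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (reg export) and run parse_reg_export over each; the deletion described above shows up as the "NoDriveTypeAutoRun is missing" finding, and the expected remediation is to set it back to 0xFF.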

The following registry entry has been added:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "Hidden", "REG_DWORD", "2"

The above registry value shows that the malware binary hides itself from the compromised user.

The malware binary terminates certain security-related tools when the user tries to run them, including the following:

  • tcpview.exe
  • wireshark.exe
  • netstat.exe

The malware binary connects to whatismyip.com and checkip.dyndns.org to obtain the compromised user's public IP address, stores that information in a temporary file and sends it to the remote attacker through IRC channels.

When executed the malware binary connects to the following site:

  • irc.u[removed].com

The following registry entry has been added to the compromised user system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    59w6ohet2krtfjx.exe: "%WinDir%\59w6ohet2krtfjx.exe"

The above registry entry ensures that the malware binary is executed every time the system boots.

The malware binary copies itself to the following system location:

  • %WinDir%\59w6ohet2krtfjx.exe

The screenshot referenced at this point (not reproduced here) shows the malware binary creating an autorun.inf file on removable drives, which runs the worm automatically on any system that has AutoRun enabled for the drive.

These are the defaults for typical path variables (they may differ, but these are common examples):

  • %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
  • %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
  • %ProgramFiles% = \Program Files
  • %SystemDrive% = the drive on which the operating system is installed, usually C:\

    ---------------------------------------------------------------------------------------------------------------------

W32/Autorun.worm.c is a worm that may propagate via removable drives or network shares.

Upon execution, a variant of W32/Autorun.worm.c copies itself to:

%WinDir%\system32\drivers\svchost.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.).

It drops the following file:

%User_Profile%\Local Settings\Temp\rs.bat

(where %User_Profile% is the default profile folder for the current user, for example C:\Documents and Settings\Administrator if the current user is Administrator.)

It changes the configuration of the Windows Automatic Updates service (wuauserv) to the following values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000011
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ErrorControl: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath: "%SystemRoot%\system32\drivers\svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Description: "??????? Windows ???????????,???????? Windows Update ??????????"

It also deletes the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ServiceDll: "%WinDir%\System32\wuauserv.dll"

The worm may propagate via network shares or removable drives by dropping an autorun.inf file together with a copy of itself.

Symptoms

-registry keys described above

-dropped files described above

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview -

W32/Autorun.worm.c is a worm that may propagate via removable drives or network shares.

Aliases

  • Worm.Win32.Agent.zln
  • Worm.Win32.AutoRun.crv

Characteristics

--  Updated on June 28, 2011 ----------

File Information –

    • MD5 - b63e4faa54539c89186fab5762063025
    • SHA1 - 11dff2955414926a5f1deb8f3e742b11d8e292bd

Aliases –

    • F-Secure - Win32.Worm.Rimecud.AZ
    • Kaspersky - Worm.Win32.AutoRun.card
    • Microsoft - Worm:Win32/Verst.B
    • Symantec - W32.Pilleuz!gen25

"W32/Autorun.Worm.C" is a worm that spreads via network drives and downloads malicious files from a remote machine. This worm may also attempt to steal sensitive information such as passwords.

This worm has been distributed as a file that uses the Windows Explorer file icon. Upon execution, the worm opens an Explorer window in order to mask its actions from the infected user.

The worm contains autorun capabilities and the executable can be dropped into the root of network or removable drives along with an autorun.inf file.

Upon execution, the worm copies itself to the following locations and connects to the IP address 83.229.[removed] on remote port 80 to download other malicious files:

    • %AllUsersProfile%\Application Data\Acdelco-Local.exe [hidden] [Detected as W32/Autorun.worm.c]
    • %AllUsersProfile%\Application Data\sdata.dll [Detected as Downloader-CML]
    • %AllUsersProfile%\Application Data\set.dat
    • %AllUsersProfile%\Application Data\task.dat

It also connects to the following sites:

    • hxxp://vest[removed].freehostia.com
    • hxxp://psyn[removed].dk/data
    • hxxp://ku[removed].ru/data
    • hxxp://s-[removed].ru/data
    • hxxp://ed[removed].ru/data

The worm contacts the following domains to download files that contain configuration information:

    • freehostia.com
    • 110mb.com
    • x10hosting.com
    • awardspace.com
    • exofire.net
    • hostei.com
    • orgfree.com
    • h18.ru
    • eu.pn

This configuration file contains attacker-specified locations from which the worm is directed to download and execute arbitrary files.

The dropped DLL hooks the following system APIs, redirecting them to its own code in order to hide its presence on the infected computer:

    • ZwQueryDirectoryFile
    • ZwQuerySystemInformation
    • ZwOpenProcess

The following registry key has been added:

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\MSrtn

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
      Srtserv = "%AllUsersProfile%\Application Data\Acdelco-Local.exe"

The above registry value ensures that the worm executes every time Windows starts.

    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\MSrtn\
      value1 = "Acdelco-Local.exe"
    • HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\MSrtn\
      value2 = 0x00000E08

It creates the following mutex to ensure that only one instance of the worm runs at a time:

    • YCS0mRtQ316

The following hidden folder has been added to the system:

    • %UserProfile%\Desktop\Acdelco-Local

After execution, the original worm file is deleted from the system.

[Note: %AllUsersProfile% is C:\Documents and Settings\All Users,
%UserProfile% is C:\Documents and Settings\[User Name]]

--------

--Updated on June 09, 2011 ----------

File Information

  • MD5 - 0C3E086CC46D73CDE78811F85DA77E24
  • SHA1 - BFEF2DD67A1D466949C35C5FBF72DACB84EEACDC

Aliases

  • Kaspersky - Worm.Win32.VB.abk
  • NOD32 - Win32/AutoRun.VB.SA
  • TrendMicro - WORM_PALEVO.SML
  • Microsoft - Worm:Win32/Autorun.LD

Upon execution, the worm copies itself to the following locations:

  • %Windir%\inf\ssvhost.exe
  • [Removable Drive]:\ssvhost.exe

and drops the following file:

  • [Removable Drive]:\autorun.inf

It also drops an autorun.inf file into the root of all removable and mapped drives so that the executable is launched automatically when the drive is accessed.

The autorun.inf file points to the malware executable. When the removable or network drive is accessed from a machine that supports the AutoRun feature, the malware is launched automatically.

The autorun.inf file is configured to launch the malware with the following directives:

  [AutoRun]
  open=ssvhost.exe
  shellexecute = ssvhost.exe
  shell\0pen\command=ssvhost.exe
  shell=0pen

It uses the Windows folder icon as its own icon, to trick users into opening it and thereby executing the worm.

When one of these files is opened, the worm executes in the background and at the same time opens the corresponding original folder for the user to view.

The following registry keys have been added to the system:

  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Toolbar\Explorer
  • HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

The following registry value has been added:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "SystemHealth" = "%Windir%\inf\ssvhost.exe"

The above registry value ensures that the malware binary runs on every boot.

[%Windir% is C:\WINDOWS\, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]

-------------------------------------------------------------------------------------------------------

-----------------Update: March 08, 2011------------------------------

File Information

  • MD5 - 0394E365287928314975D0DA9FF5D4A9
  • SHA1 - 2339EB886AE78D050B3D6B9B36B93DEA0E56CAF4

Aliases

  • Kaspersky - Worm.Win32.Agent.abf
  • Microsoft - Worm:Win32/Autorun.WW
  • NOD32 - Win32/AutoRun.Agent.VV
  • Norman - W32/Obfuscated.H3!genr

Upon execution, the worm copies itself to the following locations:

  • %WinDir%\system32\framebufb.exe
  • %Systemdrive%\Nueva_carpetaa.exe

The following registry keys have been added to the system:

  • HKEY_USERS\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_USERS\S-1-5[varies]\Software\Policies\Microsoft\Internet Explorer\Control Panel
  • HKEY_USERS\S-1-5[varies]\Software\Win Album


The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    WindowsCMD = ""%WinDir%\System32\framebufb.exe" primary"
  • [HKEY_USERS\S-1-5[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableTaskMgr = 0x00000001
    DisableRegistryTools = 0x00000001
  • [HKEY_USERS\S-1-5[varies]\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    Homepage = 0x00000001
  • [HKEY_USERS\S-1-5[varies]\Software\Win Album]
    value = "framebufb"

The following registry values have been modified:


[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) and %SystemDrive%\ is C:\]

-----------------------------------------------------------------

-------Update: February 11, 2011-------------------

Some newer variants spread by copying themselves to removable and shared drives using the following file structure:

X:\Early\life\DesKTop.ini
X:\Early\life\UpDaTe.exe

where X is the drive letter.

The autorun.inf file contains the following phrase:

;Starting at age 14 he became a great fan of The Beatles.

This worm will also try to connect to the following websites:

  • acc53v3n.selfip.biz
  • accf1v3.servebbs.com
  • acc7w0.podzone.org

-------Update: September 10, 2010-------------------

File Information

  • MD5: EF7EC8B8C997973FA0C57E0BA6EB5AD0
  • SHA1: D89F289F802348774C9AD456BA5A1F3B982DA0FC

Aliases

  • Microsoft: Worm:Win32/VB.FT
  • Avira: Worm/VB.atg
  • Kaspersky: Virus.Win32.Folcom.b

Characteristics -

"W32/Autorun.worm.c" is a worm written in VB, which may propagate via removable drives or network shares.

Upon execution, the worm copies itself to the following locations:

  • %SYSTEMDRIVE%\fun.xls.exe
  • %ProgramFiles%\EXPLORER.EXE

It also drops the following file:

  • %SYSTEMDRIVE%\Autorun.inf

The autorun.inf file points to the malware executable. When the removable or network drive is accessed from a machine that supports the AutoRun feature, the malware is launched automatically.

The worm also copies itself using the names of existing folders and changes the attributes of those folders:

  • %SYSTEMDRIVE%\Documents and Settings.exe
  • %SYSTEMDRIVE%\Program Files.exe
  • %SYSTEMDRIVE%\WINDOWS.exe

When one of these files is opened, the worm executes in the background and at the same time opens the corresponding original folder for the user to view.

The following registry keys have been added to the system:

  • HKEY_USERS\S-1-(Varies)\Software\VB and VBA Program Settings\ShitMaker
  • HKEY_USERS\S-1-(Varies)\Software\VB and VBA Program Settings\ShitMaker\Info

The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
    NeverShowExt = ""

The above mentioned registry entry hides the file extension.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    FolderRaper = "%SystemDrive%\XXX.exe"

[Note: XXX is the name of an existing folder on the C:\ drive]

The above registry value ensures that the worm executes on every system boot.

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableRegistryTools = "0x00000001"
    DisableTaskMgr = "0x00000001"

The above registry values show that the worm disables Task Manager and the registry tools.

  • [HKEY_USERS\S-1-5-(Varies)\Software\VB and VBA Program Settings\ShitMaker\Info\]
    ActivedEXE = "%ProgramFiles%\EXPLORER.exe"
  • [HKEY_USERS\S-1-5-(Varies)\Software\VB and VBA Program Settings\ShitMaker\Info\]
    LastStartTime = "09-09-2010 5:53:53 PM"

The worm records the date and time of its last execution and reverts any changes the user makes to its registry entries (restoring the values the worm originally created).

The worm may display a "FlashWindow" with the following messages:

  • yourbossishere!
  • notimeforfun!
  • showmeyourbody!
  • whatisyou?
  • whoisyourmaster?

The worm allows the attacker to take complete control of the system and performs its backdoor activity using the following commands:

  • SilencePassword
  • ChangeFolder
  • StopPassword
  • SuperGlasses
  • BrokeGlasses

[Note: %SystemDrive% is the drive where Windows is installed (C: on most computers), %ProgramFiles% is C:\Program Files.]

-------Update: September 1, 2010-------------------

File Information

  • MD5 - 96CB01A57179810808085155EFB44395
  • SHA1 - 6EB326C2929CE4849927530C53C6A22EA2CBB126

Aliases

  • Kaspersky - Worm.Win32.AutoRun.gvy
  • NOD32 - a variant of Win32/AutoRun.Agent.UI
  • Ikarus - Worm.Win32.AutoRun
  • Microsoft - Worm:Win32/Hilgild!gen.A

Upon execution, the Trojan copies itself to the following locations:

  • %Appdata%\wmimgmt.exe [Detected as Generic.dx!tqh]
  • [Removable Drive]:\RECYCLER\wmimgmt.exe [Hidden] [Detected as Generic.dx!tqh]

and drops the following files:

  • %Temp%\ifd10.tmp
  • %Temp%\54B65DC7.db
  • %Temp%\tmp~ghi.log
  • %Userprofile%\DRM\Media\54B65DC7.db
  • [Removable Drive]:\AuToRUn.iNf [Hidden]
  • [Removable Drive]:\RECYCLER\desktop.ini

This Trojan also attempts to create an autorun.inf file in the root of any accessible disk volume.

The autorun.inf file points to the malware executable. When the removable or network drive is accessed from a machine that supports the AutoRun feature, the malware is launched automatically.

The Trojan also copies itself using the names of existing folders and changes the attributes of those folders in order to hide them.

The newly created files look like folders, so when one is opened the Trojan executes in the background and at the same time opens the corresponding original folder for the user to view.

The following registry key has been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent

The following registry value has been added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt: ""

The above mentioned registry entry hides the file extension.

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "wmi32" = "%Appdata%\wmimgmt.exe"

The above registry entry confirms that the Trojan executes on every system boot.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\]
    TrapPollTimeMilliSecs: 0x00003A98

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\]
    "UncheckedValue" = "0x00000000"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "SuperHidden" = "0x00000000"
  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    "ShowSuperHidden" = "0x00000000"

The above registry values show that the Trojan prevents the compromised user from viewing hidden files and folders on the system.

[%UserProfile% is C:\Documents and Settings\Administrator\, %Appdata% is the Application Data folder, %Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\ and %SystemDrive% is the drive where the operating system is installed, in most cases C:\]

----------------------------------------------------

-------Update: August 21, 2010-------------------

File Information

  • MD5: 1B1192D4C84DABB0E1E01DC4D06B013A
  • SHA1: 6E569AE7698DA62C5B0466C9D16CC57E666F7C8C

Aliases

  • AVG: Worm/VB.BDBS
  • Symantec: W32.Changeup!gen6
  • NOD32: Win32/AutoRun.VB.SL

"W32/Autorun.worm.c" is a worm that may propagate via removable drives or network shares. It is also designed to download malicious files from websites controlled by the malware author.

When executed, the Trojan connects to the following websites to download malicious files from the remote server:

  • ns1.vi[removed]hares.com using remote port 8000
  • ns1.pla[removed]523.com using remote port 8000

The following sites are contacted on remote port 80:

  • ns1.vi[removed]res.com
  • 78.[removed].122
  • 109.[removed].42
  • 78.[removed].122
  • http://www.vide[removed]net/?media=u7xrTq&embedded=false

The following files have been added to the system:

  • %Temp%\4.tmp [Found to be Trojan]
  • %Temp%\6.tmp [Found to be Trojan]
  • %userprofile%\piufoij.exe [Found to be Worm]
  • %userprofile%\vpnmon\vpnmon.exe [Found to be Trojan]
  • [Removable Drive]:\autorun.inf [Found to be Worm]
  • [Removable Drive]:\naufe.exe [Found to be Worm]
  • [Removable Drive]:\naufex.exe [Found to be Worm]
  • [Removable Drive]:\piufoij.exe [Found to be Worm]

The autorun.inf file points to the malware executable. When the removable or network drive is accessed from a machine that supports the AutoRun feature, the malware is launched automatically. Its contents are:

  [auTOrUn]
  acTion=Open folder to view files
  ShELlExeCUTe=nAuFE.exE
  ICON=%syStEMROoT%\SYSTEM32\shEll32.dlL,4
  USEaUtoplAY=1
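Both autorun.inf layouts quoted on this page, the open=/shellexecute=/shell\0pen\command= form in the June 09, 2011 update above and the mixed-case acTion=Open folder to view files form just shown, can be triaged with one parser. The Python script below is an added example, not code from this description or from McAfee. It parses the [autorun] section case-insensitively, as Windows does, skips ';' comment lines such as the one noted in the February 11, 2011 update, and lists the launch directives together with the lure indicators described on this page: an action string copying the AutoPlay text shown for a real folder, an icon borrowed from shell32.dll, and a shell default verb redirected at the payload. The benign sample and the report format are the example's own; the two malicious samples are the ones reproduced on this page.

```python
"""Parse and triage autorun.inf files like those dropped by W32/Autorun.worm.c.

Added example (not McAfee's code). Windows matches INI keys without regard
to case, so "ShELlExeCUTe" is the same directive as "shellexecute"; lines
starting with ';' are comments.
"""
from __future__ import annotations

import re

LAUNCH_KEYS = {"open", "shellexecute"}
# Text AutoPlay shows for a genuine folder; an autorun.inf that supplies it
# makes the malware entry look like the normal "open" choice.
FOLDER_LURE_ACTION = "open folder to view files"
# The sample on this page borrows a folder icon from shell32.dll (index 4).
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4$", re.IGNORECASE)
VERB_COMMAND = re.compile(r"shell\\([^\\]+)\\command")


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Return the [autorun] section as {lower-cased key: value}."""
    entries: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun_inf(text: str) -> dict:
    """Summarise what the file would launch and which lure tricks it uses."""
    entries = parse_autorun_inf(text)
    launches: list[tuple[str, str]] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            launches.append((key, value))
        verb = VERB_COMMAND.fullmatch(key)
        if verb:  # shell\<verb>\command= defines a context-menu verb
            launches.append((f"verb:{verb.group(1)}", value))

    indicators: list[str] = []
    if launches:
        indicators.append("launches an executable")
    default_verb = entries.get("shell", "").lower()
    if default_verb and f"shell\\{default_verb}\\command" in entries:
        indicators.append(f"default verb '{default_verb}' points at the payload")
    if entries.get("action", "").lower() == FOLDER_LURE_ACTION:
        indicators.append("mimics the 'Open folder to view files' entry")
    if FOLDER_ICON.search(entries.get("icon", "")):
        indicators.append("uses the folder icon from shell32.dll")
    if entries.get("useautoplay", "") == "1":
        indicators.append("requests AutoPlay")
    return {"launches": launches, "indicators": indicators, "suspicious": bool(launches)}


# Samples: the two layouts quoted in this description, plus a constructed
# benign file of the kind a software CD ships (label and icon only).
SAMPLE_JUNE_2011 = """[AutoRun]
open=ssvhost.exe
shellexecute = ssvhost.exe
shell\\0pen\\command=ssvhost.exe
shell=0pen
"""

SAMPLE_AUG_2010 = """[auTOrUn]
acTion=Open folder to view files
ShELlExeCUTe=nAuFE.exE
ICON=%syStEMROoT%\\SYSTEM32\\shEll32.dlL,4
USEaUtoplAY=1
"""

BENIGN_SAMPLE = """; constructed benign example
[autorun]
label=Product CD
icon=setup.exe,0
"""

if __name__ == "__main__":
    for name, sample in (("June 2011", SAMPLE_JUNE_2011), ("Aug 2010", SAMPLE_AUG_2010), ("benign", BENIGN_SAMPLE)):
        report = triage_autorun_inf(sample)
        print(name, "suspicious" if report["suspicious"] else "clean", report["launches"], report["indicators"])
```

A defender's rule of thumb follows from the report: an autorun.inf on removable media with any launch directive is worth quarantining, and the indicators distinguish a folder lure from a legitimate installer disc's label-and-icon-only file.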

The downloaded file also copies itself using the names of existing folders and changes the attributes of those folders in order to hide them.

The newly created files look like folders, so when one is opened the Trojan executes in the background and at the same time opens the corresponding original folder for the user to view.

The Trojan creates the following folder links on removable media:

  • Music
  • Video
  • Documents
  • Pictures

When the above mentioned folder links are clicked to open, the Trojan gets executed.

The following registry values have been added to the system:

  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    Toahea = "%userprofile%\toahea.exe /W"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    piufoij = "%userprofile%\piufoij.exe /Q"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    vpnmon = "%userprofile%\vpnmon\vpnmon.exe"

The above registry values ensure that the malware executes at Windows startup.

  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    Maxhttpredirects = "0x000022B8"
    enablehttp1_1 = "0x00000001"
    ProxyEnable = "0x00000000"

The worm also propagates through the following IM and social networking services:

  • facebook.com
  • twitter.com
  • YahooMessenger
  • msnmsgr

The following files are downloaded from the remote server and cause a denial of service (DoS), preventing the user from carrying out normal system activity:

  • %ProgramFiles%\eMule\Incoming\00001111ytytytytytytryt.wma
  • %ProgramFiles%\eMule\Incoming\M-Phazes-Good Gracious(2010).wma
  • %ProgramFiles%\eMule\Incoming\M-Project - Makina Progression 2 (2010).wma
  • %ProgramFiles%\eMule\Incoming\M-Swift presents 24 Carat-Blue In Black.wma
  • %ProgramFiles%\eMule\Incoming\Monica Mancini - The Dreams of Johnny Mercer.wma
  • %ProgramFiles%\eMule\Incoming\Monica Still Standing 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monica-Still Standing-2010.wma
  • %ProgramFiles%\eMule\Incoming\MonicaStill Standing 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monique - Wenn Schweigen Spricht.wma
  • %ProgramFiles%\eMule\Incoming\Monk - The Men Who Sleeps On His Brea (2008).wma
  • %ProgramFiles%\eMule\Incoming\Monkey Business And Danny Suko - How Will I Know (godlike Music Port remix).wma
  • %ProgramFiles%\eMule\Incoming\Monkey Business And Danny Suko - How Will I Know godlike Music Port remix.wma
  • %ProgramFiles%\eMule\Incoming\Monkeyfunk Feat. Eva My Way House (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monkeyfunk Feat. Eva My Way House 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monkeysteak - Lighthouse Dub (2006).wma
  • %ProgramFiles%\eMule\Incoming\Mono No Aware - Forms of Hands 10 (2010).wma
  • %ProgramFiles%\eMule\Incoming\Mono-Holy_Ground-NYC_Live_With_The_Wordless_Music_Orchestra-DVD-Bonus_Track-2010-hXc.wma
  • %ProgramFiles%\eMule\Incoming\Monobox Realm House (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monobox Realm House 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour Album (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat Paola - Soul Glamour Album 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monodeluxe feat. Paola - The Album 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monokino - Human Error (2009).wma
  • %ProgramFiles%\eMule\Incoming\MonokleGalun - In Frame (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monokreck_Aka_the_Scarfraver_-_Live_at_XT3_Techno_Radio_2nd_.wma
  • %ProgramFiles%\eMule\Incoming\Monolith Of Doom - Devastation Panorama (2009).wma
  • %ProgramFiles%\eMule\Incoming\Monolith Of Doom Devastation Panorama Electronic.wma
  • %ProgramFiles%\eMule\Incoming\MonolythCobalt Rives Ambient (2010).wma
  • %ProgramFiles%\eMule\Incoming\MonolythCobalt Rives Ambient 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monomate - Grand Battle 2010.wma
  • %ProgramFiles%\eMule\Incoming\MonoNikitaman - Das Alles (2008).wma
  • %ProgramFiles%\eMule\Incoming\MonoPoly - The George Machine EP Vinyl (2009).wma
  • %ProgramFiles%\eMule\Incoming\Monostrip - Like A Drug (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose - Ladylike (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose - Ladylike 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monrose Ladylike Pop (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose Ladylike Pop 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monrose Like A Lady Pop (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monrose Like A Lady Pop 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monstar - Usher (Raymond v Raymond).wma
  • %ProgramFiles%\eMule\Incoming\Monster - Lady GaGa (The Fame Monster (Deluxe Version)).wma
  • %ProgramFiles%\eMule\Incoming\Monster - Lady GaGa (The Fame Monster).wma
  • %ProgramFiles%\eMule\Incoming\Monster Magnet - Powertrip.wma
  • %ProgramFiles%\eMule\Incoming\Monster Movie - Everyone Is a Ghost (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monster Movie - Everyone Is A Ghost 2010.wma
  • %ProgramFiles%\eMule\Incoming\Monster Tunes Winter Collection 01 (2010).wma
  • %ProgramFiles%\eMule\Incoming\Monsters - Various Artists (The Twilight Saga New Moon (Deluxe Version) [Original Motion Picture Soundtrack]).wma
  • %ProgramFiles%\eMule\Incoming\Monsters Of Folk - Monsters Of Folk 2009.wma
  • %ProgramFiles%\eMule\Incoming\Monsters Of Folk Monsters Of Folk(2009).wma
  • %ProgramFiles%\eMule\Incoming\Montag - Explorer's Club 5. Berlin-Sto (2010).wma
  • %ProgramFiles%\eMule\Incoming\Montana Movie (Track List).wma
  • %ProgramFiles%\eMule\Incoming\Monte La Rue - The End Of The Rainbow.wma
  • %ProgramFiles%\eMule\Incoming\Monte Montgomery - T-Bones BarGrill, Denison, TX (2010).wma
  • %ProgramFiles%\eMule\Incoming\Montgomery - Stromboli (2009).wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - My Town (2002).wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - Something to be proud Of (2005.wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - Something to be proud Of 2005.wma
  • %ProgramFiles%\eMule\Incoming\Montgomery Gentry - TattoosScars (1999).wma
  • %ProgramFiles%\eMule\Incoming\Month of May - Arcade Fire (The Suburbs).wma
  • %ProgramFiles%\eMule\Incoming\Montrose - Montrose 1973.wma
  • %ProgramFiles%\eMule\Incoming\Monzano - By This Time Last Year Everything Will Seem Younger 2010.wma
  • %ProgramFiles%\eMule\Incoming\Moodorama - Listen (2003).wma
  • %ProgramFiles%\eMule\Incoming\Moodorama - Listen 2003.wma
  • %ProgramFiles%\eMule\Incoming\Moodswing Identity Crisis Hip-Hop 2002.wma
  • %ProgramFiles%\eMule\Incoming\Moody - Music People - the Dancer (Vin (2009).wma
  • %ProgramFiles%\eMule\Incoming\Moodymanc Gretsch Ep House (2010).wma
  • %ProgramFiles%\eMule\Incoming\Moodymanc Gretsch Ep House 2010.wma
  • %ProgramFiles%\eMule\Incoming\Moon DevilS Return Black Metal 2010.wma

The following folders have been added to the system:

  • %userprofile%\vpnmon
  • %ProgramFiles%\eMule
  • %ProgramFiles%\eMule\Incoming

[Where %Temp% is the Temp directory, %userprofile% is C:\Documents and Settings\[UserName], %ProgramFiles% is C:\Program Files]

Symptoms

  • Presence of above mentioned files, registry entries and activities.
  • Presence of unexpected connection to the above mentioned sites.

-------Update : July 16, 2010-----------------------

File Information

  • MD5 - 2F3FB561A85EE31EEF9E3E2868B78A15
  • SHA1 - 82CDC87C6294B97970ECBCCF64BA03616C6DE45D

Aliases

  • NOD32 - Win32/Agent.NEC
  • Microsoft - Trojan:Win32/Folstart.A
  • Ikarus - Trojan.Win32.Agent2
  • Kaspersky - Trojan.Win32.Agent2.ldt

When executed, the worm copies itself to the following locations:

  • %USERPROFILE%\Local Settings\Application Data\Start\update.exe [Detected as W32/Autorun.worm!kc]
  • [Removable Drive]:\[Random Name].exe [Detected as W32/Autorun.worm!kc]

The worm copies itself to the root of each removable drive using the names of the existing folders on that drive.

The following folders have been added to the system:

  • [Removable Drive]:\Usb 2.0 Driver\ S-1-5-31-1286970278978-5713669491-166975984-320\dmc
  • [Removable Drive]:\Usb 2.0 Driver\ S-1-5-31-1286970278978-5713669491-166975984-320\tlsr

The above mentioned folders are hidden folders created by the worm.

The following registry value has been added. It redirects the user's Startup folder to the worm's "Start" directory, so that the processes placed there execute on every Windows boot:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\]
    "Startup" = "%UserProfile%\Local Settings\Application Data\Start"

The following registry values have been modified:

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    Hidden = 0x00000002
  • [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    ShowSuperHidden = 0x00000000

The above registry values show that the worm prevents the compromised user from viewing hidden files and folders on the system.

  • [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    HideFileExt: 0x00000001

The above registry value shows that the worm hides file extensions.

The following mutex has been created to ensure that only one instance of the worm runs at a time:

  • LDLLMAIN

Note: [%UserProfile% is C:\Documents and Settings\Administrator\]

----------------------Update : June 30, 2010-----------------------

File Information:

MD5: E23CDAFC14DDC945FBFDC25D97DAB934

When executed, the Worm copies itself into the following locations:

%WinDir%\h2s.exe
%WinDir%\nacl.exe
%WinDir%\userinit.exe
%winDir%\SYSTEM\lsass.exe

It modifies the hosts file located at:

%WinDir%\System32\drivers\etc\hosts (Detected as QHosts-24)

The worm creates a Run entry for one of its copies:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    •  "pikachu" = "C:\WINDOWS\nacl.exe"

The following registry values have been modified:

    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "Hidden:" = "0x00000002"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "HideFileExt:" = "0x00000001"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "SuperHidden:" = "0x00000000"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      "ShowSuperHidden:" = "0x00000000"

The above registry values show that the worm hides file extensions and prevents the compromised user from viewing hidden files and folders.

It disables Task Manager and the command prompt.

The worm connects to the following domains:

  • cmdcmd[removed].php0h.com
  • web[removed].com

-------Update : June 28, 2010-----------------------

File Information

  • MD5 - 0897569F060F311E3A583AB790E46CC5
  • SHA1 - 78CE615C24026024A2A288FBDFBE001D998B53D6

Aliases

  • Ikarus - Virus.Win32.Agent.SIM
  • Kaspersky - Trojan-Downloader.Win32.Losabel.zo
  • Microsoft - Worm:Win32/Autorun.DN
  • NOD32 - a variant of Win32/AutoRun.ED

When executed, the Worm copies itself into the following locations:

  • %WinDir%\system32\dream.exe [Hidden] [Detected as W32/Autorun.worm.n]
  • %SystemDrive%\sbl.exe [Hidden] [Detected as W32/Autorun.worm.n]

and drops the following files:

  • %SystemDrive%\autorun.inf [Hidden] [Detected as Generic!atr]
  • %WinDir%\system32\1.inf [Hidden] [Detected as Generic!atr]
  • %WinDir%\system32\plmmsbl.dll [Non malicious file which is a copy of urlmon.dll]

It drops the autorun.inf file into the root of all removable and mapped drives so that an executable is launched automatically when the drive is accessed.

The "AutoRun.inf" file points to the malware executable; when the removable or network drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

The following registry values have been added to the system.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\]
    “melove” =  “%WinDir%\System32\dream.exe”
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\]
    “dream” =  “%WinDir%\System32\dream.exe”

The above mentioned registry entries ensure that the worm registers itself with the compromised system and is executed upon every boot.

Once the user's system is compromised, the worm looks for the following security software and terminates it:

  • 360tray
  • 360safe
  • Kaspersky
  • Nod32

The worm downloads other malicious files from the following site.

  • http://sae123.[removed].com/1/home1.html

Also, the worm executes the following command to disable the Windows Firewall (by stopping the SharedAccess service that hosts it):

  • cmd.exe /c net stop sharedaccess

The worm creates the following mutex to ensure that only one instance of the worm can run on a computer at any time:

  • mylovegirlsbl

[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) and %SystemDrive%\ is c:\]

-----------------------------------------Update : May 19, 2010---------------------------------------------------

File Information

    • MD5 - 8F0D1AA84866DC4EFAE80F4798E7D1ED
    • SHA - E02AA615982C9A9739688051EFB92A4C12D668D5

Aliases

    • Symantec - w32.SillyFDC
    • Microsoft - Worm:Win32/Autorun.WT
    • Ikarus - Worm.Win32.AutoRun

This Worm spreads by copying itself into any removable media connected to the system and creates an "autorun.inf" file to execute itself whenever the device is connected to another system.

When executed, the worm copies itself into the following location

    • %SystemDrive%\RECYCLER\X-1-(Varies)\WinSysApp.exe (Hidden)
    • %SystemDrive% \Program Files\Windows Common Files\Commgr.exe (Hidden)
    • %SystemDrive% \Program Files\Windows Alerter\WinAlert.exe (Hidden)

Note :- The "Program Files" folder mentioned above is a hidden folder created by the worm. Its name carries an additional space to differentiate it from the original "Program Files" folder.

The following registry values have been added to the system

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
      "WindowMessenger:" = "%SystemDrive% \RECYCLER\X-1-(Varies)\WinSysApp.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Alerter:" = "%SystemDrive% \Program Files\Windows Alerter\WinAlert.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Common Files Manager:" = "%SystemDrive% \Program Files\Windows Common Files\Commgr.exe"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      "WindowMessenger:" = "%SystemDrive% \RECYCLER\X-1-(Varies)\WinSysApp.exe"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Alerter:" = "%SystemDrive% \Program Files\Windows Alerter\WinAlert.exe"
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
      "Windows Common Files Manager:" = "%SystemDrive%\Program Files\Windows Common Files\Commgr.exe"

The above mentioned registry entries confirm that the worm is executed every time Windows starts.

The following registry values have been modified

    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      “Hidden:” = “0x00000002”
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      “HideFileExt:” = “ 0x00000001”
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      “SuperHidden:” = “ 0x00000000”
    • [HKEY_USERS\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
      “ShowSuperHidden:” =  “0x00000000”

The above mentioned registry entries confirm that the worm hides file extensions and prevents the compromised user from viewing hidden files and folders.
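
The Run-key persistence and the Explorer\Advanced view tampering described in this and the earlier updates can both be checked from an exported registry dump. The following Python is an added example written for this description (not McAfee code and not taken from the sample): it compares the Explorer\Advanced values against a hardened baseline and applies path heuristics drawn from the drop locations listed on this page (RECYCLER folders, look-alike folder names with a trailing space, executables dropped straight into %WinDir% or the drive root, random-looking file names) to the data of each Run value. The baseline values and the sample export are assumptions constructed for the example; the SIDs are shortened.

```python
import re

# Values a defender wants in HKEY_USERS\<SID>\...\Explorer\Advanced so that
# hidden files and extensions stay visible. This is an assumed hardened
# baseline for the example, not the Windows factory default (which hides both).
BASELINE_ADVANCED = {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1}


def audit_advanced(values):
    """Return (name, found, wanted) for every baseline value that differs."""
    return [(name, values.get(name), want)
            for name, want in BASELINE_ADVANCED.items()
            if values.get(name) != want]


def suspicious_reasons(command, windir=r"C:\WINDOWS", sysdrive="C:"):
    """Heuristics taken from the paths this worm family uses for its copies.
    'command' is the data of a Run value, assumed to be a bare executable path."""
    path = command.strip().strip('"')
    parts = path.split("\\")
    parent = "\\".join(parts[:-1]).lower()
    stem = parts[-1].rsplit(".", 1)[0]
    reasons = []
    if "\\recycler\\" in path.lower():
        reasons.append("runs from a RECYCLER folder")
    if any(p != p.rstrip() for p in parts[:-1]):
        reasons.append("directory name with a trailing space (look-alike folder)")
    if parent in (windir.lower(), sysdrive.lower()):
        reasons.append("executable dropped directly into %WinDir% or the drive root")
    if len(stem) >= 12 and re.search(r"\d", stem) and re.search(r"[a-zA-Z]", stem):
        reasons.append("random-looking file name")
    return reasons


def audit_run(entries):
    """entries: {registry key: {value name: data}} for the Run and
    Policies\\Explorer\\Run keys. Returns the entries with at least one reason."""
    flagged = []
    for key, values in entries.items():
        for name, data in values.items():
            reasons = suspicious_reasons(data)
            if reasons:
                flagged.append((key, name, data, reasons))
    return flagged


# Constructed export modelled on the values listed above; the ExampleUpdater
# entry is a benign control that the heuristics must leave alone.
SAMPLE_ADVANCED = {"Hidden": 2, "HideFileExt": 1, "SuperHidden": 0, "ShowSuperHidden": 0}
SAMPLE_RUN = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Windows Alerter": r"C:\Program Files \Windows Alerter\WinAlert.exe",
        "WindowMessenger": r"C:\RECYCLER\X-1-5-21-0\WinSysApp.exe",
        "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "pikachu": r"C:\WINDOWS\nacl.exe",
    },
}

if __name__ == "__main__":
    for name, found, want in audit_advanced(SAMPLE_ADVANCED):
        print(f"Explorer\\Advanced {name}: found {found}, expected {want}")
    for key, name, data, reasons in audit_run(SAMPLE_RUN):
        print(f"{key}\\{name} -> {data}: {'; '.join(reasons)}")
```

The heuristics are deliberately narrow: an entry such as %WinDir%\system32\dream.exe from the June 28 update passes them, so they complement, rather than replace, hash and signature detection with the DAT files named on this page.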

Once the user's system is compromised, the worm looks for removable drives. If one is found, the worm copies itself into the following location:

    • [Removable Drive]:\RECYCLER\OmEkZdL.exe

And drops the following file

    • [Removable Drive]:\Autorun.inf

This worm spreads when the user inserts the infected removable drive into another system. It also copies itself onto the removable drive under the names of the existing folders and changes the attributes of those folders in order to hide them.

Note :- [%SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]

-----------------------------------------Updated, April 14, 2010---------------------------------------------

File Information:

  • MD5 - D3BB87D3F2FE35E18B25F3B4DF073F29
  • SHA1 - 4225CFAF32D8EA4EA7AA70F83FBC3EBB0C7C0EAF

Aliases:

  • BitDefender - Win32.Worm.AutoIT.CR
  • F-Secure - Win32.Worm.AutoIT.CR
  • Kaspersky - Trojan.Win32.Autoit.aak
  • Microsoft - Worm:AutoIt/Zixsub.A

Characteristics:

W32/Autorun.worm.c attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically if systems that use the removable drive are set to Autorun.

The following registry entries have been deleted:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
    • "NoDriveTypeAutoRun"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
    • "NoDriveTypeAutorun"

The above mentioned values are two registry values that can be used to persistently disable AutoRun: NoDriveAutoRun and NoDriveTypeAutoRun. The first value disables AutoRun for specified drive letters and the second disables AutoRun for a class of drives. If either of these values is set to disable AutoRun for a particular device, it is disabled.

The worm deletes the above mentioned registry entries, which ensures that the worm is executed even on a system where the AutoRun feature had been disabled this way.
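
The autorun.inf mechanism referred to throughout this description, and the two policy values discussed just above, can be reasoned about with a few lines of code. The following Python is an added example for this description (not McAfee code and not derived from the sample): it parses an autorun.inf file, lists every entry that can cause a program to run when the drive is opened, and evaluates the NoDriveTypeAutoRun and NoDriveAutoRun bitmasks the way Windows interprets them, including the case where the value has been deleted. The sample autorun.inf is constructed (only the executable name is taken from the May 19, 2010 update), and the value assumed for a deleted policy is an assumption stated in the code.

```python
# Constructed autorun.inf in the shape this worm family drops on removable
# drives; the file name is the one listed for the May 19, 2010 variant, the
# rest is illustrative.
SAMPLE_AUTORUN_INF = r"""[autorun]
; comment line
open=RECYCLER\OmEkZdL.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shellexecute=RECYCLER\OmEkZdL.exe
shell\open\command=RECYCLER\OmEkZdL.exe
shell\explore\command=RECYCLER\OmEkZdL.exe
"""


def parse_autorun_inf(text):
    """Return the [autorun] section as {key: value}; keys are lower-cased
    because Windows matches them case-insensitively."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every program the file can cause to run: open=, shellexecute= and any
    shell\\<verb>\\command= entry (double-click, Explore, context menu)."""
    return [(k, v) for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


# NoDriveTypeAutoRun: a set bit disables AutoRun for that drive class. Bit
# positions follow the GetDriveType() return codes (1 << DRIVE_xxx).
DRIVE_BITS = {"unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04,
              "fixed": 0x08, "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40}
DISABLE_ALL = 0xFF
# Value assumed when the policy value is absent: 0x91, Windows XP's default,
# which leaves removable drives enabled (an assumption for this example; the
# effective default depends on the Windows version and the HKLM policy).
DEFAULT_WHEN_DELETED = 0x91


def autorun_allowed(drive_type, no_drive_type_autorun):
    """True if AutoRun would be processed for the drive class."""
    value = DEFAULT_WHEN_DELETED if no_drive_type_autorun is None else no_drive_type_autorun
    return not (value & DRIVE_BITS[drive_type])


def letter_blocked(drive_letter, no_drive_autorun):
    """NoDriveAutoRun is a bitmask by drive letter: bit 0 = A:, bit 1 = B:, ..."""
    if no_drive_autorun is None:
        return False
    return bool(no_drive_autorun & (1 << (ord(drive_letter.upper()) - ord("A"))))


if __name__ == "__main__":
    entries = parse_autorun_inf(SAMPLE_AUTORUN_INF)
    for key, target in launch_targets(entries):
        print(f"{key} -> {target}")
    print("removable, policy 0xFF:", autorun_allowed("removable", DISABLE_ALL))
    print("removable, policy deleted:", autorun_allowed("removable", None))
```

The parser shows why an icon= line is harmless while open=, shellexecute= and the shell\...\command verbs are not, and the mask functions show the effect the deletion has: with NoDriveTypeAutoRun set to 0xFF every drive class is blocked, whereas once the value is gone the assumed default re-enables removable drives while still blocking network drives.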

The following registry entry has been added:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    • "Hidden", "REG_DWORD", "2"

The above mentioned registry entry confirms that the malware binary hides itself from the compromised user.

The malware binary kills some security-related tools when the user tries to run them; some of them are as follows:

  • tcpview.exe
  • wireshark.exe
  • netstat.exe

The malware binary connects to whatismyip.com and checkip.dyndns.org to obtain the compromised user's IP address, stores that information in a temp file and sends it to the remote attacker through IRC channels.

When executed the malware binary connects to the following site:

  • irc.u[removed].com


The following registry entry has been added to the compromised user system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    • 59w6ohet2krtfjx.exe: "%WinDir%\59w6ohet2krtfjx.exe"

The above mentioned registry entry confirms that the malware binary is executed every time the system boots.

The malware binary copies itself to the following system location:

  • %WinDir%\59w6ohet2krtfjx.exe

The screenshot at this point (not reproduced here) confirms that the malware binary attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically if systems that use the removable drive are set to Autorun.

These are the defaults for typical path variables (they may differ, but these are common examples):

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files
%SystemDrive% = Drive on which the Operating System is installed, mostly C:\

    ---------------------------------------------------------------------------------------------------------------------

W32/Autorun.worm.c is a worm that may propagate via removable drives or network shares.

Upon execution, a variant of W32/Autorun.worm.c copies itself to:

%WinDir%\system32\drivers\svchost.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.).

It drops the following file:

%User_Profile%\Local Settings\Temp\rs.bat

(where %User_Profile% is the default profile folder for the current user, for example C:\Documents and Settings\Administrator if the current user is Administrator.)

It changes the settings of the Windows Automatic Updates service (wuauserv) to the following values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent\: 0x00000011
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type: 0x00000110
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ErrorControl: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath: "%SystemRoot%\system32\drivers\svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Description: "??????? Windows ???????????,???????? Windows Update ??????????"

It also deletes the following registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ServiceDll: "%WinDir%\System32\wuauserv.dll"
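
Taken together, the service changes above turn wuauserv into a launcher for the dropped svchost.exe: the Type becomes 0x110 (own-process plus interactive, instead of the shared svchost host), ImagePath points into system32\drivers, and the ServiceDll that would normally supply the real service code is removed. The following Python is an added example for this description (not McAfee code): it checks an exported wuauserv configuration against what a healthy Windows XP/2003 Automatic Updates service looks like. The healthy ImagePath and ServiceDll strings and the two sample exports are assumptions constructed for the example, modelled on the values listed above.

```python
# Service Type bits (winnt.h names).
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100

# What a healthy Automatic Updates service looks like on Windows XP/2003:
# hosted by the system32 svchost in the netsvcs group, with the service code in
# wuauserv.dll referenced from the Parameters subkey (assumed for the example).
EXPECTED_IMAGE = r"%systemroot%\system32\svchost.exe -k netsvcs"
EXPECTED_DLL = r"%systemroot%\system32\wuauserv.dll"


def type_flags(value):
    """Decode the bits in a service Type value into names."""
    names = []
    if value & SERVICE_WIN32_OWN_PROCESS:
        names.append("own-process")
    if value & SERVICE_WIN32_SHARE_PROCESS:
        names.append("share-process")
    if value & SERVICE_INTERACTIVE_PROCESS:
        names.append("interactive")
    return names


def audit_wuauserv(svc):
    """svc: exported values of ...\\Services\\wuauserv plus the Parameters\\ServiceDll
    value under the key 'ServiceDll' (None when it has been deleted).
    Returns (value name, found, explanation) findings."""
    findings = []
    svc_type = svc.get("Type", 0)
    if svc_type != SERVICE_WIN32_SHARE_PROCESS:
        findings.append(("Type", hex(svc_type),
                         "expected share-process (0x20), found "
                         + ", ".join(type_flags(svc_type))))
    image = (svc.get("ImagePath") or "").lower()
    if not image.startswith(EXPECTED_IMAGE.split(" ")[0]) or "\\drivers\\" in image:
        findings.append(("ImagePath", svc.get("ImagePath"),
                         "service binary is not the system32 svchost host"))
    if (svc.get("ServiceDll") or "").lower() != EXPECTED_DLL:
        findings.append(("ServiceDll", svc.get("ServiceDll"),
                         "Parameters\\ServiceDll missing or not wuauserv.dll"))
    return findings


# Constructed exports: TAMPERED mirrors the values listed above, HEALTHY is the
# stock configuration assumed for this example.
TAMPERED = {"Type": 0x110, "ErrorControl": 0x0,
            "ImagePath": r"%SystemRoot%\system32\drivers\svchost.exe",
            "ServiceDll": None}
HEALTHY = {"Type": 0x20, "ErrorControl": 0x1,
           "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
           "ServiceDll": r"%SystemRoot%\system32\wuauserv.dll"}

if __name__ == "__main__":
    for name, found, why in audit_wuauserv(TAMPERED):
        print(f"wuauserv {name} = {found!r}: {why}")
```

A real svchost.exe lives in %WinDir%\system32, never in the drivers folder, and a service hosted by svchost always carries a Parameters\ServiceDll value; either deviation on its own is worth an alert, and a Type with the interactive bit set on a system service is a further sign that the configuration was written by something other than the installer.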

The virus may propagate via network shares or removable drives by dropping an autorun.inf file and its copy.

Symptoms

- Registry keys described above

- Dropped files described above

Method of Infection

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A