W32/Autorun.worm.e

Type: Virus
SubType: Worm
Discovery Date: 06/20/2007
Length: Varies
Minimum DAT: 5057 (06/20/2007)
Updated DAT: 5620 (05/19/2009)
Minimum Engine: 5.1.00
Description Added: 06/20/2007
Description Modified: 02/15/2008 10:56 AM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update January 14, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.channelregister.co.uk/2008/01/11/malware_digital_devices/

--

A recent variant of W32/Autorun.worm.e was found distributed through digital photo frames that were sold in the market during the 2007 holiday season. This variant was previously detected as Generic.dx in the 5201 DATs in all products.

W32/Autorun.worm.e modifies registry keys to prevent some Windows services from starting and to prevent Explorer from showing hidden files.

It will kill processes with the following strings in the window title bar:

  • :\ - WinRAR
  • System
  • Microsoft Shared
  • Process
  • Virus
  • Trojan

It will connect to the following URLs to download more malware:

  • http://qq.520sf.org/yj/[removed].txt
  • http://www.5460w.cn/xzz/[remove].exe

Deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\: "DiskDrive"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\: "DiskDrive"

Adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfkbyse: "C:\Program Files\Common Files\System\cfhskjn.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwjkpww: "C:\Program Files\Common Files\Microsoft Shared\vnwpbns.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%SOFTWARE%\Debugger: "C:\Program Files\Common Files\Microsoft Shared\vnwpbns.exe"

%SOFTWARE% refers to the following list of strings:

  • 360rpt.exe
  • 360Safe.exe
  • 360tray.exe
  • adam.exe
  • AgentSvr.exe
  • AppSvc32.exe
  • ArSwp.exe
  • AST.exe
  • autoruns.exe
  • avconsol.exe
  • avgrssvc.exe
  • AvMonitor.exe
  • avp.com
  • avp.exe
  • CCenter.exe
  • ccSvcHst.exe
  • EGHOST.exe
  • FileDsty.exe
  • FTCleanerShell.exe
  • FYFireWall.exe
  • HijackThis.exe
  • IceSword.exe
  • iparmo.exe
  • Iparmor.exe
  • isPwdSvc.exe
  • kabaload.exe
  • KaScrScn.SCR
  • KASMain.exe
  • KASTask.exe
  • KAV32.exe
  • KAVDX.exe
  • KAVPF.exe
  • KAVPFW.exe
  • KAVSetup.exe
  • KAVStart.exe
  • KISLnchr.exe
  • KMailMon.exe
  • KMFilter.exe
  • KPFW32.exe
  • KPFW32X.exe
  • KPfwSvc.exe
  • KRegEx.exe
  • KRepair.com
  • KsLoader.exe
  • KVCenter.kxp
  • KvDetect.exe
  • KvfwMcl.exe
  • KVMonXP.kxp
  • KVMonXP_1.kxp
  • kvol.exe
  • kvolself.exe
  • KvReport.kxp
  • KVScan.kxp
  • KVSrvXP.exe
  • KVStub.kxp
  • kvupload.exe
  • kvwsc.exe
  • KvXP.kxp
  • KvXP_1.kxp
  • KWatch.exe
  • KWatch9x.exe
  • KWatchX.exe
  • loaddll.exe
  • MagicSet.exe
  • mcconsol.exe
  • mmqczj.exe
  • mmsk.exe
  • Navapsvc.exe
  • Navapw32.exe
  • nod32.exe
  • nod32krn.exe
  • nod32kui.exe
  • NPFMntor.exe
  • PFW.exe
  • PFWLiveUpdate.exe
  • QHSET.exe
  • QQDoctor.exe
  • QQKav.exe
  • Ras.exe
  • Rav.exe
  • RavMon.exe
  • RavMonD.exe
  • RavStub.exe
  • RavTask.exe
  • RegClean.exe
  • rfwcfg.exe
  • rfwmain.exe
  • rfwsrv.exe
  • RsAgent.exe
  • Rsaupd.exe
  • rstrui.exe
  • runiep.exe
  • safelive.exe
  • scan32.exe
  • shcfg32.exe
  • SmartUp.exe
  • SREng.EXE
  • symlcsvc.exe
  • SysSafe.exe
  • TrojanDetector.exe
  • Trojanwall.exe
  • TrojDie.kxp
  • UIHost.exe
  • UmxAgent.exe
  • UmxAttachment.exe
  • UmxCfg.exe
  • UmxFwHlp.exe
  • UmxPol.exe
  • upiea.exe
  • UpLive.exe
  • USBCleaner.exe
  • vsstat.exe
  • webscanx.exe
  • WoptiClean.exe

The worm also modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start

The following files were added: 

  • %PROGRAMFILES%\Common Files\Microsoft Shared\vnwpbns.exe
  • %PROGRAMFILES%\Common Files\System\cfhskjn.exe
  • %PROGRAMFILES%\cfkbyse.inf
  • %SHAREDDRIVE%\autorun.inf

(where %PROGRAMFILES% is the Windows Program Files folder, e.g. C:\Program Files, and %SHAREDDRIVE% is the drive letter of any shared or removable drive)
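As an added defensive check (this script is not part of the McAfee description), the following PowerShell audits a host, read-only, for the registry and file artifacts listed above. The comparison values it uses (SHOWALL CheckedValue defaults to 1, a service Start of 4 means Disabled) are standard Windows semantics, not values taken from this page.

```powershell
# Added triage script (not McAfee's): read-only checks for the registry and
# file artifacts listed in this description. Run from an elevated prompt.
$cv   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()

# 1. IFEO Debugger values: Windows starts the named "debugger" in place of the
#    listed program, which is how the worm hijacks the %SOFTWARE% tools. Any
#    Debugger value deserves review; the worm's points at vnwpbns.exe.
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for $($_.PSChildName): $dbg" }
}

# 2. The two Run values named in the description
foreach ($name in 'cfkbyse', 'kwjkpww') {
    $v = (Get-ItemProperty "$cv\Run" -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "Run\$name = $v" }
}

# 3. Explorer's 'Show hidden files' option; the Windows default CheckedValue is 1
$hidden = Get-ItemProperty "$cv\Explorer\Advanced\Folder\Hidden\SHOWALL" -ErrorAction SilentlyContinue
if ($hidden -and $hidden.CheckedValue -ne 1) {
    $findings += "SHOWALL\CheckedValue is $($hidden.CheckedValue) (default 1)"
}

# 4. Services the worm stops from starting; Start = 4 means Disabled
foreach ($svc in 'helpsvc', 'SharedAccess', 'wscsvc', 'wuauserv') {
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "Service $svc is disabled (Start = 4)" }
}

# 5. SafeBoot DiskDrive class entries the worm deletes; Safe Mode loads only the
#    classes listed here, so their absence typically breaks Safe Mode boot
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\{4D36E967-E325-11CE-BFC1-08002BE10318}"
    if (-not (Test-Path $key)) { $findings += "SafeBoot\$mode DiskDrive entry is missing" }
}

# 6. Dropped files
foreach ($f in "$env:ProgramFiles\Common Files\Microsoft Shared\vnwpbns.exe",
               "$env:ProgramFiles\Common Files\System\cfhskjn.exe",
               "$env:ProgramFiles\cfkbyse.inf") {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32/Autorun.worm.e artifacts found' }
```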

Symptoms

  • Presence of previously mentioned files.
  • Presence of unexpected network connection to previously mentioned URLs.
  • Presence of previously mentioned registry entries.

Method of Infection

This worm spreads by using autorun.inf on shared drives and removable devices.
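To check drives for the propagation artifact, the following PowerShell (an added example, not McAfee's) lists autorun.inf files on removable and network drives and prints the program each one would launch, without executing anything; network drives (DriveType 4) stand in for the "shared drives" the description mentions.

```powershell
# Added example (not from the McAfee description): report autorun.inf files on
# removable and network drives and the launch directives they contain. Read-only.
$driveTypes = 2, 4   # Win32_LogicalDisk DriveType: 2 = Removable, 4 = Network
Get-CimInstance Win32_LogicalDisk | Where-Object { $driveTypes -contains $_.DriveType } |
  ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }   # skip clean drives
    Write-Output "[!] $inf present (DriveType $($_.DriveType))"
    # [autorun] keys that start a program when the drive is opened or double-clicked
    $launchKeys = 'open', 'shellexecute', 'shell\\[^\\]+\\command'
    Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | ForEach-Object {
        $line = $_.Trim()
        foreach ($k in $launchKeys) {
            if ($line -imatch "^$k\s*=\s*(.+)") { Write-Output "    launches: $($Matches[1])" }
        }
    }
  }
```

On Windows systems updated since 2011, AutoRun no longer honours autorun.inf on removable media, but the file is still a reliable sign that an infected host has written to the drive.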

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

Aliases

  • Win32/Mocmex.AM (CA)
  • WORM_AGENT.TBH (TrendMicro)
