W32/Autorun.worm.g
- Type
- Virus
- SubType
- Worm
- Discovery Date
- 07/03/2007
- Length
- Varies
- Minimum DAT
- 5067 (07/04/2007)
- Updated DAT
- 6595 (01/20/2012)
- Minimum Engine
- 5.4.00
- Description Added
- 07/03/2007
- Description Modified
- 11/17/2011 2:22 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
-------- Updated on Nov 18, 2011 -----
Aliases -
- Avg - Dropper.Generic.BDHY
- NOD32 - a variant of Win32/Injector.ADW
- Symantec - W32.SillyDC
- Microsoft - VirTool:Win32/VBInject.gen!BW
When executed, the Trojan copies itself to the following locations:
- %Appdata%\firewall update.exe
- [Removable Drive]:\setup253.exe
It also drops an autorun.inf file into the root of all removable and mapped drives so that the executable is launched when the drive is accessed.
The autorun.inf points to the malware executable; when the removable or network drive is opened on a machine with AutoRun enabled, the malware is launched automatically.
- [Autorun]
- open=setup253.exe
- shell\open\Command=setup253.exe
The following registry values have been added to the system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Firewall = "%Appdata%\firewall update.exe"
- [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
UpdateWindows = "%Appdata%\firewall update.exe"
Both Run entries start the dropped copy at every logon; the value names are chosen to look like a firewall or Windows update component.
[Note: %Appdata% = C:\Documents and Settings\[UserName]\Application Data; %SystemDrive% is the drive where the operating system is installed, in most cases C:\]
-------- Updated on May 03, 2010 -----
File Information
- MD5 - 351D312E70C19371B9116CA67737DCB1
- SHA - D90115C869E2AF893756EE150EAE78A617E519FE
Aliases
- Avg - Generic3_c.CHKY
- NOD32 - Win32/Packed.Autoit.E.Gen
- Symantec - Bloodhound.Malautoit
- Microsoft - VirTool:Win32/VBInject.DW
When executed, the Trojan copies itself to the following locations:
- %Windir%\spynet\server.exe
- [Removable Drive]:\RECYCLER\S-1-(Varies)\server.exe
It also drops an autorun.inf file into the root of all removable and mapped drives so that the executable is launched when the drive is accessed.
The autorun.inf points to the malware executable; when the removable or network drive is opened on a machine with AutoRun enabled, the malware is launched automatically.
The following registry keys have been added to the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\5YI432UN-26HC-0185-000P-O5VX252O3DYU}
- HKEY_CURRENT_USER\S-1-(Varies)\Software\vítima
The following registry value has been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\5YI432UN-26HC-0185-000P-O5VX252O3DYU}]
"StubPath" = "%Windir%\spynet\server.exe"
Active Setup runs the StubPath command once for each user account at logon, so this entry starts the Trojan even after the Run entries below have been removed.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%Windir%\spynet\server.exe"
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%Windir%\spynet\server.exe"
These Run entries start the Trojan at every logon.
The following registry values have been modified:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Policies" = "%Windir%\spynet\server.exe"
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%Windir%\spynet\server.exe"
The Policies\Explorer\Run entries are a third autostart path, processed by Explorer at logon alongside the ordinary Run keys, so all three locations must be cleaned.
-------- Updated on Nov 18, 2010 -----
File Information -
- MD5 - 6651d628b1c0315b03ab8896395d1335
- SHA1 - 9500707592fd6b49c83864dda7b8d7ac51ccbb0d
Aliases -
- Kaspersky - Worm.Win32.AutoRun.avxk
- Microsoft - Trojan:Win32/Otran
- NOD32 - probably a variant of Win32/AutoRun.Delf.AC
- Norman - W32/Atraps.UXJ
Upon execution the Worm copies itself into the following location:
- %Systemdrive%\NoAutorun.exe
And drops the following files:
- %Systemdrive%\autorun.inf
- %Systemdrive%\NoAutorun.ver
It also drops an autorun.inf file into the root of all removable and mapped drives. The autorun.inf points to the worm executable, so when the drive is opened on a machine with AutoRun enabled the worm is launched automatically.
The autorun.inf is configured to launch the Trojan file with the following directives:
- [Autorun]
- Open=NoAutorun.exe
- Shellexecute=NoAutorun.exe
- Shell\Open\command=NoAutorun.exe
- Shell=Open
The following registry keys have been added to the system.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
The following registry value has been added to the system:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zzzNoAutoRun" = "%Systemdrive%\NoAutorun.exe"
This Run entry starts the Trojan at every logon.
The following registry values have been added to the system:
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = 0x00000001
"NoRun" = 0x00000001
The worm disables the Folder Options dialog and the Run command by adding these values.
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer]
NoDriveAutoRun = 0x00000000
NoDriveTypeAutoRun = 0x00000000
Zeroing both AutoRun policies removes every restriction on which drives may AutoRun, so the dropped autorun.inf is honoured on any drive. (The hardened value for NoDriveTypeAutoRun is 0xFF, which disables AutoRun on all drive types.)
The following registry value has been modified:
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Hidden = 0x00000002
A value of 2 selects "Do not show hidden files and folders" in Explorer, keeping the dropped files out of sight.
-------- Updated on Nov 04, 2010 -----
File Information -
- MD5 - 9db833fc8dfbc9193cb6062a74111834
- SHA1 - 6f77b0137f6749cc0b53d8cce88c1bbe66826122
Aliases -
- DrWeb - DLOADER.IRC.Trojan
- Kaspersky - Trojan.Win32.Scar.clvh
- Microsoft - Worm:Win32/Silly_P2P.H
- TrendMicro - TROJ_GEN.USEHJ21
"W32/Autorun.worm.g" is a worm detection that attempts to copy itself to the root of any accessible disk volumes.
Additionally it attempts to place an Autorun.inf file on the root of the volume, so that it is executed the next time the volume is mounted.
Upon execution, the worm copies itself to the location below and connects to the site "eagle[removed].com" to download further malicious files.
- %AppData%\svchosts.exe
The following registry keys have been added to the system
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
The following registry values have been added:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
Microsoft Corp = "%AppData%\svchosts.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Microsoft Corp = "%AppData%\svchosts.exe"
- [HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
Microsoft Corp = "%AppData%\svchosts.exe"
These entries start the worm at every logon. The value name "Microsoft Corp" and the file name svchosts.exe (one letter away from the legitimate svchost.exe, which in any case lives in %WinDir%\system32, not %AppData%) are chosen to look benign.
The worm was observed connecting to the remote host using the following port numbers (1065 to 1068 are consecutive and fall in the ephemeral range, so they are most likely the local source ports rather than the server's listening port):
- 4723
- 1065
- 1066
- 1067
- 1068
It attempts to spread to removable drives by creating an autorun.inf file, which runs the worm automatically when the drive is inserted into a system with AutoRun enabled:
[aUtoRUN]
shelLexEcute=SYSTEM.EXE
iCoN=%wiNdiR%\sySTeM32\sHELl32.dLl,4
ShEll\OpEn\ComMaNd=SYSTEM.EXE
shell\explore\command=SYSTEM.EXE
uSeAuTopLAy=1
ShElL%seXpLorE%sCoMmAnD=SYSTEM.EXE
The mixed case is deliberate: Windows parses autorun.inf as an INI file whose section and key names are case-insensitive, so the directives still work, while naive case-sensitive signatures looking for "[autorun]" or "shellexecute" miss them. The icon directive points the drive's icon at a stock icon inside shell32.dll so that the drive looks ordinary in Explorer.
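The three autorun.inf files quoted in this write-up (the setup253.exe, NoAutorun.exe and SYSTEM.EXE variants) all depend on Windows reading the file as a case-insensitive INI file. The following Python is an added example, not code from the original description or from any vendor tool: it parses an autorun.inf the same way, lists every program the file would launch, and flags the shell32.dll icon trick. The three samples are transcribed from this page as constructed test input; the function names are this example's own.

```python
"""Parse autorun.inf the way Windows AutoRun does and list what it launches.
Added example, not code from the McAfee write-up.  Windows reads autorun.inf
through the INI profile API, so section and key names are case-insensitive
and whitespace around '=' is ignored; the three samples at the bottom are
transcribed from the write-up as constructed test input."""
import re

# Directives whose data names a program to run.  shell\<verb>\command is
# matched separately because the verb (open, explore, ...) is attacker-chosen.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_ini(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Every program the file would start when the drive is opened, or offer
    through Explorer's context menu, however the file is cased."""
    targets = set()
    for key, value in parse_ini(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            parts = value.split()          # drop any command-line arguments
            if parts:
                targets.add(parts[0].lower())
    return targets


def icon_spoof(text):
    """True if the drive icon is redirected to an icon inside shell32.dll
    (index 4 is a folder), the trick for making a USB stick look ordinary."""
    icon = parse_ini(text).get("autorun", {}).get("icon", "").lower()
    return "shell32.dll" in icon


# Constructed samples, transcribed from the write-up.
SAMPLE_NOV_2011 = """[Autorun]
open=setup253.exe
shell\\open\\Command=setup253.exe
"""

SAMPLE_NOV_2010 = """[Autorun]
Open=NoAutorun.exe
Shellexecute=NoAutorun.exe
Shell\\Open\\command=NoAutorun.exe
Shell=Open
"""

SAMPLE_OBFUSCATED = """[aUtoRUN]
shelLexEcute=SYSTEM.EXE
iCoN=%wiNdiR%\\sySTeM32\\sHELl32.dLl,4
ShEll\\OpEn\\ComMaNd=SYSTEM.EXE
shell\\explore\\command=SYSTEM.EXE
uSeAuTopLAy=1
"""

if __name__ == "__main__":
    for name, sample in [("Nov 2011", SAMPLE_NOV_2011),
                         ("Nov 2010", SAMPLE_NOV_2010),
                         ("obfuscated", SAMPLE_OBFUSCATED)]:
        print(name, sorted(launch_targets(sample)), "icon spoof:", icon_spoof(sample))
```

Run it against the root of any removable drive that was attached to an infected machine; anything it reports as a launch target on removable media is worth quarantining, since no legitimate use of AutoRun on a USB stick remains.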
It communicates with a remote IRC server; the following IRC protocol commands are present in the binary:
- NICK
- JOIN
- PART
- QUIT
- PASS
- PING
- PONG
- USER
[Note : %AppData% - C:\Documents and Settings\[UserName]\Application Data]
----------
-- Update July 22, 2010 --
File Information
- MD5 - E3272BBC39A7C6188D4587A0581E460E
- SHA - 956A9E52797E54847FE2AEC10A0D15B384876275
Aliases
- Kaspersky - Worm.BAT.Autorun.es
- NOD32 - BAT/Autorun.AQ
- Norman - W32/Obfuscated.H2!genr
- TrendMicro - WORM_SILLY.QLW
File Information –
- MD5 - 3464715ED021A7DA6D071D6C611A2385
- SHA1 - AC33021EBBB2142FDABFBEBB907EAFC065BC63DD
Aliases –
- BitDefender - Trojan.Downloader.Agent.ABDP
- Kaspersky - Worm.Win32.AutoRun.gvy
- NOD32 - a variant of Win32/AutoRun.Agent.UI
- TrendMicro - WORM_AUTORUN.SMV
"W32/Autorun.worm.g" attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if systems which use the removable drive are set to Autorun.
It uses the Windows folder icon as its own icon, to trick users into opening it and thereby executing the worm.
Upon execution the worm copies itself to the following locations:
- %AppData%\wmimgmt.exe
- [Removable Drive]:\RECYCLER\wmimgmt.exe (hidden)
- %Temp%\temp.vih [data file]
It drops the following files:
- [Removable Drive]:\RECYCLER\desktop.ini (hidden)
- [Removable Drive]:\AuToRUn.iNf
The following folder has been added:
- [Removable Drive]:\RECYCLER
RECYCLER is a hidden folder created by the worm; the name mimics the Recycle Bin folder that Windows XP itself creates on NTFS volumes, so it draws little attention.
The following registry value has been added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt: ""
An empty NeverShowExt value under the exefile class makes Explorer hide the .exe extension of every executable, even when "Hide extensions for known file types" is switched off; together with the folder icon, wmimgmt.exe is displayed as a folder named "wmimgmt".
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
wmi32 = %AppData%\wmimgmt.exe
This Run entry starts "wmimgmt.exe" at every logon.
The following registry value has been modified:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
UncheckedValue = 0x00000000
Folder Options writes UncheckedValue when the user clears the "Hide protected operating system files" box; with it set to 0, clearing the box has no effect and the hidden files and folders stay out of view.
The worm connects to an IRC server and channel and waits for instructions. A remote attacker can use it to:
- Gather system information (OS version, user name, computer name, IP address)
- Run IRC commands (join channels)
The worm runs the following Windows command-line tools to gather system information:
- SYSTEMINFO.EXE
- FINDSTR.EXE
- ARP.EXE
- CONVERT.EXE
- IPCONFIG.EXE
- ROUTE.EXE
[Where %AppData% - C:\Documents and Settings\[UserName]\Application Data,
%RemovableDrive% = Removable drive inserted into the system
%Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp]
-------
-- Update March 18, 2010 --
When executed, the worm copies itself to the following locations (the names mimic the standard folders on the system drive, which, with the hidden extensions described below, makes the copies look like folders):
- %SystemDrive%\Documents and Settings.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\Program Files.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\System Volume Information.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\Tools.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\WINDOWS.exe [Detected as W32/Autorun.worm.g]
- %WinDir%\system32\ScreenSave.scr [Detected as W32/Autorun.worm.g]
- %WinDir%\system32\Drivers\USBInfo.com [Detected as W32/Autorun.worm.g]
And drops the following file:
- %SystemDrive%\autorun.inf
The following registry keys have been added to the system:
- HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows Script Host
The following registry values have been added to the system:
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = 0x00000001
"NoRun" = 0x00000001
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskmgr" = 0x00000001
The worm disables Folder Options, Task Manager and the Run command by adding these values.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@" = "%WinDir%\system32\Drivers\USBInfo.com"
This Run entry (written to the key's default value, which "@" denotes) starts the worm at every logon.
The following registry values have been modified on the system:
- [HKEY_CURRENT_USER\S-1-(Varies)\Control Panel\Desktop]
"SCRNSAVE.EXE" = "%WinDir%\system32\ScreenSave.scr"
The worm is therefore executed whenever the screen saver starts, a second trigger that does not depend on the Run entry.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0x00000000
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 0x00000000
These entries prevent the user from viewing hidden files and folders: Hidden = 0 hides them, and CheckedValue = 0 means that selecting "Show hidden files and folders" in Folder Options writes 0 as well, so the option cannot be switched back on from the dialog.
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = 0x00000001
This hides file extensions in Explorer, so a copy such as "Program Files.exe" is shown simply as "Program Files".
[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
---------------------------------------------------------------------------------------------------------
-- Update July 3, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/07/02/harry_potter_worm/
This detection is for a worm which attempts to spread to removable drives by creating an Autorun.inf file, which will run the worm automatically, if systems which use the removable drive are set to Autorun.
When the worm is executed, the following error message is shown:
If there is no removable drive present on the machine, the following error message will be shown repeatedly:
Once the final error message is dismissed, the system reboots automatically. When the system restarts, a batch file is run to show the following text:

The worm creates the following files:
- c:\autorun.inf (171 bytes)
- c:\harry potter.txt (379 bytes)
- c:\HarryPotter-TheDeathlyHallows.doc (23 bytes)
- c:\WINDOWS\Tasks\At1.job (386 bytes)
- c:\WINDOWS\Tempt\talk.bat (200 bytes)
It also creates the following registry keys in order to disable Windows Firewall:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
It modifies the following registry entries to disable access to various system features:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "HideClock" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoShellSearchButton" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoTrayContextMenu" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoTrayItemsDisplay" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoViewContextMenu" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoViewContextMenu" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = 1
These changes make a number of things inaccessible on an infected system: Regedit and Task Manager cannot be started, the clock and system tray are hidden, the Search and Run commands are removed from the Start menu, and Explorer's context menus are disabled.
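Across the variants described above, persistence is obtained through the Run keys, Policies\Explorer\Run, an Active Setup StubPath and the SCRNSAVE.EXE value, and the user is locked out through the Policies\Explorer, Policies\System and Explorer\Advanced values. The following Python is an added example, not part of the original write-up: it audits a registry snapshot for exactly those indicators. The snapshot is a constructed dict of {key path: {value name: data}} standing in for what the winreg module would return on a live host, the file names in KNOWN_BINARIES are the ones this page reports, and the Active Setup component name in the sample is made up.

```python
"""Audit a registry snapshot for the autostart and lock-out entries used by
W32/Autorun.worm.g variants.  Added example, not part of the McAfee write-up.

SNAPSHOT is constructed test data shaped like {key_path: {value_name: data}};
on a live Windows host you would populate it from the winreg module."""
import ntpath

HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
POL_EXPLORER = r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"\Software\Microsoft\Windows\CurrentVersion\Policies\System"
ADVANCED = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
DESKTOP = HKCU + r"\Control Panel\Desktop"
ACTIVE_SETUP = HKLM + "\\Software\\Microsoft\\Active Setup\\Installed Components\\"

# Autostart locations named in the variant descriptions.
AUTOSTART_KEYS = [HKLM + RUN, HKCU + RUN,
                  HKLM + POL_EXPLORER + r"\Run", HKCU + POL_EXPLORER + r"\Run"]

# File names this page attributes to the family (matched case-insensitively).
KNOWN_BINARIES = {"firewall update.exe", "server.exe", "noautorun.exe",
                  "svchosts.exe", "wmimgmt.exe", "usbinfo.com",
                  "screensave.scr", "setup253.exe", "system.exe"}

# (key, value name, data the worm writes, effect on the user)
LOCKOUT_RULES = [
    (HKCU + POL_EXPLORER, "NoFolderOptions", 1, "Folder Options removed"),
    (HKCU + POL_EXPLORER, "NoRun", 1, "Run command removed"),
    (HKCU + POL_SYSTEM, "DisableTaskMgr", 1, "Task Manager disabled"),
    (HKLM + POL_SYSTEM, "DisableTaskMgr", 1, "Task Manager disabled machine-wide"),
    (HKCU + POL_SYSTEM, "DisableRegistryTools", 1, "Registry Editor disabled"),
    (HKCU + ADVANCED, "HideFileExt", 1, "file extensions hidden"),
    (HKLM + r"\Software\Classes\exefile", "NeverShowExt", "", ".exe never shown"),
    (HKLM + POL_EXPLORER, "NoDriveTypeAutoRun", 0,
     "AutoRun allowed on every drive type (hardened value is 0xFF)"),
]


def _basename(data):
    """File name from a command-line style value such as '"%AppData%\\x.exe"'."""
    return ntpath.basename(str(data).strip().strip('"')).lower()


def _values(snapshot, key):
    """Values under key, matched case-insensitively (registry paths are)."""
    for path, values in snapshot.items():
        if path.lower() == key.lower():
            return values
    return {}


def _lookup(snapshot, key, name):
    for value_name, data in _values(snapshot, key).items():
        if value_name.lower() == name.lower():
            return data
    return None


def audit(snapshot):
    """Return (category, key, value name, detail) tuples for every indicator."""
    findings = []
    for key in AUTOSTART_KEYS:
        for name, data in _values(snapshot, key).items():
            if _basename(data) in KNOWN_BINARIES:
                findings.append(("autostart", key, name, data))
    # Active Setup runs StubPath once per user at logon, so it survives a
    # clean-up that only looks at the Run keys.
    for path in snapshot:
        if path.lower().startswith(ACTIVE_SETUP.lower()):
            stub = _lookup(snapshot, path, "StubPath")
            if stub is not None and _basename(stub) in KNOWN_BINARIES:
                findings.append(("autostart", path, "StubPath", stub))
    scr = _lookup(snapshot, DESKTOP, "SCRNSAVE.EXE")
    if scr is not None and _basename(scr) in KNOWN_BINARIES:
        findings.append(("autostart", DESKTOP, "SCRNSAVE.EXE", scr))
    for key, name, bad, effect in LOCKOUT_RULES:
        if _lookup(snapshot, key, name) == bad:
            findings.append(("lockout", key, name, effect))
    # Hidden: 1 shows hidden files; the variants write 0 or 2 to hide them.
    if _lookup(snapshot, HKCU + ADVANCED, "Hidden") in (0, 2):
        findings.append(("lockout", HKCU + ADVANCED, "Hidden", "hidden files not shown"))
    return findings


# Constructed snapshot mixing the Nov 2010, May 2010 and Mar 2010 variants;
# the Active Setup component name is made up.
SNAPSHOT = {
    HKLM + RUN: {"zzzNoAutoRun": r"C:\NoAutorun.exe",
                 "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},   # benign
    HKCU + POL_EXPLORER: {"NoFolderOptions": 1, "NoRun": 1},
    HKLM + POL_EXPLORER: {"NoDriveTypeAutoRun": 0},
    HKCU + ADVANCED: {"Hidden": 2},
    ACTIVE_SETUP + "{ExampleComponent}": {"StubPath": r"C:\WINDOWS\spynet\server.exe"},
    DESKTOP: {"SCRNSAVE.EXE": r"C:\WINDOWS\system32\ScreenSave.scr"},
}

if __name__ == "__main__":
    for category, key, name, detail in audit(SNAPSHOT):
        print(f"{category:9} {key}\\{name}: {detail}")
```

The lock-out rules matter for clean-up as much as for detection: an antivirus scan that removes the startup hooks will not necessarily restore NoRun, DisableTaskMgr, Hidden or NoDriveTypeAutoRun, so each "lockout" finding is a value to revert by hand.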
The Internet Explorer startpage is modified to point to an Amazon.com page for a book which is a parody of Harry Potter series.
The ProductID and RegisteredOwner values are changed as follows:
- ProductID = HARRY-POT-TERHATE-SYOU1
- RegisteredOwner = Harry Potter
It also creates the following user profiles:
- Harry-Potter
- Hermione-Granger
- Ron-Weasely
Symptoms
- Presence of above mentioned files and registry keys
- Presence of above mentioned activities.
- The error messages indicated previously
- The infected system becomes drastically changed, with references to Harry Potter
- User profiles, as mentioned previously, appearing unexpectedly
Method of Infection
Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Update to the current engine and DAT files for detection and removal.
2. Run a complete system scan.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
The policy values listed above (NoRun, NoFolderOptions, DisableTaskMgr, DisableRegistryTools, Hidden, HideFileExt, NeverShowExt, NoDriveAutoRun and NoDriveTypeAutoRun) are not startup hooks and should be checked and reverted separately. Also scan every removable drive that was attached to the infected machine: the autorun.inf and the copy of the worm it points to will reinfect any system on which AutoRun is enabled.
3. If the Master Boot Record has been tampered with, restore a clean MBR from the Microsoft Recovery Console. None of the variants described above is reported to modify the MBR; this is the generic procedure and is only needed when an MBR infection is actually found.
On Windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart and remove the CD from the CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Restart and remove the CD from the CD-ROM drive.
Variants
N/A
All Information
Overview -
-- Update March 18, 2010 --
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
-- Update July 3, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/07/02/harry_potter_worm/
This detection is for a worm which purports to provide details of the upcoming Harry Potter book, but makes significant system changes that render it largely unusable. It also tries to copy itself to removable drives such that if they are set to Autorun, it will infect systems it's used on.
Characteristics
Characteristics -
-------- Updated on Nov 18, 2011 -----
Aliases -
- Avg - Dropper.Generic.BDHY
- NOD32 - a variant of Win32/Injector.ADW
- Symantec - W32.SillyDC
- Microsoft - VirTool:Win32/VBInject.gen!BW
When executed, the Trojan copies itself into the following location.
- %Appdata%\firewall update.exe
- :[Removable Drive]:\setup253.exe
And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.
The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
- [Autorun]
- open=setup253.exe
- shell\open\Command=setup253.exe
The following registry key has been added to the system.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Firewall = "%Appdata%\firewall update.exe" - HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
UpdateWindows = "%Appdata%\firewall update.exe"
[Note: %Appdata% - C:\Documents and Settings\[UserName]\Application Data,SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
-------- Updated on May 03, 2010 -----
File Information
- MD5 - 351D312E70C19371B9116CA67737DCB1
- SHA - D90115C869E2AF893756EE150EAE78A617E519FE
Aliases
- Avg - Generic3_c.CHKY
- NOD32 - Win32/Packed.Autoit.E.Gen
- Symantec - Bloodhound.Malautoit
- Microsoft - VirTool:Win32/VBInject.DW
When executed, the Trojan copies itself into the following location:
- %Windir%\spynet\server.exe
- :[Removable Drive]:\RECYCLER\S-1-(Varies)\server.exe
And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.
The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
The following registry key has been added to the system.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\5YI432UN-26HC-0185-000P-O5VX252O3DYU}
- HKEY_CURRENT_USER\S-1-(Varies)\Software\vítima
The following registry value has been added.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\5YI432UN-26HC-0185-000P-O5VX252O3DYU}\]
“StubPath” = "%Windir%\spynet\server.exe"
The above mentioned registry ensures that, the Trojan registers with the compromised system and execute itself upon every boot.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
“HKLM” = "%Windir%\spynet\server.exe" - HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
“HKCU” = "%Windir%\spynet\server.exe"
The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.
The following registry values have been modified.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\]
Policies” = "%Windir%\spynet\server.exe" - [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\]
“Policies” = "%Windir%\spynet\server.exe"
The above mentioned registry ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.
-------- Updated on Nov 18, 2010 -----
File Information -
- MD5 - 6651d628b1c0315b03ab8896395d1335
- SHA1 - 9500707592fd6b49c83864dda7b8d7ac51ccbb0d
Aliases -
- Kaspersky - Worm.Win32.AutoRun.avxk
- Microsoft - Trojan:Win32/Otran
- NOD32 - probably a variant of Win32/AutoRun.Delf.AC
- Norman - W32/Atraps.UXJ
Upon execution the Worm copies itself into the following location:
- %Systemdrive%\NoAutorun.exe
And drops the following files:
- %Systemdrive%\autorun.inf
- %Systemdrive%\NoAutorun.ver
And drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.
The file "AutoRun.inf" is pointing to the malware binary executable, when the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
The autorun.inf is configured to launch the trojan file via the following command syntax.
- [Autorun]
- Open=NoAutorun.exe
- Shellexecute=NoAutorun.exe
- Shell\Open\command=NoAutorun.exe
- Shell=Open
The following registry keys have been added to the system.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveAutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
The following registry values have been added to the system.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"zzzNoAutoRun" = "%Systemdrive%\NoAutorun.exe"
The above mentioned registry key confirms that the Trojan executes every time when windows starts.
The following registry values have been added to the system.
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
“NoFolderOptions” = “ 0x00000001” - [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
“NoRun” = “ 0x00000001”
Worm disables Folder Option and command run by adding the above mentioned values to the registry key.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
Data: NoDriveAutoRun = 0x00000000
Data: NoDriveTypeAutoRun = 0x00000000
The following registry values have been modified.
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
Hidden = 0x00000002
----------------------------------------------------------------------------------------------------------------------------------- Updated on Nov 04, 2010 -----
File Information -
- MD5 - 9db833fc8dfbc9193cb6062a74111834
- SHA1 - 6f77b0137f6749cc0b53d8cce88c1bbe66826122
Aliases -
- DrWeb - DLOADER.IRC.Trojan
- Kaspersky - Trojan.Win32.Scar.clvh
- Microsoft - Worm:Win32/Silly_P2P.H
- TrendMicro - TROJ_GEN.USEHJ21
"W32/Autorun.worm.g" is a worm detection that attempts to copy itself to the root of any accessible disk volumes.
Additionally it attempts to place an Autorun.inf file on the root of the volume, so that it is executed the next time the volume is mounted.
Upon execution, the worm copies itself into the below mention location and it connects to the site "eagle[removed].com" to download malicious files.
- %AppData%svchosts.exe
The following registry keys have been added to the system
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
The following registry values have been added
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
Microsoft Corp = “%AppData%\svchosts.exe" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Corp = "%AppData%\svchosts.exe" - HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Corp = "%AppData%\svchosts.exe"
The above registry entries confirm that, the worm executes every time when windows starts.
The worm makes a connection to the remote machine through the following random port numbers.
4723
1065
1066
1067
1068
It attempts to spread to the removable drives by creating an autorun.inf file, which runs the worm automatically, when the system's removable drive are set to Autorun.
[aUtoRUN]
shelLexEcute=SYSTEM.EXE
iCoN=%wiNdiR%\sySTeM32\sHELl32.dLl,4
ShEll\OpEn\ComMaNd=SYSTEM.EXE
shell\explore\command=SYSTEM.EXE
uSeAuTopLAy=1
ShElL%seXpLorE%sCoMmAnD=SYSTEM.EXE
It will attempt communicate with a remote IRC server using the following information:
NICK
JOIN
PART
QUIT
PASS
PING
PONG
USER
[Note : %AppData% - C:\Documents and Settings\[UserName]\Application Data]
----------
-- Update July 22, 2010 --
File Information
- MD5 - E3272BBC39A7C6188D4587A0581E460E
- SHA - 956A9E52797E54847FE2AEC10A0D15B384876275
Aliases
- Kaspersky - Worm.BAT.Autorun.es
- NOD32 - BAT/Autorun.AQ
- Norman - W32/Obfuscated.H2!genr
- TrendMicro - WORM_SILLY.QLW
File Information –
- MD5 - 3464715ED021A7DA6D071D6C611A2385
- SHA1 - AC33021EBBB2142FDABFBEBB907EAFC065BC63DD
Aliases –
- BitDefender - Trojan.Downloader.Agent.ABDP
- Kaspersky - Worm.Win32.AutoRun.gvy
- NOD32 - a variant of Win32/AutoRun.Agent.UI
- TrendMicro - WORM_AUTORUN.SMV
"W32/Autorun.worm.g" attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if systems which use the removable drive are set to Autorun.
It uses the windows "Folder Icon" as its icon. This is to trick users into opening it, effectively executing the worm.
Upon execution the Worm copies itself into the following locations
- %AppData%\wmimgmt.exe
- [Removable Drive]:\ RECYCLER\wmimgmt.exe(Hidden)
- %Temp%\temp.vih [Data file]
And drop the following files
- [Removable Drive]:\RECYCLER\desktop.ini (Hidden)
- [Removable Drive]:\ AuToRUn.iNf
The following folder has been added
- [Removable Drive]:\ RECYCLER
The above mentioned " RECYCLER" folder is a hidden folder created by the worm.
The following registry value hasbeen added
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt: ""
The above mentioned registry entry hides the file extension.
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
wmi32 = %AppData%\wmimgmt.exe
The above mentioned registry entry confirms that "wmimgmt.exe" runs every time when windows starts.
The following registry value has been modified
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\]
UncheckedValue="0x00000000"
The above mentioned registry entry is modified to keep hidden files and folders not viewable.
The worm connects to an IRC channel and server and waits for instructions. A remote attacker can use this Trojan to perform various tasks.
- Gather system information (OS Version, User name, Computer name, IP Address)
- Run IRC commands (Join channels)
The Worm uses the following MS-DOS commands to gather system information.
- SYSTEMINFO.EXE
- FINDSTR.EXE
- ARP.EXE
- CONVERT.EXE
- FINDSTR.EXE
- IPCONFIG.EXE
- ROUTE.EXE
[Where %AppData% - C:\Documents and Settings\[UserName]\Application Data,
%RemovableDrive% = Removable drive inserted into the system
%Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp]
-------
-- Update March 18, 2010 --
When executed, the Worm copies itself into the following location:
- %SystemDrive%\Documents and Settings.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\Program Files.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\System Volume Information.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\Tools.exe [Detected as W32/Autorun.worm.g]
- %SystemDrive%\WINDOWS.exe [Detected as W32/Autorun.worm.g]
- %WinDir%\system32\ScreenSave.scr [Detected as W32/Autorun.worm.g]
- %WinDir%\system32\Drivers\USBInfo.com [Detected as W32/Autorun.worm.g]
And drops the following file:
- %SystemDrive%\autorun.inf
The following registry keys have been added to the system.
- HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\System
- HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows Script Host
The following registry values have been added to the system.
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
“NoFolderOptions” = “ 0x00000001” - [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\System\]
“DisableTaskmgr” = “ 0x00000001” - [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
“NoRun” = “ 0x00000001”
Worm disables Folder Option, Task Manager and command run by adding the above mentioned values to the registry key.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]:
“@” = "%WinDir%\system32\Drivers\USBInfo.com"
The registry entry above registers the worm with the compromised system so that it runs on every boot.
The following registry values have been modified on the system.
- [HKEY_CURRENT_USER\S-1-(Varies)\Control Panel\Desktop\]
“SCRNSAVE.EXE” = "%WinDir%\system32\ScreenSave.scr"
The registry entry above causes the worm to run whenever the screen saver is activated.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\]
"CheckedValue" = "0x00000000"
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
"Hidden" = "0x00000000"
The registry entries above prevent the user of the compromised system from viewing hidden files and folders.
- [HKEY_CURRENT_USER\S-1-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
"HideFileExt" = "0x00000001"
The registry entry above causes Explorer to hide the extensions of files present on the system.
[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000) and %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\]
---------------------------------------------------------------------------------------------------------
-- Update July 3, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/07/02/harry_potter_worm/
This detection is for a worm that attempts to spread to removable drives by creating an Autorun.inf file, which runs the worm automatically on systems where Autorun is enabled for the removable drive.
When the worm is executed, the following error message is shown:
If there is no removable drive present on the machine, the following error message will be shown repeatedly:
Once the final error message is exited, the system will reboot itself automatically. When the system is restarted, a batch file is run to show the following text:

The worm creates the following files:
- c:\autorun.inf (171 bytes)
- c:\harry potter.txt (379 bytes)
- c:\HarryPotter-TheDeathlyHallows.doc (23 bytes)
- c:\WINDOWS\Tasks\At1.job (386 bytes)
- c:\WINDOWS\Tempt\talk.bat (200 bytes)
It also creates the following registry entries, to disable Windows Firewall:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
It modifies the following registry entries to disable access to various system features:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "HideClock" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoShellSearchButton" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoTrayContextMenu" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoTrayItemsDisplay" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoViewContextMenu" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoViewContextMenu" = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = 1
These changes make a number of things inaccessible on an infected system (e.g. diagnostic tools such as Regedit and Task Manager cannot be used, and the clock and system tray are both hidden). Files also cannot be run from Explorer, though they may still be run from the Start menu.
The Internet Explorer start page is modified to point to an Amazon.com page for a book that is a parody of the Harry Potter series.
The ProductID and Registered Owner are changed as follows:
- ProductID = HARRY-POT-TERHATE-SYOU1
- RegisteredOwner = Harry Potter
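As an added defender-side check (example code, not McAfee's tooling), the PowerShell audit below reads the registry values and dropped-file locations listed in the March 2010 and July 2007 updates above and reports those that match the worm's settings. It assumes an elevated session on the suspect host and treats the "@" value name in the description as the Run key's default value.

```powershell
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent, so callers can compare directly.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-AutorunWormIndicators {
    $findings = @()

    # Policy restrictions the description lists as set to 1 (Task Manager, Run, Folder Options ...).
    $policies = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' =
            'NoFolderOptions','NoRun','HideClock','NoFind','NoShellSearchButton',
            'NoTrayContextMenu','NoTrayItemsDisplay','NoViewContextMenu'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableTaskMgr','DisableRegistryTools'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoViewContextMenu'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableTaskMgr'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' = 'HideFileExt'
    }
    foreach ($path in $policies.Keys) {
        foreach ($name in $policies[$path]) {
            if ((Get-RegValue $path $name) -eq 1) { $findings += "$path\$name = 1" }
        }
    }

    # Hidden-file settings forced to 0 so the dropped files stay invisible in Explorer.
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    if ((Get-RegValue $showAll 'CheckedValue') -eq 0) { $findings += 'SHOWALL\CheckedValue = 0' }
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ((Get-RegValue $adv 'Hidden') -eq 0) { $findings += 'Explorer\Advanced\Hidden = 0' }

    # Persistence: the Run key's default value ("@" in the description) and the screensaver hijack.
    $runKey = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    $run = if ($runKey) { $runKey.GetValue('') } else { $null }
    if ($run -match 'USBInfo\.com$') { $findings += "Run default value = $run" }
    $scr = Get-RegValue 'HKCU:\Control Panel\Desktop' 'SCRNSAVE.EXE'
    if ($scr -match 'ScreenSave\.scr$') { $findings += "SCRNSAVE.EXE = $scr" }

    # Dropped files: autorun.inf at every drive root plus the two named binaries.
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $d.Root 'autorun.inf'
        if (Test-Path $inf) { $findings += "autorun.inf present: $inf" }
    }
    foreach ($f in "$env:SystemRoot\system32\ScreenSave.scr", "$env:SystemRoot\system32\Drivers\USBInfo.com") {
        if (Test-Path $f) { $findings += "file present: $f" }
    }
    return $findings
}

# Prints one line per matching indicator; empty output means none of the listed changes were found.
Test-AutorunWormIndicators
```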
It also creates the following user profiles:
- Harry-Potter
- Hermione-Granger
- Ron-Weasely
Symptoms
- Presence of above mentioned files and registry keys
- Presence of above mentioned activities.
- The error messages indicated previously
- The infected system becomes drastically changed, with references to Harry Potter
- User profiles, as mentioned previously, appearing unexpectedly
Method of Infection
Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.
Removal -
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
1. Go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue the 'fixmbr' command to restore the Master Boot Record.
- Follow the onscreen instructions.
- Reset the computer and remove the CD from the CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow the onscreen instructions.
- Reset the computer and remove the CD from the CD-ROM drive.
2. Update to the current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A