HTool-T2W

Type: Trojan
SubType: Tool
Discovery Date: 06/25/2008
Length: 636 KiloBytes
Minimum DAT: 5325 (06/25/2008)
Updated DAT: 5325 (06/25/2008)
Minimum Engine: 5.1.00
Description Added: 06/25/2008
Description Modified: 06/25/2008 4:27 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update June 25, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/06/18/trojan_worm_toolkit/

This Tool-Kit is used by an attacker to convert any executable into an autorun worm, which can spread through removable devices, by implementing an “AutoRun.inf” configuration file.

"Autorun.inf" is a text-based configuration file which instructs the Windows operating system to perform some action upon opening a network shared drive, local folder, floppy drive or CD-ROM drive, or upon the insertion of a removable disk drive.

This configuration file is usually intended as a convenience feature; however, it is often misused by malware authors to create malware that spreads automatically without any user interaction.

Given below is an example of the contents of an Autorun.inf configuration file:

Given below is a screenshot of the toolkit in discussion:


 

From the screenshot above, it is evident that apart from converting an executable into one with autorun capability, this tool-kit also has the following features:

  • Pack the worm with the UPX packer to reduce the file size
  • Change the icon of the worm created, to make it look legitimate
  • Choose from a range of startup methods (Registry run, Run as service, etc.)
  • Display a custom message when the worm is executed
  • Disable Windows Task Manager, Registry Editor, Folder Options, etc.

Note:

Files created using this tool-kit are detected as W32/Autorun.worm.df

Symptoms

Other than the presence of the above-mentioned file, there are no visible symptoms of the existence of this worm editor component on a machine.

Method of Infection

This is not applicable for Hack Tools.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

This detection is for a Tool-Kit which is capable of converting any executable into a worm with auto spread capability.

The characteristics of this hack tool, such as the file names and the features offered, will differ from one version to another; hence, this is a general description.

Aliases

  • Constructor.VB.ec [Quick Heal]
  • Constructor.Win32.VB.ec [Kaspersky]
  • Constructor.Win32.VB.ec [VBA32]
  • Constructor/Wormer [Panda]
