Win32.Worm.Autoruner.CC

( Virus.Win32.AutoRun.gq, Win32.HLLW.Autoruner.358, W32.Dotex, TR/Autorun.BA, Win32:Autorun-BJ )

SYMPTOMS:

• The presence of an executable with random looking name in the following directories:
  • Program Files\
  • Program Files\Common Files\System
  • Program Files\Common Files\Microsoft Shared
• Security / monitoring software is terminated unexpectedly
• The Windows Update service is stopped
• Explorer is set not to show hidden files, even though it was set to show them previously
  

TECHNICAL DESCRIPTION:

This is a mixed thread combining two malicious behaviors:

• it tries to spread by copying itself to every disk and creating an "autorun.inf" file pointing to the copy on the disk. This is especially effective in the case of removable USB drives ("thumb drives")
• It downloads a second malware from a preset URL (which is inactive currently) and executes. It also tries to "prepare" the environment by terminating security / monitoring programs and processes and deleting the registry keys associated with them.

Programs which are terminated by the malware:

Ras.exe
avp.com
avp.exe
runiep.exe
PFW.exe
FYFireWall.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
KPfwSvc.exe
RavTask.exe
Rav.exe
RavMon.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
QQDoctor.exe
EGHOST.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavMonD.exe
RavStub.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
AST.exe
ArSwp.exe
USBCleaner.exe
rstrui.exe
QQLiveUpdate.exe
QQUpdateCenter.exe
Timwp.exe
QQSC.exe

Windows which contain the following strings in their titlebar are closed:

:\ - WinRAR
System
Microsoft Shared
Process
Sysinternals
Virus
Trojan

It sets itself up as a debugger by writing to the following registry key:

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

It tries to delete the following registry keys to prevent components of security programs and the Windows Update from starting up:

SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Services\wscsvc
SYSTEM\CurrentControlSet\Services\wuauserv
SYSTEM\CurrentControlSet\Services\RSPPSYS
SYSTEM\ControlSet001\Services\wscsvc
SYSTEM\ControlSet001\Services\wuauserv

It modifies the settings related to hidden files and autorun so that hidden files are not shown in the Windows Explorer (even if the user modified the setting) and AutoRun is enabled (even if the user disabled it).

Removal instructions:

Please let BitDefender delete the infected files. Modified registry settings (like showing hidden files or disabling autorun) must be modified manually to their intended value.

ANALYZED BY:

Attila Balazs, virus researcher