
Win32.Worm.Autoit.P

LOW
LOW
215,456 bytes
(Trojan-Downloader.Win32.Agent.akh)

Symptoms

Following are some of the signs that you have been infected:
- disabled Task Manager
- disabled Registry Editor
- presence of the following files:
    * %windir%\bad1.exe
    * %windir%\bad2.exe
    * %windir%\bad3.exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel RADU, virus researcher

Technical Description:

Malware is written using AutoIt, which is a "BASIC-like scripting language designed for automating the Windows GUI and general scripting".

Once executed, the worm:
- checks whether a "system.exe" process exists and, if it does, executes "explorer.exe" from the system directory
- exits if any of the following processes is running:
    * msconfig.exe
    * rstrui.exe
    * regedit.exe
    * taskmgr.exe

- tries to kill the following processes if they are running:
    * winsystem.exe
    * handydriver.exe
    * kerneldrive.exe
    * wscript.exe
    * cmd.exe
    * nod32krn.exe
    * nod32kui.exe

- copies itself as:
    * %windir%\msmsgs.exe
    * %windir%\wininit.exe

and modifies a registry key so that it is run at every system startup

- modifies Explorer settings so that file extensions are hidden
- modifies Explorer settings so that hidden files are not shown
- modifies settings to disable Task Manager
- modifies settings to disable the Registry Editor

- copies itself onto all non-removable drives as "system.exe" and adds an autorun.inf file so that it is executed automatically each time the drive is activated or browsed
- deletes following registry keys:
    * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
    * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn\ImagePath
    * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv\ImagePath
    * HKEY_CLASSES_ROOT\lnkfile\isShortcut
- deletes following files:
    * %program files dir%\ESET\nod32.exe
    * %program files dir%\ESET\nod32kui.exe
    * %program files dir%\ESET\nod32krn.exe

- downloads the following files from the internet:
    * http://ppt.th.gs/[removed]/bad1.exe
    * http://ppt.th.gs/[removed]/bad2.exe
    * http://ppt.th.gs/[removed]/bad3.exe

into the Windows directory and adds them to Windows startup
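The symptoms and the behaviour listed above can be turned into a host-triage check. The following script is an added example, not Bitdefender's code and not part of the original description: it scores a host snapshot (a plain dict holding the file paths found, the registry values read, and the text of any autorun.inf found on a drive root) against the indicators in this write-up, and it parses autorun.inf the way Windows does (the open, shellexecute and shell\...\command entries) so that a drive-root "system.exe" launched by autorun is flagged. The registry value names HideFileExt, Hidden, DisableTaskMgr and DisableRegistryTools are the well-known Explorer and policy values behind the settings the write-up describes; the page itself does not name them, so they are an assumption here, and the two snapshots at the bottom are constructed sample data.

```python
"""Triage helper for the Win32.Worm.Autoit.P indicators (added example)."""
import configparser
from typing import Dict, List, Set

# Files the write-up says the worm drops (paths taken from the description).
DROPPED_FILES = (
    r"%windir%\msmsgs.exe",
    r"%windir%\wininit.exe",
    r"%windir%\bad1.exe",
    r"%windir%\bad2.exe",
    r"%windir%\bad3.exe",
)

# Explorer/policy values the worm tampers with. The value names are the
# standard Windows ones; the write-up does not name them (assumption).
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
TAMPERED_VALUES = {
    (ADVANCED, "HideFileExt"): 1,           # file extensions hidden
    (ADVANCED, "Hidden"): 2,                # hidden files not shown
    (POLICIES, "DisableTaskMgr"): 1,        # Task Manager disabled
    (POLICIES, "DisableRegistryTools"): 1,  # Registry Editor disabled
}


def _program(command: str) -> str:
    """Return the executable part of a command line, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split()[0].lower() if command else ""


def autorun_targets(inf_text: str) -> Set[str]:
    """Executables an autorun.inf would launch: open=, shellexecute= and any
    shell\\<verb>\\command= entry in the [autorun] section (case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(inf_text)
    targets: Set[str] = set()
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if not value:
                continue
            k = key.lower()  # configparser already lower-cases keys; be explicit
            if k in ("open", "shellexecute") or (
                    k.startswith("shell\\") and k.endswith("\\command")):
                targets.add(_program(value))
    return targets


def triage(snapshot: Dict) -> List[str]:
    """Return one finding per matched indicator; an empty list means clean."""
    findings: List[str] = []
    present = {p.lower() for p in snapshot.get("files", ())}
    for path in DROPPED_FILES:
        if path.lower() in present:
            findings.append(f"dropped file present: {path}")
    registry = snapshot.get("registry", {})
    for (key, name), bad in TAMPERED_VALUES.items():
        if registry.get((key, name)) == bad:
            findings.append(f"tampered setting: {key}\\{name} = {bad}")
    for drive, text in snapshot.get("autorun_inf", {}).items():
        for exe in autorun_targets(text):
            if exe.endswith("system.exe"):  # the worm's copy on the drive root
                findings.append(f"autorun.inf on {drive} launches {exe}")
    return findings


# Constructed sample autorun.inf of the kind the worm drops (not a real capture).
SAMPLE_AUTORUN = r"""[AutoRun]
open=system.exe
shell\open\Command=system.exe
shell\explore\command="system.exe" /quiet
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed snapshots: one matching the write-up, one from a clean host.
INFECTED_SNAPSHOT = {
    "files": {r"%windir%\msmsgs.exe", r"%windir%\wininit.exe", r"D:\system.exe"},
    "registry": dict(TAMPERED_VALUES),
    "autorun_inf": {"D:": SAMPLE_AUTORUN},
}
CLEAN_SNAPSHOT = {
    "files": {r"%windir%\explorer.exe"},
    "registry": {(ADVANCED, "HideFileExt"): 0, (ADVANCED, "Hidden"): 1},
    "autorun_inf": {},
}

if __name__ == "__main__":
    for line in triage(INFECTED_SNAPSHOT):
        print(line)
```

On a live Windows host the snapshot would be filled from the file system, from winreg reads of the two keys above, and from the autorun.inf on each fixed drive root; the matching logic stays the same. Treating the four registry values as a group matters in practice, because any one of them has benign explanations, while all four flipped at once together with a drive-root system.exe in autorun.inf is the pattern this write-up describes.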