Win32.Worm.Autorun.JP

( Worm.Win32.Autorun.dlw, W32/Autorun.worm.bm, WORM_AUTORUN.UP )

SYMPTOMS:

Presence of the specified files and registry entries.
Presence of the following processes:

• %system%\system.exe
• %windows%\userinit.exe

TECHNICAL DESCRIPTION:

When executed, the worm drops several copies of itself in:

• %system%\system.exe
• %windows%\userinit.exe
• [every removable drive]: Secret.exe

Also, it drops:

• %system%\MSWINSCK.OCX, a clean file used by the virus
• %system%\kdcoms.dll, a file in which the virus stores user's active windows titles and the following keys strokes:

Backspace, Tab, Shift, Ctrl, Alt, Pause, Esc, End, Home, Left, Right, Up, Down, Insert, Delete, F1-F12, NumLock, ScrollLock, PrintScreen, PageUp, PageDown

• [every removable drive]: autorun.inf, in order that the worm is executed every time the drive is accesed

autorun.inf has the following content:

[AutoRun]
open=Secret.exe
;shell\open=Open(&O)
shell\open\Command=Secret.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=Secret.exe

The virus modifies the registry value in order to be executed on every system startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
Userinit = %windows%\userinit.exe" (instead of the original file located in %System%\userinit.exe")

The worm also downloads a file from:
http://files.myopera.com/[hide]online/files/task.rar, which also contains a copy of itself.

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dan Anton, virus researcher