Win32.Worm.Autoit.AL

LOW
MEDIUM
212 Kb

Symptoms

The presence of

%programfiles%\FlashGuard\FlashGuard.exe
%windrive%\FlashGuard\ReadMe.txt
%windrive%\FlashGuard\FlashGuard.exe

The presence of an autorun.inf on removable drives that contains:

[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lita Catalin, virus researcher

Technical Description:


This worm tries to impersonate a benign application, one that claims to protect your removable drives from other pieces of malware.


The worm copies itself to %programfiles%\FlashGuard\FlashGuard.exe

It also includes a readme file that reads:
"This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another. "


It creates the following registry values (under the Run keys, so the worm starts at every logon):
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
    with the value "%windrive%\FlashGuard\FlashGuard.exe" -run

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
    with the value "%windrive%\FlashGuard\FlashGuard.exe" -run


It copies the readme file to %windrive%\FlashGuard\ReadMe.txt

It checks whether any of the following processes are running (the list mixes genuine Windows process names with look-alike names used by other malware):
    iexplore.exe,alg.exe,csrss.exe,cssrs.exe,cssrss.exe,explore.exe,
    expIorer.exe,csrss.exe,iexplorer.exe,lexplore.exe,lsass.exe,lssas.exe,
    lssass.exe,scshost.exe,scvhost.exe,scvhsot.exe,smss.exe,smsss.exe,
    spoolss.exe,spoolsv.exe,spoolvs.exe,ssms.exe,sssms.exe,ssvhost.exe,
    svchost.exe,svchsot.exe,serivces.exe,taskmgr.exe,wilnogon.exe,winl0g0n.exe,
    winlgoon.exe,winlogno.exe,winlogon.exe,wlnlogon.exe
If a matching process's image path does not end with one of:
    \Program Files\Internet Explorer\iexplore.exe,
    \system32\svchost.exe,
    \system32\lsass.exe,
    \system32\csrss.exe,
    \system32\alg.exe,
    \system32\winlogon.exe,
    \system32\smss.exe,
    \system32\spoolsv.exe,
    \system32\taskmgr.exe
the process is terminated and its file is renamed with a ".bak" extension. In effect the worm kills competing autorun malware (and anything else running under one of these names outside the expected location).
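The check described above, turned around into a detection. This is an added example, not code from the Bitdefender write-up or from the worm itself: the name and path lists are the ones quoted above, the sample process table is constructed, and the default Windows directory in the strict variant is an assumption (read it from the environment on a live host). The loose suffix test is the one the write-up describes; the strict variant shows why a defender should anchor the trusted paths to the real system directories instead.

```python
"""Process check modelled on the worm's own kill rule, used as a detection.

Added example; not code from the Bitdefender write-up or from the worm.
A process named like a Windows binary but running from the wrong place,
or carrying a look-alike name (lssass.exe, scvhost.exe), is worth a look.
"""
from typing import Callable, Iterable, List, Tuple

Process = Tuple[int, str, str]  # (pid, image name, full image path)

# Names the worm looks for, copied from the write-up: genuine Windows
# processes mixed with typosquats used by other autorun malware.
# (The write-up lists csrss.exe twice; the set collapses that.)
WATCHED_NAMES = frozenset(n.lower() for n in """
    iexplore.exe alg.exe csrss.exe cssrs.exe cssrss.exe explore.exe
    expIorer.exe csrss.exe iexplorer.exe lexplore.exe lsass.exe lssas.exe
    lssass.exe scshost.exe scvhost.exe scvhsot.exe smss.exe smsss.exe
    spoolss.exe spoolsv.exe spoolvs.exe ssms.exe sssms.exe ssvhost.exe
    svchost.exe svchsot.exe serivces.exe taskmgr.exe wilnogon.exe winl0g0n.exe
    winlgoon.exe winlogno.exe winlogon.exe wlnlogon.exe
""".split())

# Path suffixes the worm treats as trusted (also from the write-up).
TRUSTED_SUFFIXES = tuple(s.lower() for s in (
    r"\Program Files\Internet Explorer\iexplore.exe",
    r"\system32\svchost.exe",
    r"\system32\lsass.exe",
    r"\system32\csrss.exe",
    r"\system32\alg.exe",
    r"\system32\winlogon.exe",
    r"\system32\smss.exe",
    r"\system32\spoolsv.exe",
    r"\system32\taskmgr.exe",
))


def worm_rule(name: str, path: str) -> bool:
    r"""The worm's test as described: watched name, and the image path does
    not end with a trusted suffix. Suffix matching is loose:
    C:\Evil\system32\svchost.exe passes it."""
    return name.lower() in WATCHED_NAMES and not path.lower().endswith(TRUSTED_SUFFIXES)


def strict_rule(name: str, path: str,
                windir: str = r"C:\WINDOWS",      # assumption; use %SystemRoot% on a live host
                windrive: str = r"C:") -> bool:   # assumption; use %SystemDrive%
    """Defender's variant: the full path must equal one of the trusted
    locations anchored to the real Windows / Program Files directories."""
    if name.lower() not in WATCHED_NAMES:
        return False
    trusted = set()
    for suffix in TRUSTED_SUFFIXES:
        base = windrive if suffix.startswith(r"\program files") else windir
        trusted.add((base + suffix).lower())
    return path.lower() not in trusted


def scan(processes: Iterable[Process],
         rule: Callable[[str, str], bool] = strict_rule) -> List[Process]:
    """Return the processes the rule flags (the worm would kill these and
    rename their files to .bak; a defender would investigate them)."""
    return [p for p in processes if rule(p[1], p[2])]


# Constructed sample, not captured from a real host.
SAMPLE_PROCESSES: List[Process] = [
    (600, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),              # genuine
    (1200, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),         # genuine
    (1488, "scvhost.exe", r"C:\WINDOWS\scvhost.exe"),                  # look-alike name
    (1520, "lsass.exe", r"C:\Documents and Settings\user\lsass.exe"),  # wrong location
    (1600, "svchost.exe", r"C:\Evil\system32\svchost.exe"),            # fools the suffix test
    (1700, "notepad.exe", r"C:\WINDOWS\notepad.exe"),                  # not watched
]

if __name__ == "__main__":
    for label, rule in (("worm rule", worm_rule), ("strict rule", strict_rule)):
        print(label, [p[0] for p in scan(SAMPLE_PROCESSES, rule)])
```

Running it shows the difference: the worm's own rule misses the svchost.exe copy parked under a fake system32 directory, while the anchored comparison catches it.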


The worm deletes from C:\heap41a all files belonging to other malicious programs.

It re-enables Task Manager if it has been disabled.

It infects any removable drive by writing an autorun.inf and a hidden copy of itself
at %drv%\System\Security\DriveGuard.exe.
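A triage check for the autorun.inf described in the Symptoms section and dropped on removable drives here. This is an added example, not code from the Bitdefender write-up: it parses an autorun.inf, collects every command Windows would run on insert, Open or Explore, and reports each one that launches an executable, with a specific verdict for the DriveGuard.exe path quoted above and a generic one for any other executable launch. The three sample files are constructed for the example; only the first mirrors the content the write-up gives.

```python
"""Triage check for the autorun.inf this worm writes to removable drives.

Added example; not code from the Bitdefender write-up. Keys are matched
case-insensitively and malformed lines are skipped, so a deliberately odd
file does not abort the check. Sample files below are constructed.
"""
from typing import Dict, List, Tuple

# Path from the write-up, normalised the same way command targets are.
DRIVEGUARD_PATH = r"system\security\driveguard.exe"
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lowercased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries: Dict[str, str]) -> Dict[str, str]:
    """Commands the shell may execute: open, shellexecute, and the
    command entry of every shell verb (the Open/Explore entries above)."""
    return {
        key: value for key, value in entries.items()
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def command_target(command: str) -> str:
    """Program part of a command line (quoted, or the first token),
    lowercased with forward slashes and any leading dot/backslash removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        target = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        target = parts[0] if parts else ""
    return target.lower().replace("/", "\\").lstrip(".\\")


def assess(text: str) -> List[Tuple[str, str, str]]:
    """(key, target, verdict) for every command that launches an executable."""
    findings = []
    for key, command in launch_commands(parse_autorun(text)).items():
        target = command_target(command)
        if not target.endswith(EXEC_EXTENSIONS):
            continue
        verdict = ("Win32.Worm.Autoit.AL" if target == DRIVEGUARD_PATH
                   else "autorun launches executable")
        findings.append((key, target, verdict))
    return findings


# Constructed samples. The first mirrors the autorun.inf quoted in the write-up.
WORM_AUTORUN = r"""[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run
"""

BENIGN_AUTORUN = r"""[autorun]
icon=stick.ico
label=Backup drive
"""

OTHER_AUTORUN = r"""; a different autorun-worm layout, constructed for the example
[AutoRun]
ShellExecute="RECYCLER\setup.exe" /autorun
"""

if __name__ == "__main__":
    for name, sample in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN),
                         ("other", OTHER_AUTORUN)):
        print(name, assess(sample))
```

Note that the worm hooks all three entry points (open, shell\Open\Command, shell\Explore\Command), so a user who right-clicks and chooses Explore to "avoid" autorun still launches DriveGuard.exe; the check reports each of them separately for that reason.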

Payload:

    It downloads executable files from http://[removed]/lndexnew.jpg
    and http://[removed]/lndexnew.txt (the .jpg and .txt names disguise executables),
    copies them to the temporary directory under a random name, and creates the
    registry value HKLM\software\microsoft\windows\currentversion\RunOnce\temp_cleanup
    with the data "%temp_path%\[random].exe" so that they run at the next logon.
All downloaded files are backdoors.