My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.Autorun.QR

LOW
LOW
144355 B (NSIS installer)

Symptoms

- presence of the file autorun.inf inside root directory of every drive

- msiexec.exe runs in background

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This worm may come inside a NSIS (Nullsoft Installer) file. When this file gets executed, it will first check the existence of the following registry key:

HKEY_LOCAL_MACHINE\Software\QucikWatch, and then it will drop and execute a file named QuickWatch.exe inside temp folder. This file will first create an autorun.inf file in the root of every accessible drive. The autorun.inf file contains several lines of randomly generated garbage ASCII characters, in order to make detection more difficult. Two text lines betray, however, its purpose:

Shellexecute="RECYLCER\Random-name.com drive-letter:\"

shell\Open\command="RECYCLER\Random-name.com drive-letter:\"

The random name will be of the form: S-3-0-68-100021457-100021691-100001035-4746.com, where each number seems to be randomly generated. Any time the infected drive is accesed, the worm gets executed as well, and it will attempt to replicate to other drives, including USB or network drives. It will also launch into execution msiexec.exe, make a copy of x:\windows\system32\msi.dll in %temp% folder, patch it by replacing a short sequence of instructions, and, if ran manually, it will delete its own file.