Win32.Worm.AutoIt.AC( Worm:Win32/Autorun.FH; Trojan.Win32.Autoit.ci )
SYMPTOMS:
The following files will be present on an infected computer:
%System%\28463\svchost.exe
%System%\28463\svchost.001
%System%\28463\svchost.002
%System%\regsvr.exe
%Windows%\regsvr.exe (hidden)
%System%\svchost .exe (hidden)
%System%\setup.ini (hidden)

TECHNICAL DESCRIPTION:
This worm is a compiled AutoIt script that carries a folder icon in order to trick the user into running it. If run, it will perform the following actions:
- drop a file named svchost.exe in the %System%\28463\ folder. This file is detected as Trojan.Keylog.Ardamax.NAL and is used to log the user's activity and send it to the malware author. The keystrokes are logged in two files named svchost.001 and svchost.002, created in the %System%\28463 folder.
- create the following three copies of itself:
  %Windows%\regsvr.exe
  %System%\svchost .exe (hidden)
  %System%\regsvr.exe (hidden)
  and add/modify the following registry keys so that the worm and the keylogger are run at every system startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  Name: svchost Agent
  Value: %System32%\28463\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Name: Msn Messenger
  Value: %System%\regsvr.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  Name: Shell
  Value: Explorer.exe regsvr.exe
- delete all scheduled tasks using the following command line:
  cmd.exe /C AT /delete /yes
  and then create its own scheduled task using the following command:
  cmd.exe /C AT 09.00 /interactive /EVERY:m,t,w,th,f,s,su %windows%\svchost .exe
  which is used to run one of the copies of the malware.
- create a file named setup.ini in the %System% folder in order to spread itself to removable drives.

It will also modify the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = 0x00000000 - disables access to Tools | Folder Options in Windows Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 0x00000001 - disables the registry tools

It will also try to download the following files to the user's computer:
http://www.yahoo.com/setting.doc
http://www.yahoo.com/setting.xls
http://yahoo.com/setting.doc
http://yahoo.com/setting.xls
(when this description was written the URLs were no longer active)

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Dana Stanut, virus researcher
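A defender can check a host for the persistence artifacts listed above (the Run values, the altered Winlogon Shell value and the AT job). The following Python audit is an added example, not part of BitDefender's description; it runs over constructed registry and AT job data using the key paths and file names from this page, not over a live system.

```python
import re

# Persistence artifacts named in the description above (lookup tables built for this example)
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUES = {HKLM_RUN: {"svchost Agent"}, HKCU_RUN: {"Msn Messenger"}}
DROPPED_FILE_NAMES = {"regsvr.exe", "svchost .exe", "setup.ini"}
SPACED_EXE = re.compile(r"\S+\s+\.exe$", re.IGNORECASE)  # "svchost .exe" imitates svchost.exe


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def audit_run_values(run_values):
    """run_values: {key_path: {value_name: data}} as read from the two Run keys."""
    findings = []
    for key, values in run_values.items():
        for name, data in values.items():
            if name in SUSPECT_RUN_VALUES.get(key, set()):
                findings.append(f"Run value '{name}' matches known worm entry: {data}")
            elif _basename(data).lower() in DROPPED_FILE_NAMES or SPACED_EXE.search(data):
                findings.append(f"Run value '{name}' points at a dropped file: {data}")
    return findings


def audit_winlogon_shell(shell_data):
    """The clean Winlogon Shell value is exactly 'explorer.exe'; the worm appends ' regsvr.exe'."""
    extra = [p for p in shell_data.split() if p.lower() != "explorer.exe"]
    return [f"Winlogon Shell also launches: {' '.join(extra)}"] if extra else []


def audit_at_jobs(at_commands):
    """at_commands: the command-line column of each AT job, one job per line."""
    findings = []
    for cmd in (line.strip() for line in at_commands.splitlines() if line.strip()):
        if SPACED_EXE.search(cmd) or _basename(cmd).lower() in DROPPED_FILE_NAMES:
            findings.append(f"Scheduled job runs a dropped file: {cmd}")
    return findings


def audit(run_values, shell_data, at_commands):
    return (audit_run_values(run_values) + audit_winlogon_shell(shell_data)
            + audit_at_jobs(at_commands))


# Constructed sample data mirroring an infected host; "VMware Tools" is a benign control entry
SAMPLE_RUN = {
    HKLM_RUN: {"svchost Agent": r"C:\WINDOWS\system32\28463\svchost.exe",
               "VMware Tools": r"C:\Program Files\VMware\vmtoolsd.exe"},
    HKCU_RUN: {"Msn Messenger": r"C:\WINDOWS\system32\regsvr.exe"},
}
SAMPLE_SHELL = "Explorer.exe regsvr.exe"
SAMPLE_AT = "C:\\WINDOWS\\svchost .exe\nC:\\backup\\nightly.cmd"
```

On a real host the same functions can be fed the output of `reg query` and `at` exports; the benign control entry shows that ordinary Run values are not flagged.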