Worm.Autorun.WHG (Trojan.Autorun.AET)
SYMPTOMS: No obvious symptoms.

TECHNICAL DESCRIPTION: Autorun (or autoplay) is a feature of Microsoft Windows operating systems that dictates what action will be taken when a new drive is mounted or accessed. The structure of an autorun file usually includes information like the program that will be executed when the drive is mounted, accessed, etc. Autorun.inf will always be located inside the root directory of the medium, and whether the operating system will interpret it or not depends on some special registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun

More information about how autorun works can be found here.

This particular malware comes heavily obfuscated, containing large amounts of garbage, in order to make detection difficult. Its true purpose is however revealed by the following line:

shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

This means that whenever the drive is accessed, rundll32.exe (a system program) will load RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (a DLL) and call the exported function ahaezedrn. This DLL file is actually Win32.Worm.Downadup. Further information about Downadup (alias Kido or Conficker) can be found here.

Removal instructions: Autorun.inf files are not malicious by themselves and are usually created by other malware; therefore, simply deleting the file won't clean the actual infection. Please let BitDefender disinfect your files.

ANALYZED BY: Lutas Andrei Vlad, virus researcher
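The following is an added example, not part of the BitDefender entry above: a small autorun.inf parser that handles the obfuscation tricks the entry describes (mixed-case keys such as "shelLExECUte", garbage lines used as padding) and flags the kind of launch command quoted in the analysis (rundll32 loading a library with a non-.dll extension out of a RECYCLER directory). It also decodes the NoDriveTypeAutoRun bitmask, whose drive-type bits follow the GetDriveType values documented by Microsoft (0xFF disables autorun on every drive type). The sample autorun.inf is constructed here around the shellexecute line from the entry; the function names are my own.

```python
import re

# NoDriveTypeAutoRun is a bitmask indexed by Windows drive type (GetDriveType):
# bit set => autorun disabled for that type. 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown_reserved",
}

# Keys that legitimately appear in an [autorun] section; anything else is
# treated as padding/obfuscation noise. Launch keys are the ones that run code.
KNOWN_KEYS = {"open", "shellexecute", "icon", "label", "useautoplay", "action"}
LAUNCH_KEYS = {"open", "shellexecute"}

# rundll32 <library>,<export>  (case-insensitive, as the loader itself is)
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(.+?),\s*(\S+)$", re.IGNORECASE)

# Constructed sample: mixed-case keys, junk lines, and the shellexecute line
# quoted in the entry above.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
;zqx garbage 9913 padding
xKjq=ylxx
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
icOn=%SystemRoot%\system32\shell32.dll,4
"""


def decode_no_drive_type_autorun(value):
    """Return the drive types whose autorun is disabled by this registry value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def parse_autorun_inf(text):
    """Parse autorun.inf into {"sections": {section: {key: value}}, "noise": n}.

    Section and key names are lower-cased because Windows matches them
    case-insensitively, which is exactly what the mixed-case obfuscation relies on.
    """
    sections, noise, current = {}, 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            noise += 1  # junk that is not even key=value
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key not in KNOWN_KEYS and not key.startswith("shell\\"):
            noise += 1  # unrecognised key: padding or obfuscation
        sections[current][key] = value
    return {"sections": sections, "noise": noise}


def analyze_autorun(text):
    """Return launch commands and defender-oriented findings for an autorun.inf."""
    parsed = parse_autorun_inf(text)
    entries = parsed["sections"].get("autorun", {})
    launches, findings = [], []
    for key, value in entries.items():
        is_launch = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch:
            continue
        launches.append((key, value))
        match = RUNDLL32_RE.search(value)
        if match:
            library, export = match.group(1).strip(), match.group(2)
            findings.append(f"{key}: rundll32 loads {library} and calls export {export}")
            if not library.lower().endswith(".dll"):
                ext = library.rsplit(".", 1)[-1]
                findings.append(f"{key}: library has non-.dll extension ({ext})")
        if "recycler" in value.lower() or "$recycle.bin" in value.lower():
            findings.append(f"{key}: target lives under a recycle-bin directory")
    if parsed["noise"]:
        findings.append(f"{parsed['noise']} unrecognised line(s): possible padding")
    return {"launches": launches, "findings": findings, "noise": parsed["noise"]}


if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_AUTORUN_INF)["findings"]:
        print(finding)
    print("0xFF disables:", decode_no_drive_type_autorun(0xFF))
```

Running it on the constructed sample reports the rundll32 launch, the ".vmx" extension on what is really a DLL, the RECYCLER location, and the padding line; a benign autorun.inf that only sets an icon and label produces no findings. The bitmask decoder is useful when auditing the four registry values listed in the entry: anything other than the full 0xFF leaves some drive type able to run an autorun.inf.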