Win32.Worm.Autorun.TF

SYMPTOMS:

Presence of the following files (all hidden):
- NTDETECT.EXE inside root directory of every accesible drive
- autorun.inf, pointing to the file described above
- %system%\System.exe
- boot.ini.ini, inside root directory of system drive (usually C:)
Presence of the following registry key:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System, pointing to %system%\System.exe
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunBkp

TECHNICAL DESCRIPTION:

When first executed, the worm will perform the following modifications on the system:
- add the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System (that will point to %system%\system.exe) and
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunBkp
- create the file C:\boot.ini.ini (hidden), where it will write some info about the machine it has just infected
 (the name of the currently logged on user, date and time of the infection)
- make a copy of itself inside root directory of every drive as NTDETECT.EXE
- make a copy of itself inside %system% as System.exe, and continue execution from that new location
The new instance will run a separate thread that will perform the following actions, every 125 ms:
- rewrite the startup-registry key
- check if any of the malware files have been removed, in which case, it will simply re-create them
- make new copies of autorun.inf, boot.ini.ini and ntdetect.exe on every drive
- rewrite the registry keys with the following values:
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchHidden (new value = 0)
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchSlowFiles (new value = 0)
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchSystemDirs (new value = 0)
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden (new value = 1)
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt (new value = 1)
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden (new value = 0)
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden (new value = 1)

Also, while the worm is active, regedit and taskmanager can't be executed (the worm will kill any instance of these programs).
In order to do this, it will search windows that have the title Registry Editor or Windows Task Manager.
Also, when a window with the title Folder Options is opened, the worm will minimize it and change its title to Registry error!.

The malware has a tricky mechanism of restoring the system or to stop execution (perhaps remnants since its author debugged it). It works as follows: the worm will check if there is any window having the title "!     Exit". If it finds it, it will change its title to "Type Exit Password". It will then check if that window has changed its title to the "exit password", which is "M13Exit". Also, it can restore the system by removing its malware files and the registry keys it has created. The mechanism is similar to the one described above: it will check if there is any window with the title "!     Restore". If it finds one, it will change its title to "Type Restore Password" and it will wait until its title changes. It will then check the new title and see if it is the restore password ("M13Restore"), in which case, it will disinfect the entire system. Another "command" that it can interpret is "!    ShowUsers". If it finds a window with that title, it will generate a .html file that contains a list with the infected computers until that moment.

 

Note: %system% reffers to the system directory, usually C:\Windows\system32.

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Lutas Andrei Vlad, virus researcher