Worm.AutoIt.B
The following process is running: MsRun32.exe
The following files will be found on an infected computer:
%SYSTEMDIRECTORY%\MsRun32.exe (524 K)
%WINDIR%\MsRun32.exe (524 K)
%SYSTEMDIRECTORY%\autorun.ini with the following configuration:
[Autorun]
Open=MsRun32.exe
Shellexecute=MsRun32.exe
Shell\Open\command=MsRun32.exe
Shell=Open
The following registry entry will be found:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messengger" = %SYSTEMDIRECTORY%\MsRun32.exe
Please let BitDefender disinfect your files.
This worm is a compiled AutoIt script that carries a Word document icon in order to trick the user into running it.
If run, it will perform the following actions:
- creates the following copies of itself:
%SYSTEMDIRECTORY%\MsRun32.exe
%WINDIR%\MsRun32.exe
- adds/modifies the following registry keys:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = Explorer.exe MsRun32.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messengger" = C:\WINDOWS\system32\MsRun32.exe
- With these two entries it adds itself to startup.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = 1
"DisableTaskMgr" = 1
- These disable the Registry Editor and the Task Manager.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions" = 1
- This disables access to Tools | Folder Options in Windows Explorer.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
- This prevents hidden files from being shown in Windows Explorer, so the dropped copies stay out of sight.
- Spreads via shared drives by reading the values within the following registry subkey:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
"shared" = \True_Love.exe
It then copies itself to the root of each shared drive it finds under the name MsRun32 and copies autorun.ini alongside it.
It then copies itself as True_Love.exe to the last entry.
- creates a file named autorun.ini in %SYSTEMDIRECTORY% in order to spread itself on removable drives too (with the name True_Love.exe)
- kills processes with the following names:
"System Configuration"
"Registry"
"Windows Task"
"cmd.exe"
- spreads over Yahoo Messenger with the following messages:
"see this comedy joke click on this link http://tinyurl.com/2[...]5"
"Ha ha ha click on link to laugh ... http://tinyurl.com/2[...]5"
"what a joke ...... http://tinyurl.com/2[...]5"
"nice one see this .... http://tinyurl.com/2[...]5"
"what a joke .....click to see http://tinyurl.com/2[...]5"
"what a joke ...... http://tinyurl.com/2[...]5"
"nice to listen .......... http://tinyurl.com/2[...]5"
"what is this ? ......see http://tinyurl.com/2[...]5"
"i am busy you click on a link and see ... http://tinyurl.com/2[...]5"
"what is this ? ......see http://tinyurl.com/2[...]5"
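The autorun.ini entries and the registry tampering listed above are the indicators a defender would check for on a host. The following Python is an added example (not BitDefender's code) that parses autorun.ini text and evaluates a registry snapshot for exactly those indicators. The sample autorun.ini and the registry snapshot are constructed from the values on this page; the snapshot format (a dict of "HIVE\path" -> {value name: data}) is an assumption of this example, not a Windows API, so on a live system the snapshot would be filled from winreg or a collected hive.

```python
"""Detection helpers for the autorun.ini and registry indicators listed above.
Added example, not BitDefender's code. Sample inputs are constructed."""
import re

# Constructed sample: the autorun.ini content reported for this worm (raw string,
# so the backslashes in Shell\Open\command are literal).
SAMPLE_AUTORUN = r"""[Autorun]
Open=MsRun32.exe
Shellexecute=MsRun32.exe
Shell\Open\command=MsRun32.exe
Shell=Open
"""

# Constructed registry snapshot mirroring the entries listed on the page.
# Format is an assumption of this example: {"HIVE\path": {value_name: data}}.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "Explorer.exe MsRun32.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "MSN Messengger": r"C:\WINDOWS\system32\MsRun32.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableRegistryTools": 1, "DisableTaskMgr": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoFolderOptions": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL": {
        "CheckedValue": 0},
}


def parse_autorun(text):
    """Parse INI-style autorun text into {section: {key: value}}; section and
    key names are lower-cased so lookups are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


# Autorun keys that make Explorer launch a program from the drive root.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")
EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif)\b", re.I)


def autorun_findings(text):
    """Return (key, value) pairs from [autorun] that launch an executable,
    plus a rebound default verb ('Shell=...'), which the worm also sets."""
    autorun = parse_autorun(text).get("autorun", {})
    findings = [(k, autorun[k]) for k in LAUNCH_KEYS
                if k in autorun and EXECUTABLE_RE.search(autorun[k])]
    if autorun.get("shell"):
        findings.append(("shell", autorun["shell"]))
    return findings


# (key path, value name, data the worm writes) for the UI/policy tampering above.
POLICY_CHECKS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL",
     "CheckedValue", 0),
]
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")


def _values(snapshot, path):
    """Case-insensitive lookup of a key's values; empty dict if the key is absent."""
    return next((v for p, v in snapshot.items() if p.lower() == path.lower()), {})


def registry_findings(snapshot, dropper_name="MsRun32.exe"):
    """Return human-readable findings for the persistence and policy changes
    described above; an untouched snapshot yields an empty list."""
    findings = []
    for path, name, bad in POLICY_CHECKS:
        vals = {n.lower(): d for n, d in _values(snapshot, path).items()}
        if vals.get(name.lower()) == bad:
            findings.append(f"{name}={bad} under {path}")
    shell = _values(snapshot, WINLOGON).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is '{shell}' instead of 'Explorer.exe'")
    for run in RUN_KEYS:
        for name, data in _values(snapshot, run).items():
            if dropper_name.lower() in str(data).lower():
                findings.append(f"Run value '{name}' launches {data}")
    return findings


if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_AUTORUN) + registry_findings(SAMPLE_REGISTRY):
        print(f)
```

The Winlogon check flags any Shell value other than the default Explorer.exe rather than matching the worm's file name, so a renamed dropper appended the same way is still caught; the Run-key check is name-based and should be widened to "any entry pointing into %SYSTEMDIRECTORY% that is not a known product" when used beyond this one sample.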