
Trojan.AutoIt.TD

MEDIUM
MEDIUM
464 KB
(Worm:Win32/Sohonad, W32/YahLover.worm.gen, W32.Imaut.N)

Symptoms

The following files will be found on an infected computer:
    C:\Windows\RVHOST.exe
    C:\Windows\system32\RVHOST.exe

The following file will be found on infected removable storage devices:
     \New Folder.exe

Other symptoms: disabled Task Manager, disabled Registry Editor
 

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Roxana Gherle, virus researcher

Technical Description:

Trojan.AutoIt.TD is a compiled AutoIt script that uses a folder icon to entice the user into executing it. Upon execution it performs the following malicious actions:

- creates the following two copies of itself:
    C:\Windows\RVHOST.exe - with folder icon
    C:\Windows\system32\RVHOST.exe - hidden file

- adds the following registry keys in order to be run at every system startup:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Name: Yahoo Messengger
    Value: C:\Windows\system32\RVHOST.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Name: Shell
    Value: Explorer.exe RVHOST.exe

- spreads via Yahoo! Messenger by sending messages that entice users to click on the link http://nhattroun[removed].0catch.com

- deletes all scheduled tasks using the following command line:
    cmd.exe /C AT /delete /yes
and then creates its own scheduled task using the following command:
    cmd.exe /C AT 09.00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
which runs one of the copies of the malware every day at 9 am.
   
- tries to download the following files to the user's computer:
    http://nhatquan[removed].0catch.com/setting.nql
    http://nhatquan[removed].0catch.com/setting.xls
    http://www.freewebs.com/nhattroun[removed]/setting.nql
    http://www.freewebs.com/nhattroun[removed]/setting.xls    

- copies itself to all removable devices connected to the infected computer under the name \NewFolder.exe

- copies itself as a shared resource on the network and adds the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
    Name: shared
    Value: \NewFolder.exe

- modifies the following registry keys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions = 0x00000000 - disables access to Tools | Folder Options in Windows Explorer

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 0x00000001 - disables the Registry Editor
    DisableTaskMgr = 0x00000001 - disables Task Manager
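A read-only PowerShell check for the artifacts listed above, added here as an example and not part of the Bitdefender write-up. It assumes the default %SystemRoot% location for the dropped copies and the value names spelled as documented above; it only reports findings and removes nothing.

```powershell
# Added example (not from the Bitdefender write-up): read-only host check for the
# Trojan.AutoIt.TD artifacts described above. Run in an elevated PowerShell session.
$findings = @()

# Dropped copies (assumes the default %SystemRoot%, i.e. C:\Windows)
foreach ($p in "$env:SystemRoot\RVHOST.exe", "$env:SystemRoot\system32\RVHOST.exe") {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Autostart entries: Run value "Yahoo Messengger" and the Winlogon Shell value
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run.PSObject.Properties['Yahoo Messengger']) {
    $findings += "Run value 'Yahoo Messengger' = $($run.'Yahoo Messengger')"
}
$shell = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {   # the clean default is just explorer.exe
    $findings += "Winlogon Shell modified: '$shell'"
}

# Policy values used to hide Folder Options and disable regedit / Task Manager
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v) { $findings += "Policy $($c.Name) = $v under $($c.Path)" }
}

# WorkgroupCrawler share entry pointing at the worm copy
$share = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares' -ErrorAction SilentlyContinue).shared
if ($share) { $findings += "WorkgroupCrawler 'shared' value: $share" }

# Daily AT job that launches RVHOST.exe (legacy AT jobs are listed by schtasks)
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
$tasks | Where-Object { $_.'Task To Run' -match 'RVHOST\.exe' } | ForEach-Object {
    $findings += "Scheduled task runs RVHOST.exe: $($_.TaskName)"
}

if ($findings.Count -eq 0) { 'No Trojan.AutoIt.TD artifacts found.' } else { $findings }
```

If any line is reported, treat the host as infected and let the scanner disinfect it, since the Run and Winlogon entries will recreate the process on the next logon.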