
Trojan.AutoIt.TE

MEDIUM
MEDIUM
450KB
(Win32/YahLover.BP, Worm:Win32/Nugel.Q, W32.Imaut, Worm.Win32.Sohanad.NCB)

Symptoms

Presence of the following files:

  • %SystemDir%\scvhost.exe
  • %SystemDir%\blastclnnn.exe
  • %WinDir%\scvhost.exe
  • %WinDir%\hinhem.scr
  • New Folder.exe or scvhost.exe in the root of network shares or removable devices. In addition, every folder on those drives contains an executable with the same name as the folder.

Presence of the following registry modifications:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> Explorer.exe scvhost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger -> %SystemDir%\scvhost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions -> 1
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr -> 1
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools -> 1


The user cannot start Task Manager or Registry Editor and cannot open a new command prompt window.


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Andrea Takacs, virus researcher

Technical Description:

Trojan.AutoIt.TE is a compiled AutoIt script that carries a folder icon in order to trick the user into executing it. It spreads via Yahoo Messenger, removable drives and network shares.
    
When executed it will perform the following actions:
    
Creates copies of itself with the "read-only", "hidden" and "system" attributes set in:

  • %SystemDir%\scvhost.exe
  • %SystemDir%\blastclnnn.exe
  • %WinDir%\scvhost.exe
  • %WinDir%\hinhem.scr

    
Modifies the following registry values so that one of its copies runs at each Windows start:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> Explorer.exe scvhost.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger -> %SystemDir%\scvhost.exe

Disables the Tools -> Folder Options menu item in Windows Explorer by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions registry value to 1. The user therefore cannot change the "Show hidden files and folders" setting and cannot see the hidden copies of the trojan.
       
Disables Task Manager and Registry Editor by setting the following registry values to 1:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

Sets the HKLM\System\CurrentControlSet\Services\Schedule\AtTaskMaxHours registry value to 0, which removes the default timeout period for scheduled tasks. It then cancels all existing scheduled tasks and creates a new one that executes the copy created in %SystemDir%\blastclnnn.exe every day at 09:00.
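The following PowerShell script is an added triage example, not part of the BitDefender write-up, that checks a host for the file and registry indicators listed in the Symptoms section and in the persistence steps above (the Winlogon Shell value, the Run entry, the three policy values, AtTaskMaxHours and the daily blastclnnn.exe task). The indicator names and values are taken from this page; the script layout, the -Remediate switch and the "Fix" actions are the example's own choices. Run it as the affected user, because the policy and Run values live under HKCU, and as an administrator if you want the HKLM Shell value restored.

```powershell
# Added example, not part of the BitDefender write-up: triage a host for the
# Trojan.AutoIt.TE indicators listed above. Run as the affected user (the policy
# and Run values live under HKCU). Read-only unless -Remediate is supplied, and
# even then it only restores registry values; it never deletes files.
[CmdletBinding()]
param([switch]$Remediate)

$sysDir = [Environment]::GetFolderPath('System')    # %SystemDir%
$winDir = [Environment]::GetFolderPath('Windows')   # %WinDir%

# Dropped files named in the write-up (the copies carry hidden+system attributes).
$fileIocs = @(
    (Join-Path $sysDir 'scvhost.exe'),
    (Join-Path $sysDir 'blastclnnn.exe'),
    (Join-Path $sysDir 'autorun.ini'),
    (Join-Path $sysDir 'setting.ini'),
    (Join-Path $winDir 'scvhost.exe'),
    (Join-Path $winDir 'hinhem.scr')
)

# Registry indicators. Pattern is matched against the current value; Fix says how
# to restore it ('Set' to Clean, 'Remove' the value, or 'Report' only).
# The Fix/Clean choices are this example's assumptions, not from the write-up.
$regIocs = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';
       Name='Shell'; Pattern='scvhost'; Fix='Set'; Clean='explorer.exe' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';
       Name='Yahoo Messengger'; Pattern='.'; Fix='Remove' },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name='NofolderOptions'; Pattern='^1$'; Fix='Set'; Clean=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name='DisableTaskMgr'; Pattern='^1$'; Fix='Set'; Clean=0 },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name='DisableRegistryTools'; Pattern='^1$'; Fix='Set'; Clean=0 },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';
       Name='AtTaskMaxHours'; Pattern='^0$'; Fix='Report' }
)

$hits = New-Object System.Collections.Generic.List[string]

foreach ($f in $fileIocs) {
    # -Force is required, otherwise Get-Item skips hidden/system files.
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) { $hits.Add("FILE  $f  [$($item.Attributes)]") }
}

foreach ($r in $regIocs) {
    $props = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }              # key or value absent: clean
    $val = [string]$props.($r.Name)
    if ($val -notmatch $r.Pattern) { continue }
    $hits.Add("REG   $($r.Path)\$($r.Name) = '$val'")
    if (-not $Remediate) { continue }
    switch ($r.Fix) {
        'Set'    { Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Clean
                   $hits.Add("      -> reset to '$($r.Clean)'") }
        'Remove' { Remove-ItemProperty -Path $r.Path -Name $r.Name
                   $hits.Add("      -> removed") }
    }
}

# The daily 09:00 task that runs blastclnnn.exe. Get-ScheduledTask exists on
# Windows 8 / Server 2012 and later; on older hosts use: schtasks /query /v /fo LIST
try {
    foreach ($t in (Get-ScheduledTask -ErrorAction Stop)) {
        foreach ($a in $t.Actions) {
            if ("$($a.Execute)" -match 'blastclnnn') {
                $hits.Add("TASK  $($t.TaskName) -> $($a.Execute)")
            }
        }
    }
} catch { Write-Warning "Get-ScheduledTask unavailable: $($_.Exception.Message)" }

if ($hits.Count -eq 0) { 'No Trojan.AutoIt.TE indicators found.' } else { $hits }
```

Because the trojan closes cmd.exe and "Windows Task" windows and disables Task Manager, run this from a PowerShell console rather than cmd.exe; if the console itself is killed, boot into Safe Mode first. Restoring the registry values only regains control of the desktop; the dropped files and the scheduled task still need to be removed by the antivirus product.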
       
Creates the file %SystemDir%\autorun.ini with the following content:
        [Autorun]
        Open=scvhost.exe
        Shellexecute=scvhost.exe
        Shell\Open\command=scvhost.exe
        Shell=Open
This file is copied to removable devices and network shares, where it causes the malware to execute when the device or share is opened.
       
Downloads a file into %SystemDir%\setting.ini from one of the following addresses:

  • http://set[removed].9999mb.com/setting.doc
  • http://set[removed].9999mb.com/setting.xls
  • http://set[removed].yeahost.com/setting.doc
  • http://set[removed].yeahost.com/setting.xls
  • http://www.free[removed]/setting3/setting.doc
  • http://www.free[removed]/setting3/setting.xls

The downloaded file contains a URL and the names of 5 executables, which are downloaded and executed. At the time of writing, the URL was offline.
    
%SystemDir%\setting.ini also contains another URL and some messages in Vietnamese. The trojan searches for an open Yahoo Messenger window and sends the URL, a randomly chosen message from the downloaded ones and one of its copies to every person in the user's contact list.
    
It reads the value of the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared registry key to obtain the names of the shared drives. It then copies itself to the root of each shared drive as New Folder.exe. To be executed automatically when the network share is accessed, it copies the %SystemDir%\autorun.ini file to each shared drive as autorun.inf. It also searches for directories on the shared drives and copies itself into each directory as %DirectoryName%.exe.
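The script below is an added example, not part of the BitDefender write-up, that looks for the propagation artifacts described in the two paragraphs above on removable drives and network shares: an autorun.inf whose Open, Shellexecute or Shell\Open\command key launches an executable, New Folder.exe or scvhost.exe in the drive root, and a <DirName>.exe copy inside each directory. The drive enumeration, the -Roots and -Depth parameters and the function name are the example's own assumptions.

```powershell
# Added example, not part of the BitDefender write-up: scan removable drives and
# network shares for the propagation artifacts described above. Read-only: it
# reports, it does not delete. Requires PowerShell 5.0+ for Get-ChildItem -Depth.
param(
    [string[]]$Roots,        # e.g. 'E:\', '\\fileserver\public'; default: removable + network drives
    [int]$Depth = 3          # how deep to look for <DirName>.exe copies
)

if (-not $Roots) {
    # Win32_LogicalDisk DriveType 2 = removable, 4 = network.
    $Roots = Get-CimInstance Win32_LogicalDisk |
        Where-Object { $_.DriveType -in 2, 4 } |
        ForEach-Object { $_.DeviceID + '\' }
}

# Returns the targets an autorun.inf would start via any of the three keys the
# trojan writes (open, shellexecute, shell\open\command). Keys are case-insensitive.
function Get-AutorunLaunchTargets([string]$Path) {
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $Path -Force -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*(open|shellexecute|shell\\open\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2]
        }
    }
    return $targets
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Cannot reach $root"; continue }

    # autorun.inf copied from %SystemDir%\autorun.ini
    $inf = Join-Path $root 'autorun.inf'
    if ([IO.File]::Exists($inf)) {
        $launch = Get-AutorunLaunchTargets $inf
        if ($launch) { "AUTORUN  $inf launches: $($launch -join ', ')" }
    }

    # Root-level droppers named in the write-up ([IO.File]::Exists sees hidden files).
    foreach ($name in 'New Folder.exe', 'scvhost.exe') {
        $p = Join-Path $root $name
        if ([IO.File]::Exists($p)) { "DROPPER  $p" }
    }

    # Folder-named executable inside each directory (-Force so hidden dirs are walked).
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $twin = Join-Path $_.FullName ($_.Name + '.exe')
            if ([IO.File]::Exists($twin)) { "TWIN     $twin" }
        }
}
```

Run it with autorun disabled on the analysis machine (or with the drive mounted read-only), since merely opening an infected share in Explorer is what the autorun.inf relies on. The Test-Path check on the root is there because a stale WorkgroupCrawler entry may name a share that is no longer reachable.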
    
It searches for running instances of the BKAVPro antivirus, kills the process and deletes the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw.
        
It closes the following windows if they are open:

  • cmd.exe
  • mmc.exe
  • System Configuration
  • Windows Task
  • Registry

If it detects the presence of the FireLion anti-keylogger, it shuts down the system.