
Win32.Worm.Autorun.UB

LOW
LOW
24 KB
Aliases: Worm.Win32.AutoRun.aqpt, Worm:Win32/Emold.U

Symptoms

-presence of the file "C:\Windows\system32\logon.exe"
-presence of the registry value "Shell" under the key
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" set to "Explorer.exe logon.exe" (on a clean system this value is "explorer.exe" alone)

-presence of the files "autorun.exe" (copy of the malware) and "autorun.inf" on infected removable drives
 

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Roxana Gherle, virus researcher

Technical Description:

Upon execution this worm makes a copy of itself at "C:\Windows\system32\logon.exe".
It then sets the registry value "Shell" under the key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to "Explorer.exe logon.exe" (the clean default is "explorer.exe"),
so that Winlogon launches the malware alongside the normal shell at every user logon.

The worm then injects malicious code into the memory space of the "svchost.exe" and "explorer.exe" processes, after which it terminates its own process in order to hide its presence.


From the memory space of the "svchost.exe" process it performs the following malicious actions:
   - replaces a driver in "C:\Windows\system32\DRIVERS" (for example asyncmac.sys) with a malicious driver that can collect various system information and hook a set of important Windows API functions.
   - starts a service for the malicious driver and then hides its traces by putting the original clean driver file back on disk, so a file-integrity check of the driver after the service has started will not reveal the replacement.
   - sends the Windows Product ID of the infected machine to the address "http://myblogs.[removed]/news"
   - spreads to removable drives by copying itself as "autorun.exe" and creating an "autorun.inf" file whose [autorun] section contains the following commands, so that the worm is run automatically on any machine with AutoRun enabled to which the removable drive is connected (the "shell=Explore" line makes "Explore" the default verb, so opening the drive from Explorer runs the worm too):
     open=autorun.exe
     shellexecute=autorun.exe
     shell\Explore\command=autorun.exe
     shell\Open\command=autorun.exe
     shell=Explore
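As an added triage example, not Bitdefender's tooling and not code from the worm, the following Python covers both indicators described above: it parses a Winlogon "Shell" value and reports anything other than explorer.exe, and it parses an autorun.inf, lists every entry that launches a program, and flags the pattern in which every launch target is autorun.exe. The function names, the constructed sample autorun.inf contents, and the rule that any Shell entry besides explorer.exe counts as suspicious are assumptions of this example; the live-host checks in the main block use the standard winreg module and only run on Windows.

```python
"""Added example: offline triage for the two indicators described above.

Not Bitdefender's tooling or code from the worm. Assumptions (not from the
page): the function names, the constructed sample inputs, and the rule that
any Winlogon Shell entry other than explorer.exe counts as suspicious.
"""
from __future__ import annotations

import ntpath
import os
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"          # clean value of the "Shell" entry
DROPPER_NAME = "autorun.exe"            # name the worm uses on removable drives
EXEC_KEYS = ("open", "shellexecute")    # autorun.inf keys that launch a program


def parse_winlogon_shell(value: str) -> list[str]:
    """Split a Winlogon Shell value into the programs it names.

    Winlogon accepts a comma-separated list here; the worm's value
    "Explorer.exe logon.exe" is space-separated, so both separators are used.
    """
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def suspicious_shell_entries(value: str) -> list[str]:
    """Every program in the Shell value that is not explorer.exe."""
    return [p for p in parse_winlogon_shell(value)
            if ntpath.basename(p).lower() != DEFAULT_SHELL]


def parse_autorun_inf(text: str) -> dict[str, str]:
    """key=value pairs of the [autorun] section, keys lowercased.

    Hand-rolled instead of configparser so that indented lines, mixed-case
    section headers and ';' comments, all common in worm-written files, parse.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            entries[key.strip().lower()] = val.strip()
    return entries


def autorun_launch_targets(text: str) -> list[tuple[str, str]]:
    """(key, command) pairs that make Windows run something from the drive.

    Covers open=, shellexecute= and shell\\<verb>\\command=; a benign
    autorun.inf normally carries only icon= and label=.
    """
    hits = []
    for key, val in parse_autorun_inf(text).items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, val))
    return hits


def matches_autorun_ub(text: str) -> bool:
    """True when the file launches a program and every target is autorun.exe."""
    targets = autorun_launch_targets(text)
    return bool(targets) and all(
        ntpath.basename((cmd.split() or [""])[0]).lower() == DROPPER_NAME
        for _, cmd in targets)


# Constructed sample reproducing the autorun.inf described above; it is not a
# copy of a real worm file. The [AutoRun] header is where those keys live.
SAMPLE_AUTORUN_INF = "\n".join([
    "[AutoRun]",
    "open=autorun.exe",
    "shellexecute=autorun.exe",
    "shell\\Explore\\command=autorun.exe",
    "shell\\Open\\command=autorun.exe",
    "shell=Explore",
])
# Constructed benign file of the kind a vendor CD carries.
BENIGN_AUTORUN_INF = "[autorun]\nicon=setup.ico\nlabel=Vendor Tools\n"


def scan_removable_drive(root: str) -> list[tuple[str, str]]:
    """Read <root>\\autorun.inf if present and return its launch targets."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="latin-1", errors="replace") as fh:
        return autorun_launch_targets(fh.read())


if __name__ == "__main__":
    print("sample targets:", autorun_launch_targets(SAMPLE_AUTORUN_INF))
    print("Shell extras:", suspicious_shell_entries("Explorer.exe logon.exe"))
    if sys.platform == "win32":              # live checks only make sense on Windows
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            shell_value, _ = winreg.QueryValueEx(key, "Shell")
        print("live Shell extras:", suspicious_shell_entries(shell_value))
        dropper = os.path.join(os.environ["SystemRoot"], "system32", "logon.exe")
        print("logon.exe present:", os.path.isfile(dropper))
        for drive in sys.argv[1:]:              # e.g. E:\  F:\
            print(drive, scan_removable_drive(drive))
```

On a Windows host, run it as `python triage.py E:\ F:\` (hypothetical file name) to check the Winlogon value, the dropped file, and the autorun.inf on each listed drive; the parser functions work on any platform against a copied autorun.inf. Treat the Shell check as a first-pass indicator only: the page's worm also hides a driver in memory after restoring the clean file, which this on-disk check does not cover.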

From the memory space of the "explorer.exe" process the worm deletes the original file it was executed from, in order to clean its traces.