Full description

Virus:	TR/Autorun.27648
Date discovered:	19/05/2008
Type:	Trojan
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low to medium
Damage Potential:	Medium
Static file:	Yes
File size:	27648 Bytes
MD5 checksum:	25df082e988842e1604b5a893572a083
IVDF version:	7.00.04.62 - Monday, May 19, 2008

General Method of propagation:
   • Mapped network drives

Aliases:
   • Mcafee: W32/Autorun.worm.f
   • Kaspersky: Worm.Win32.AutoRun.cpi
   • F-Secure: Worm.Win32.AutoRun.cpi
   • Sophos: W32/Autorun-BC
   • Grisoft: Worm/Generic.FNV
   • Eset: Win32/AutoRun.GR
   • Bitdefender: Worm.Autorun.Delf.H

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Downloads files
   • Drops files
   • Lowers security settings
   • Registry modification

Files It copies itself to the following locations:
   • %WINDIR%\system.exe
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Explorer.exe
   • %drive%\auto.exe

The following files are created:

– %drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

It tries to download some files:

– The locations are the following:
   • http://72.232.108.82/~grimsby/**********/button1.jpg
   • http://72.232.108.82/~grimsby/**********/button1.pdf
   • http://72.232.108.82/~grimsby/**********/button1.png
   • http://72.232.141.84/~cgitnet/**********/ChangeLog.pdf
   • http://72.232.141.84/~cgitnet/**********/ChangeLog.png
   • http://72.232.141.84/~cgitnet/**********/ChangeLog.txt
   • http://72.232.208.150/~aryacdc/**********/toc.gif
   • http://72.232.208.150/~aryacdc/**********/toc.pdf
   • http://72.232.208.150/~aryacdc/**********/toc.png
   • http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.pdf
   • http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.png
   • http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.tpl
   • http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.pdf
   • http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.png
   • http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.tpl
At the time of writing this file was not online for further investigation.

It tries to executes the following file:

– Filename:
   • %PROGRAM FILES%\Internet Explorer\iexplore.exe
using the following command line arguments: http://70.86.197.82/~ohnishi/**********/test2.htm

Registry The following registry keys including all values and subkeys are removed:
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
   • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Bkav2006.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\IEProt.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdss.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsserv.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdagent.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\xcommsvr.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\livesrv.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\worm2007.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\PFW.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Kav.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVOL.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVFW.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TBMon.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kav32.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvwsc.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCAPP.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\EGHOST.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KRegEx.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kavsvc.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\VPTray.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RAVMON.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KavPFW.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SHSTAT.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TrojDie.kxp.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Iparmor.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MAILMON.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MCAGENT.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KAVPLUS.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Rtvscan.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Nvsvc32.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Kvsrvxp.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KpopMon.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RfwMain.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KWATCHUI.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MCVSESCN.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MSKAGENT.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kvolself.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVCenter.kxp.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kavstart.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RAVTIMER.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RRfwMain.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\FireTray.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UpdaterUI.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXp_1.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavService.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\icesword.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\cmd.exe]
   • Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\far.exe]
   • Debugger = system.exe

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • Shell = Explorer.exe
   • Userinit = %SYSDIR%\userinit.exe
   New value:
   • Shell = Explorer.exe, System
   • Userinit = %SYSDIR%\userinit.exe, System

– [HKCU\Software\Yahoo\pager\View\YMSGR_buzz]
   New value:
   • content url = http://clickmanu.com

– [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast]
   New value:
   • content url = http://clickmanu.com

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • DisableTaskMgr = 1
   • DisableRegistryTools = 1

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • DisableTaskMgr = 1
   • DisableRegistryTools = 1

Internet Explorer's start page:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • Start Page = %user defined settings%
   New value:
   • Start Page = http://clickmanu.com

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • NoDriveTypeAutoRun = dword:00000091
   • NoRun = 1
   • NoFolderOptions = 1

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • Hidden = 2
   • ShowSuperHidden = 0
   • HideFileExt = 1

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   New value:
   • CheckedValue = 0

– [HKCU\Software\Microsoft\Command Processor]
   New value:
   • EnableExtensions = 0

– [HKCU\Software\Microsoft\Internet Explorer\New Windows]
   New value:
   • PopupMgr = 0

Process termination Disallow run processes that contain one of the following strings in the filename:
   • Bkav2006.exe; IEProt.exe; bdss.exe; vsserv.exe; bdagent.exe;
      xcommsvr.exe; livesrv.exe; worm2007.exe; PFW.exe; Kav.exe; KVOL.exe;
      KVFW.exe; TBMon.exe; kav32.exe; kvwsc.exe; CCAPP.exe; EGHOST.exe;
      KRegEx.exe; kavsvc.exe; VPTray.exe; RAVMON.exe; KavPFW.exe;
      SHSTAT.exe; RavTask.exe; TrojDie.kxp.exe; Iparmor.exe; MAILMON.exe;
      MCAGENT.exe; KAVPLUS.exe; RavMonD.exe; Rtvscan.exe; Nvsvc32.exe;
      KVMonXP.exe; Kvsrvxp.exe; CCenter.exe; KpopMon.exe; RfwMain.exe;
      KWATCHUI.exe; MCVSESCN.exe; MSKAGENT.exe; kvolself.exe;
      KVCenter.kxp.exe; kavstart.exe; RAVTIMER.exe; RRfwMain.exe;
      FireTray.exe; UpdaterUI.exe; KVSrvXp_1.exe; RavService.exe;
      icesword.exe; cmd.exe; far.exe

List of services that are disabled:
   • sharedaccess; RsCCenter; RsRavMon; KVWSC; KVSrvXP; McAfeeFramework;
      McShield; McTaskManager; navapsvc; wscsvc; KPfwSvc; SNDSrvc; ccProxy;
      ccEvtMgr; ccSetMgr; SPBBCSvc; Symantec Core LC; NPFMntor; MskService;
      FireSvc

File details Programming language:
The malware program was written in Delphi.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

Description inserted by Andrei Gherman on Friday, June 13, 2008
Description updated by Andrei Gherman on Friday, June 13, 2008

Back . . . .