Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:22/10/2007
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:No
File size:~17.000 Bytes
IVDF version:

 General Method of propagation:
   • Mapped network drives

   •  Kaspersky: Worm.Win32.AutoRun.cxp
   •  F-Secure: Worm:W32/AutoRun.CX
   •  Grisoft: Downloader.Small.BYN
   •  Eset: Win32/TrojanDownloader.Flux.AC
   •  Bitdefender: Win32.Worm.Winko.I

Similar detection:
   •  Worm/Winko.I.%number%

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads files
   • Drops a malicious file
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\%several random digits%.EXE
   • %drive%\auto.exe

It deletes the initially executed copy of itself.

The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%SYSDIR%\C%several random digits%.dll Further investigation pointed out that this file is malware, too. Detected as: TR/Autorun.CA

It tries to download a file:

– The location is the following:
This file may contain further download locations and might serve as source for new threats.

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%]
   • Type = 10
   • Start = 2
   • ErrorControl = 1
   • ImagePath = %SYSDIR%\%several random digits%.EXE -k
   • DisplayName = %random character string%
   • ObjectName = LocalSystem
   • Description = C%several random digits%

– [HKLM\SYSTEM\CurrentControlSet\Services\
   %random character string%\Security]
   • Security = %hex values%

The following registry key including all values and subkeys is removed:
   • [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   New value:
   • CheckedValue = 0

– [HKLM\SOFTWARE\Microsoft\Windows NT]
   New value:
   • ReportBootOk= 1

– [HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
   New value:
   • DoReport = 0
   • ShowUI = 0

 Injection –  It injects the following file into a process: %SYSDIR%\C%several random digits%.dll

    All of the following processes:
   • explorer.exe
   • winlogon.exe
   • %all running processes%

   If successful, the malware process terminates while the injected part remains active.

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • Upack

Description inserted by Andrei Gherman on Monday, June 16, 2008
Description updated by Andrei Gherman on Thursday, June 19, 2008

Back . . . .