Virus: Worm/Winko.I
Date discovered: 22/10/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: No
File size: ~17,000 bytes
IVDF version: 7.00.00.117 - Monday, October 22, 2007
General

Method of propagation:
• Mapped network drives

Aliases:
• Kaspersky: Worm.Win32.AutoRun.cxp
• F-Secure: Worm:W32/AutoRun.CX
• Grisoft: Downloader.Small.BYN
• Eset: Win32/TrojanDownloader.Flux.AC
• Bitdefender: Win32.Worm.Winko.I

Similar detection:
• Worm/Winko.I.%number%

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads files
• Drops a malicious file
• Registry modification

Files

It copies itself to the following locations:
• %SYSDIR%\%several random digits%.EXE
• %drive%\auto.exe

It deletes the initially executed copy of itself.

The following files are created:
– %drive%\autorun.inf
  This is a plain text file, not executable code in itself, whose content makes Windows launch the dropped auto.exe when the drive is opened with AutoRun enabled; this is how the worm spreads over mapped network drives. Its content is:
  • %code that runs malware%
– %SYSDIR%\C%several random digits%.dll
  Further investigation showed that this file is malware, too. Detected as: TR/Autorun.CA

It tries to download a file:
– The location is the following:
  • http://33.xingaide8.cn/**********/update.txt
  This file may contain further download locations and might serve as a source for new threats.
Registry

The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\%random character string%]
  • Type = 10 (0x10, SERVICE_WIN32_OWN_PROCESS)
  • Start = 2 (SERVICE_AUTO_START)
  • ErrorControl = 1 (SERVICE_ERROR_NORMAL)
  • ImagePath = %SYSDIR%\%several random digits%.EXE -k
  • DisplayName = %random character string%
  • ObjectName = LocalSystem
  • Description = C%several random digits%
– [HKLM\SYSTEM\CurrentControlSet\Services\%random character string%\Security]
  • Security = %hex values%

The following registry key, including all values and subkeys, is removed:
• [HKLM\SYSTEM\CurrentControlSet\Services\ERSvc]
  This is the Windows Error Reporting service.

The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
  New value:
  • CheckedValue = 0
  With this value the "Show hidden files and folders" option in Explorer no longer takes effect, which keeps the dropped files out of sight.
– [HKLM\SOFTWARE\Microsoft\Windows NT]
  New value:
  • ReportBootOk = 1
– [HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
  New value:
  • DoReport = 0
  • ShowUI = 0
  Together with the removal of ERSvc this disables Windows error reporting.

Injection

It injects the following file into a process:
– %SYSDIR%\C%several random digits%.dll

Into all of the following processes:
• explorer.exe
• winlogon.exe
• %all running processes%

If successful, the malware process terminates while the injected part remains active.

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
• Upack
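As an added example, not part of the Avira description, the following Python script checks a registry export and an autorun.inf for the artifacts listed in the Files and Registry sections above. It keys on the documented pattern (an auto-start LocalSystem service whose ImagePath is <digits>.EXE -k, a missing ERSvc key, SHOWALL CheckedValue 0, DoReport and ShowUI 0, and a drive-root autorun.inf that references auto.exe) rather than on any particular random name. It assumes the standard .reg export format as written by reg.exe; the sample registry text and autorun.inf are constructed, the service name xkqzp and the digit string 48213 are hypothetical, and the autorun.inf directive names open= and shellexecute= are an assumption, since the page elides the file's content.

```python
"""Offline triage for the Worm/Winko.I host artifacts listed above. Added example, not code
from the original Avira description: parses a Windows .reg export plus the text of an
autorun.inf from a drive root and reports which of the documented indicators are present."""
import re
from typing import Dict, List, Tuple

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
ERR_REPORT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting"
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')
IMAGE_PATH_RE = re.compile(r"\\\d+\.EXE\s+-k$", re.IGNORECASE)  # %SYSDIR%\<digits>.EXE -k

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: raw value text}}; hex blobs split over lines are re-joined."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw_line in text.splitlines():
        line, pending = pending + raw_line.strip(), ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]  # value continues on the next line
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1) or "@"] = m.group(2)
    return keys

def decode_value(raw: str):
    """Decode quoted strings, dword: and hex(2): (REG_EXPAND_SZ, UTF-16LE); else return raw text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return raw

def autorun_directives(inf_text: str, target: str = "auto.exe") -> List[str]:
    """Names of the [autorun] directives whose value refers to `target` (directive names are
    an assumption: the original page elides the autorun.inf content)."""
    hits, in_autorun = [], False
    for line in inf_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_autorun = s.lower() == "[autorun]"
        elif in_autorun and "=" in s:
            name, value = s.split("=", 1)
            if target.lower() in value.lower():
                hits.append(name.strip().lower())
    return hits

def triage(reg_text: str, autorun_text: str = "") -> Dict[str, object]:
    keys = parse_reg_export(reg_text)
    upper = {k.upper(): v for k, v in keys.items()}  # registry paths are case-insensitive
    def dword(key, name, default):
        return decode_value(upper.get(key.upper(), {}).get(name, "dword:%08x" % default))
    # Auto-start LocalSystem service whose binary is <digits>.EXE -k (the dropped copy)
    services: List[Tuple[str, str]] = []
    for path, values in keys.items():
        name = path[len(SERVICES) + 1:]
        if not path.upper().startswith(SERVICES.upper() + "\\") or "\\" in name:
            continue  # not a service key, or a Security/Parameters subkey
        image = decode_value(values.get("ImagePath", '""'))
        if (isinstance(image, str) and IMAGE_PATH_RE.search(image)
                and decode_value(values.get("ObjectName", '""')) == "LocalSystem"
                and dword(path, "Start", 0) == 2):
            services.append((name, image))
    covers_services = any(k.upper().startswith(SERVICES.upper()) for k in keys)
    return {
        "suspicious_services": services,
        # ERSvc (Error Reporting service) deleted; meaningful only if the export covered Services
        "ersvc_missing": covers_services and (SERVICES + r"\ERSvc").upper() not in upper,
        # Explorer's "Show hidden files and folders" option neutralised
        "hidden_files_suppressed": dword(SHOWALL, "CheckedValue", 1) == 0,
        "error_reporting_disabled": dword(ERR_REPORT, "DoReport", 1) == 0 and dword(ERR_REPORT, "ShowUI", 1) == 0,
        "autorun_directives": autorun_directives(autorun_text),  # drive-root autorun.inf
    }

# Constructed sample: a Winko-style service (hypothetical name xkqzp, digits 48213) beside a
# legitimate one, two of the modified keys, and no ERSvc. ImagePath is REG_EXPAND_SZ -> hex(2).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqzp]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,34,00,38,00,32,00,\
  31,00,33,00,2e,00,45,00,58,00,45,00,20,00,2d,00,6b,00,00,00
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting]
"DoReport"=dword:00000000
"ShowUI"=dword:00000000
'''
SAMPLE_AUTORUN = "[autorun]\nopen=auto.exe\nshellexecute=auto.exe\nicon=setup.ico\n"
```

On a suspect host the inputs can be produced with reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg (and likewise for the two SOFTWARE keys) and by copying autorun.inf from each drive root; on a disk image the same text comes from the exported hives. triage(SAMPLE_REG, SAMPLE_AUTORUN) on the constructed sample reports the xkqzp service with its decoded ImagePath, the missing ERSvc, both suppressed settings and the two autorun directives, while the Spooler entry, also running as LocalSystem, is not reported. The ersvc_missing result is only meaningful when the export actually covers the Services key, which is why it is gated on covers_services.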
Description inserted by Andrei Gherman on Monday, June 16, 2008
Description updated by Andrei Gherman on Thursday, June 19, 2008