Virus: Worm/Autorun.cns.1
Date discovered: 17/03/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium to high
Static file: Yes
File size: 258,605 bytes
MD5 checksum: b72d63816a33badaa2e96c3ad4552640
VDF version: 7.00.03.30
IVDF version: 7.00.03.34 - Monday, March 17, 2008
General

Methods of propagation:
• Mapped network drives

Aliases:
• McAfee: W32/Autorun.worm.c
• Kaspersky: Worm.Win32.AutoRun.cns
• F-Secure: Worm.Win32.AutoRun.cns
• Eset: Win32/Autoit.CA
• Bitdefender: Trojan.Autorun.QN

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Drops files
• Lowers security settings
• Registry modification

Right after execution the following information is displayed:

Files

It copies itself to the following locations:
• %SYSDIR%\explorcr.exe
• %drive%\explorcr.exe

It deletes the following files:
• %WINDIR%\system.ini
• %WINDIR%\win.ini
• C:\ntldr
• %PROGRAM FILES%\ESET\nod32.exe
• %PROGRAM FILES%\ESET\nod32krn.exe
• %PROGRAM FILES%\ESET\nod32kui.exe
• %PROGRAM FILES%\Windows Media Player\wmplayer.exe

Note: C:\ntldr is the boot loader on Windows NT, 2000, XP and 2003; deleting it leaves the system unable to boot ("NTLDR is missing") until the file is restored from the installation media or a recovery console. Deleting the ESET binaries disables NOD32 on the host.

The following files are created:
– %WINDIR%\autorun.inf
This is a plain text file, not executable on its own, whose content launches the worm when the volume is opened with AutoRun enabled:
• %code that runs malware%
– %drive%\autorun.inf
This is a plain text file, not executable on its own, whose content launches the worm when the volume is opened with AutoRun enabled:
• %code that runs malware%

Registry

The following registry value is re-added in a continuous loop so that the process runs after reboot; deleting it while the worm is still running is therefore ineffective.
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "explorcr"="%SYSDIR%\explorcr.exe"

The following registry keys are changed:

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system]
Old value:
• DisableTaskMgr=dword:00000000
• DisableRegistryTools=dword:00000000
New value:
• DisableTaskMgr=dword:00000001
• DisableRegistryTools=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• NoDriveTypeAutoRun=dword:00000091
New value:
• NoDriveTypeAutoRun=dword:0000005b

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• NoFolderOptions=dword:00000000
New value:
• NoFolderOptions=dword:00000001

Note: NoDriveTypeAutoRun is a bitmask in which each set bit disables AutoRun for one drive type (0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM). Both 0x91 and 0x5b leave the removable-drive bit clear, so AutoRun stays active for the media the worm's %drive%\autorun.inf relies on. Setting the value to 0xFF disables AutoRun for all drive types.

Process termination

Active processes are searched for the following strings; matching processes are terminated:
• cmd.exe
• handydriver.exe
• kerneldrive.exe
• nod32krn.exe
• nod32kui.exe
• winsystem.exe
• Wscript.exe

Killing cmd.exe and Wscript.exe, combined with the DisableTaskMgr and DisableRegistryTools policies above, obstructs manual and scripted cleanup while the worm is running; inspection and removal are easier from a clean boot environment.

File details

Runtime packer: to hinder detection and reduce file size, it is packed with the following runtime packer:
• UPX

A sample packed with an unmodified UPX header can normally be unpacked with the UPX tool itself (upx -d) for static analysis.
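The following is an added example, not part of the original description, that decodes the NoDriveTypeAutoRun bitmask and checks a registry snapshot for the indicators listed above (the policy values the worm sets and the explorcr Run entry). The snapshot is a constructed dict standing in for values read from the registry, so the code runs on any platform; the expanded %SYSDIR% path C:\WINDOWS\system32 in the sample is an assumption.

```python
"""Decode NoDriveTypeAutoRun and match a registry snapshot against the
Worm/Autorun.cns.1 indicators in the description above.

Added example: the snapshots below are constructed, not captured data.
"""

# Bit n of NoDriveTypeAutoRun disables AutoRun for GetDriveType() value n;
# 0x80 is the extra "unknown" bit Microsoft documents alongside them.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved/unknown",
}


def autorun_disabled_types(mask):
    """Drive types for which AutoRun is disabled by this bitmask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def autorun_enabled_types(mask):
    """Drive types for which AutoRun is still active under this bitmask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


POLICIES_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system"
POLICIES_EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# "New value" column from the description: (key, value name) -> data the worm writes.
WORM_POLICY_INDICATORS = {
    (POLICIES_SYSTEM, "DisableTaskMgr"): 1,
    (POLICIES_SYSTEM, "DisableRegistryTools"): 1,
    (POLICIES_EXPLORER, "NoFolderOptions"): 1,
    (POLICIES_EXPLORER, "NoDriveTypeAutoRun"): 0x5B,
}


def check_snapshot(snapshot):
    """Return a list of indicator hits; snapshot maps (key, value_name) -> data."""
    findings = []
    for (key, name), bad in WORM_POLICY_INDICATORS.items():
        if snapshot.get((key, name)) == bad:
            findings.append(f"{key}\\{name} = {bad:#x}")
    # Any Run entry pointing at explorcr.exe, whatever the value is named.
    for (key, name), data in snapshot.items():
        if key == RUN_KEY and isinstance(data, str) and data.lower().endswith("\\explorcr.exe"):
            findings.append(f"{key}\\{name} -> {data}")
    return findings


# Constructed snapshots. %SYSDIR% expanded to C:\WINDOWS\system32 is an assumption.
INFECTED_SNAPSHOT = {
    (POLICIES_SYSTEM, "DisableTaskMgr"): 1,
    (POLICIES_SYSTEM, "DisableRegistryTools"): 1,
    (POLICIES_EXPLORER, "NoFolderOptions"): 1,
    (POLICIES_EXPLORER, "NoDriveTypeAutoRun"): 0x5B,
    (RUN_KEY, "explorcr"): r"C:\WINDOWS\system32\explorcr.exe",
}

CLEAN_SNAPSHOT = {
    (POLICIES_SYSTEM, "DisableTaskMgr"): 0,
    (POLICIES_SYSTEM, "DisableRegistryTools"): 0,
    (POLICIES_EXPLORER, "NoFolderOptions"): 0,
    (POLICIES_EXPLORER, "NoDriveTypeAutoRun"): 0x91,
}

if __name__ == "__main__":
    for mask in (0x91, 0x5B, 0xFF):
        print(f"{mask:#04x}: AutoRun still enabled for {autorun_enabled_types(mask)}")
    for hit in check_snapshot(INFECTED_SNAPSHOT):
        print("indicator:", hit)
    print("clean host findings:", check_snapshot(CLEAN_SNAPSHOT))
```

On a live Windows host the snapshot would be filled from winreg.QueryValueEx over the four keys named above; the matching logic is unchanged. The decoder makes the NoDriveTypeAutoRun point visible: both the old value 0x91 and the worm's 0x5b leave DRIVE_REMOVABLE enabled, and only 0xFF disables every type.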
Description inserted by Ana Maria Niculescu on Wednesday, July 30, 2008 Description updated by Andrei Gherman on Thursday, July 31, 2008