Virus: Worm/Autorun.apt
Date discovered: 09/09/2008
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 14,229 bytes
MD5 checksum: efd0575398fa48583d501fb6b9f7b2d3
IVDF version: 7.00.06.131 - Tuesday, September 9, 2008

General method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.Rispif.A
   •  Kaspersky: Worm.Win32.AutoRun.msz
   •  F-Secure: Worm.Win32.AutoRun.msz
   •  Bitdefender: Win32.Worm.Autorun.LW


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops a file
   • Drops a malicious file

Files:
It copies itself to the following locations:
   • %SYSDIR%\wuauclt.exe
   • %SYSDIR%\dllcache\wuauclt.exe
   • C:\LIS.PIF
Note that wuauclt.exe is the name of the genuine Windows Update client, and %SYSDIR%\dllcache is the cache Windows File Protection restores system files from. By overwriting both copies the worm ensures that a WFP "repair" puts the malicious file back; the name alone therefore proves nothing, and the file has to be checked by hash or signature.



The following files are created:

– c:\AUTORUN.INF
This is a plain text file (not executable by itself) with the following content:
   • %code that runs malware%

– %SYSDIR%\Drivers\beep.sys
This file is executed once it has been fully written. Further investigation showed that this file is malware, too. Detected as: TR/Rootkit.Gen
beep.sys is also the name of a legitimate Windows driver (the PC-speaker beep driver), so the malicious copy replaces the original. As with wuauclt.exe above, verify the file by hash or signature rather than by name.
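The description above does not reproduce the content of the dropped AUTORUN.INF beyond "%code that runs malware%". The following triage parser is an added example, not code from the original page or from Avira: it tolerates the junk lines real droppers pad their autorun.inf files with and lists every entry the Windows shell would execute. The sample file is constructed for the example, and the assumption that it points at the C:\LIS.PIF copy the worm drops next to it is this example's, not the page's.

```python
import re

# Extensions Windows will execute when named in an autorun.inf entry.
EXEC_EXTS = {"exe", "pif", "com", "scr", "bat", "cmd", "vbs", "js"}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$")

# Constructed sample. The page does not reproduce the worm's AUTORUN.INF;
# this layout, and the assumption that it points at the C:\LIS.PIF copy
# dropped next to it, are this example's, not the original description's.
SAMPLE_AUTORUN_INF = """
[AutoRun]
; junk lines like the next one are common in real droppers
xyz123=!@#$
open=LIS.PIF
shellexecute=LIS.PIF
shell\\open\\Command=LIS.PIF
shell\\explore\\Command=LIS.PIF
useautoplay=1
"""


def parse_autorun(text):
    """Return {section: {key: value}}, lower-casing section and key names and
    skipping comments, blank lines and lines that are not key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def launched_programs(sections):
    """(key, program) for every entry the shell would run: open,
    shellexecute and any shell\\<verb>\\command entry."""
    out = []
    for key, value in sections.get("autorun", {}).items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            # The first token is the program; the rest are its arguments.
            prog = value.strip().strip('"').split()[0] if value.strip() else ""
            out.append((key, prog))
    return out


def triage(text):
    """Findings for one autorun.inf: each entry that launches an executable,
    plus the useautoplay=1 flag that makes the launch happen without a prompt."""
    sections = parse_autorun(text)
    findings = []
    for key, prog in launched_programs(sections):
        ext = prog.rsplit(".", 1)[-1].lower() if "." in prog else ""
        if ext in EXEC_EXTS:
            findings.append(f"{key} launches executable {prog}")
    if sections.get("autorun", {}).get("useautoplay", "").strip() == "1":
        findings.append("useautoplay=1 (launch without AutoPlay prompt)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN_INF):
        print(finding)
```

The parser deliberately does not use configparser: real autorun.inf droppers repeat keys, mix case and insert garbage lines to break naive parsers, and the shell itself only cares about the handful of keys checked above.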




It tries to download some files. Note that every download is stored with a .pif extension: Windows treats .pif files as executables and Explorer always hides that extension, so the dropped files do not look like programs on disk.

– The location is the following:
   • http://m.c5x8.com/**********/10.exe
It is saved on the local hard drive under: C:\Documents and Settings\10.pif
This file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: DR/Agent.abpb.1

– The location is the following:
   • http://m.c5x8.com/**********/9.exe
It is saved on the local hard drive under: C:\Documents and Settings\9.pif
This file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: TR/Agent.AJVA.5

– The location is the following:
   • http://m.c5x8.com/**********/8.exe
It is saved on the local hard drive under: C:\Documents and Settings\8.pif
This file is executed after it has been fully downloaded. At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://m.c5x8.com/**********/7.exe
It is saved on the local hard drive under: C:\Documents and Settings\7.pif
This file is executed after it has been fully downloaded. At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://m.c5x8.com/**********/6.exe
It is saved on the local hard drive under: C:\Documents and Settings\6.pif
This file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: DR/BHO.agk

– The location is the following:
   • http://m.c5x8.com/**********/5.exe
It is saved on the local hard drive under: C:\Documents and Settings\5.pif
This file is executed after it has been fully downloaded. At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://m.c5x8.com/**********/4.exe
It is saved on the local hard drive under: C:\Documents and Settings\4.pif
This file is executed after it has been fully downloaded. At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://m.c5x8.com/**********/3.exe
It is saved on the local hard drive under: C:\Documents and Settings\3.pif
This file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.JKKF.16

– The location is the following:
   • http://m.c5x8.com/**********/2.exe
It is saved on the local hard drive under: C:\Documents and Settings\2.pif
This file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: DR/Cinmus.rrl

– The location is the following:
   • http://m.c5x8.com/**********/1.exe
It is saved on the local hard drive under: C:\Documents and Settings\1.pif
This file is executed after it has been fully downloaded. Further investigation showed that this file is malware, too. Detected as: TR/Crypt.XPACK.Gen

– The location is the following:
   • http://m.c5x8.com/**********/x.gif
It is saved on the local hard drive under: %PROGRAM FILES%\ee.pif
This file is executed after it has been fully downloaded. At the time of writing it was an updated version of the malware itself. The image-file name on the server is only a disguise; the content is a Windows executable.
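The file and download indicators in the two sections above can be turned into a host and proxy sweep. The script below is an added example, not part of the original description or of any Avira tool. It separates drop paths that have no legitimate use (C:\LIS.PIF, the numbered .pif files, ee.pif) from the names that collide with genuine Windows files (wuauclt.exe, beep.sys), which only produce a "verify" result unless the hash matches the sample's MD5. The Windows XP values for %SYSDIR% and %PROGRAM FILES%, the proxy log field order and the inventory entries are constructed assumptions of this example; the download URLs keep the masking the page applies to the path.

```python
import re
from urllib.parse import urlsplit

# --- Indicators transcribed from the description above ---------------------
# Assumption of this example: Windows XP defaults for the path placeholders.
SYSDIR = r"C:\WINDOWS\system32"
PROGRAM_FILES = r"C:\Program Files"
SAMPLE_MD5 = "efd0575398fa48583d501fb6b9f7b2d3"
DOWNLOAD_HOST = "m.c5x8.com"

# Paths with no legitimate reason to exist: presence alone is a hit.
DROP_PATHS = {
    r"c:\lis.pif",
    r"c:\autorun.inf",
    (PROGRAM_FILES + r"\ee.pif").lower(),
}
# Paths that collide with genuine Windows components (Windows Update client,
# the beep driver): presence proves nothing, so they only trigger a "verify"
# advisory unless the hash matches the sample.
MASQUERADE_PATHS = {
    (SYSDIR + r"\wuauclt.exe").lower(),
    (SYSDIR + r"\dllcache\wuauclt.exe").lower(),
    (SYSDIR + r"\drivers\beep.sys").lower(),
}
# 1.pif ... 10.pif written directly to the profile root (not into a profile).
PROFILE_PIF_RE = re.compile(r"^c:\\documents and settings\\\d+\.pif$")


def classify_file(path, md5=None):
    """Return (verdict, reasons) for one file-inventory entry.
    verdict is 'malicious', 'verify' or 'clean'."""
    p, reasons = path.lower(), []
    if md5 and md5.lower() == SAMPLE_MD5:
        reasons.append("MD5 matches the Worm/Autorun.apt sample")
    if p in DROP_PATHS:
        reasons.append("known drop path with no legitimate use")
    if PROFILE_PIF_RE.match(p):
        reasons.append("numbered .pif in profile root (downloader drop)")
    if p in MASQUERADE_PATHS:
        if reasons:
            reasons.append("overwrites a genuine Windows file")
        else:
            return "verify", ["name collides with a Windows component; check hash/signature"]
    return ("malicious", reasons) if reasons else ("clean", [])


def scan_proxy_log(lines):
    """Return [(client, url)] for requests to the worm's download host.
    Constructed log format assumed here: ts client method url status."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        host = (urlsplit(url).hostname or "").lower()
        if host == DOWNLOAD_HOST:
            hits.append((parts[1], url))
    return hits


# Constructed inventory and proxy lines so the example runs stand-alone.
INVENTORY = [
    (r"C:\WINDOWS\system32\wuauclt.exe", "efd0575398fa48583d501fb6b9f7b2d3"),
    (r"C:\WINDOWS\system32\Drivers\beep.sys", "0000000000000000000000000000dead"),
    (r"C:\LIS.PIF", None),
    (r"C:\Documents and Settings\10.pif", None),
    (r"C:\Documents and Settings\Admin\10.pif", None),  # inside a profile: no hit
    (r"C:\WINDOWS\notepad.exe", None),
]
PROXY_LOG = [
    "2008-09-09T10:00:01 10.0.0.5 GET http://m.c5x8.com/**********/10.exe 200",
    "2008-09-09T10:00:02 10.0.0.5 GET http://m.c5x8.com/**********/x.gif 200",
    "2008-09-09T10:00:03 10.0.0.7 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for path, md5 in INVENTORY:
        print(path, classify_file(path, md5))
    print(scan_proxy_log(PROXY_LOG))
```

On a real host the inventory would come from a directory walk with hashes computed from disk; the point of the split between DROP_PATHS and MASQUERADE_PATHS is that a clean machine also has a wuauclt.exe and a beep.sys, so flagging those by name alone would make every host look infected.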

Process termination:
List of processes that are terminated (besides security products this includes msconfig.EXE and Regedit.EXE, which hampers manual clean-up):
   • VsTskMgr.exe; Avp.EXE; AVP.COM; Iparmor.exe; KVWSC.EXE; kvsrvxp.exe;
      kvsrvxp.kxp; KvXP.kxp; KRegEx.exe; ANTIARP.exe; VPTRAY.exe; VPC32.exe;
      scan32.exe; KASARP.exe; nod32krn.exe; nod32kui.exe; TBMon.exe;
      rfwmain.exe; RavStub.exe; rfwstub.exe; rfwProxy.exe; rfwsrv.exe;
      UpdaterUI.exe; KPfwSvc; kwatch.exe; KAVPFW.EXE; kavstart.exe;
      kmailmon.exe; GFUpd.exe; Ravxp.exe; GuardField.exe; RAVMOND.EXE;
      RAVMON.EXE; CCenter.EXE; RAv.exe; Runiep.exe; ArSwp.EXE; SREngLdr.EXE;
      msconfig.EXE; rfwsrv.EXE; rfwProxy.EXE; rfwstub.EXE; RavStub.EXE;
      rfwmain.EXE; GFUpd.EXE; GuardField.EXE; Runiep.EXE; kavstart.EXE;
      kmailmon.EXE; kwatch.EXE; RAV.EXE; KASARP.EXE; ANTIARP.EXE;
      VPTRAY.EXE; VPC32.EXE; AutoRunKiller.EXE; Regedit.EXE;
      WOPTILITIES.EXE; Ast.EXE; Mmsk.EXE

Processes with one of the following strings are terminated:
   • Norton AntiVirus Server; McAfee Framework; Symantec AntiVirus
      Definition Watcher; Symantec AntiVirus Drivers Services; Symantec
      AntiVirus; worm; anti; virus; Firewall; Mcafee; NOD32; McShield
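The two kill lists above are a detection opportunity: a legitimate process rarely terminates several security tools in quick succession. The following detector is an added example, not code from the page or from Avira. It transcribes the image names and substrings listed above (case-folded, so the page's upper/lower-case duplicates collapse) and raises an alert when one source process terminates three or more distinct kill-list targets within sixty seconds. The event line format, the threshold and window, and the sample events are constructed assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill list transcribed from the description above (image names, case-folded).
KILL_NAMES = {n.lower() for n in """
VsTskMgr.exe Avp.EXE AVP.COM Iparmor.exe KVWSC.EXE kvsrvxp.exe kvsrvxp.kxp
KvXP.kxp KRegEx.exe ANTIARP.exe VPTRAY.exe VPC32.exe scan32.exe KASARP.exe
nod32krn.exe nod32kui.exe TBMon.exe rfwmain.exe RavStub.exe rfwstub.exe
rfwProxy.exe rfwsrv.exe UpdaterUI.exe KPfwSvc kwatch.exe KAVPFW.EXE
kavstart.exe kmailmon.exe GFUpd.exe Ravxp.exe GuardField.exe RAVMOND.EXE
RAVMON.EXE CCenter.EXE RAv.exe Runiep.exe ArSwp.EXE SREngLdr.EXE msconfig.EXE
AutoRunKiller.EXE Regedit.EXE WOPTILITIES.EXE Ast.EXE Mmsk.EXE
""".split()}
# Substrings the worm matches against process names.
KILL_SUBSTRINGS = [s.lower() for s in [
    "Norton AntiVirus Server", "McAfee Framework",
    "Symantec AntiVirus Definition Watcher", "Symantec AntiVirus Drivers Services",
    "Symantec AntiVirus", "worm", "anti", "virus", "Firewall", "Mcafee",
    "NOD32", "McShield",
]]

# Detection tuning: assumptions of this example, not values from the page.
WINDOW = timedelta(seconds=60)
THRESHOLD = 3


def is_kill_list_target(name):
    """True if the worm would terminate a process with this name."""
    n = name.lower()
    return n in KILL_NAMES or any(s in n for s in KILL_SUBSTRINGS)


def parse_event(line):
    """Constructed event format: ts|source_pid|source_image|action|target_image."""
    ts, pid, image, action, target = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), pid, image, action, target


def detect_kill_bursts(lines):
    """Return [(source_image, source_pid, [targets])] for every source process
    that terminates at least THRESHOLD distinct kill-list targets within WINDOW."""
    by_source = defaultdict(list)
    for line in lines:
        ts, pid, image, action, target = parse_event(line)
        if action == "terminate" and is_kill_list_target(target):
            by_source[(image, pid)].append((ts, target.lower()))
    alerts = []
    for (image, pid), events in by_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Sliding window anchored at each event; events are time-ordered.
            in_window = {tgt for ts, tgt in events[i:] if ts - t0 <= WINDOW}
            if len(in_window) >= THRESHOLD:
                alerts.append((image, pid, sorted(in_window)))
                break
    return alerts


# Constructed sample events: the worm's copy under the Windows Update client
# name kills four tools in two seconds; an admin closes two programs later.
SAMPLE_EVENTS = [
    "2008-09-09T10:00:00|1234|wuauclt.exe|terminate|avp.exe",
    "2008-09-09T10:00:01|1234|wuauclt.exe|terminate|nod32krn.exe",
    "2008-09-09T10:00:02|1234|wuauclt.exe|terminate|msconfig.exe",
    "2008-09-09T10:00:02|1234|wuauclt.exe|terminate|regedit.exe",
    "2008-09-09T10:05:00|777|taskmgr.exe|terminate|notepad.exe",
    "2008-09-09T10:06:00|777|taskmgr.exe|terminate|avp.exe",
]

if __name__ == "__main__":
    for image, pid, targets in detect_kill_bursts(SAMPLE_EVENTS):
        print(f"ALERT {image} (pid {pid}) killed {', '.join(targets)}")
```

The substring entries "anti" and "virus" are broad on purpose: that is the worm's own matching, so the detector inherits it, and the distinct-target threshold is what keeps an administrator who closes one antivirus console from triggering an alert.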


File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Thomas Wegele on Wednesday, September 10, 2008
Description updated by Thomas Wegele on Thursday, September 11, 2008
