Virus: Worm/Autorun.56832
Type: Worm
In the wild: No
Reported Infections: Medium to high
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 56,832 bytes
MD5 checksum: 79fa1117ce826e75b0f25dbc87eb4a73
IVDF version: 7.00.03.105 - Wednesday, April 2, 2008
General
Methods of propagation:
• No own spreading routine
• Mapped network drives

Aliases:
• Kaspersky: Worm.Win32.AutoRun.dgb
• F-Secure: Worm.Win32.AutoRun.dgb
• Sophos: Mal/Generic-A
• Bitdefender: Trojan.Agent.AHUY

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Windows CE

Side effects:
• Drops files
• Registry modification
• Makes use of software vulnerability

Files
It copies itself to the following locations. The copies inside %sysdir% reuse the names of core Windows processes (csrss.exe, smss.exe, lsass.exe, services.exe, winlogon.exe), so they must be told apart from the real ones by their path, not by their name:
• %sysdir%\~A~m~B~u~R~a~D~u~L~²\csrss.exe
• %sysdir%\~A~m~B~u~R~a~D~u~L~²\smss.exe
• %sysdir%\~A~m~B~u~R~a~D~u~L~²\lsass.exe
• %sysdir%\~A~m~B~u~R~a~D~u~L~²\services.exe
• %sysdir%\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
• %sysdir%\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
• C:\MyImages.exe
• C:\J3MbataN K4HaYan.exe
• C:\PaLMa.exe
• C:\Friendster Community.exe
• C:\FoToKu 1-4-2008.exe
• C:\Images\MalAm MinGGuan.exe
• C:\Images\_PAlbTN\Ke.. TaUan N90C0k.exe
• C:\Images\M0D3L_P4ray_ 2008.exe
• C:\Images\Ce_Pen9God4.exe
• C:\Images\_PAlbTN\PraPtih G4diEs PuJAAnku.exe
• C:\Images\J34ñNy_Mö3tZ_CuTE.exe
• C:\Images\NonKroNG DJem8ataN K4H4yan.exe
• C:\Images\_PAlbTN\SirKuit BaLi SmunZa.exe
• C:\Images\TrenD 9aya RAm8ut 2008.exe
• C:\Images\_PAlbTN\Ma5tURbas1 XL1M4xs.exe
• D:\MyImages.exe
• D:\J3MbataN K4HaYan.exe
• D:\PaLMa.exe
• D:\Friendster Community.exe
• D:\FoToKu 1-4-2008.exe
• D:\Images\MalAm MinGGuan.exe
• D:\Images\_PAlbTN\Ke.. TaUan N90C0k.exe
• D:\Images\NonKroNG DJem8ataN K4H4yan.exe
• D:\Images\_PAlbTN\SirKuit BaLi SmunZa.exe
• D:\Images\J34ñNy_Mö3tZ_CuTE.exe
• D:\Images\TrenD 9aya RAm8ut 2008.exe
• D:\Images\_PAlbTN\Ma5tURbas1 XL1M4xs.exe
• D:\Images\M0D3L_P4ray_ 2008.exe
• D:\Images\Ce_Pen9God4.exe
• D:\Images\_PAlbTN\PraPtih G4diEs PuJAAnku.exe

The following files are created:
– C:\Autorun.inf
This is a plain text file that is not malicious on its own; its AutoRun directives start the worm when the drive is opened on a system with AutoRun enabled. Its content is:
• %code that runs malware%
– D:\Autorun.inf
This is a plain text file that is not malicious on its own; its AutoRun directives start the worm when the drive is opened on a system with AutoRun enabled. Its content is:
• %code that runs malware%
– %sysdir%\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
This is the Microsoft Visual Basic 6 runtime library; dropping it next to the copies lets them run on systems where it is not already installed.

Registry
The following registry keys are added in order to run the processes after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpDaTer
• "%SYSDIR%\~A~m~B~u~R~a~D~u~L~²\csrss.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate
• "%SYSDIR%\~A~m~B~u~R~a~D~u~L~²\smss.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis
• "%SYSDIR%\~A~m~B~u~R~a~D~u~L~²\lsass.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep
• "%SYSDIR%\~A~m~B~u~R~a~D~u~L~²\services.exe"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector
• "%SYSDIR%\~A~m~B~u~R~a~D~u~L~²\winlogon.exe"

The following registry keys are added. Each Image File Execution Options "Debugger" value makes Windows start the named program instead of the image, with the image's own command line appended. "cmd.exe /c del" therefore deletes the tool the user tried to launch (the Indonesian anti-virus tools AnSav and PCMAV, Process Explorer, generic installers and several other worms' file names), while "rundll32.exe" simply swallows the launch, so cmd.exe, mmc.exe, msconfig.exe, msiexec.exe, rstrui.exe, taskkill.exe, tasklist.exe and wscript.exe no longer start:
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger
• "rundll32.exe"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger
• "rundll32.exe"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger
• "rundll32.exe"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger
• "rundll32.exe"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger
• "rundll32.exe"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger
• "cmd.exe /c del"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger
• "rundll32.exe"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger
• "rundll32.exe"
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger
• "rundll32.exe"

The following policy values are set; together they disable Windows Installer, the Registry Editor and System Restore (both the configuration page and the service), which removes the usual ways of undoing the changes above:
– HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI
• 0x00000001
– HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
• 0x00000001
– HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
• 0x00000001
– HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
• 0x00000001

Network Infection
Exploit:
It makes use of the following exploit:
– MS04-011 (LSASS vulnerability)

File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX 2.90 LZMA
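The following PowerShell script is an added triage example; it is not part of this description and not a tool from any vendor. It audits a live host for the artifacts the description lists (processes running from the dropped folder, the IFEO "Debugger" hijacks, the Run values, the policy values, autorun.inf files on drive roots, and copies of the worm at the roots and under \Images), and with -Remediate removes what it finds. The dropped-folder name, the Run value names, the hijacked image names, the policy values, the sample MD5 and the 56,832-byte size are taken from the description; the script layout, the -Remediate switch, the patterns used to recognise the two debugger payloads, and the assumption that the copies on disk are byte-identical to the analysed sample are this example's own. It assumes an NT-family Windows where %sysdir% is System32 and Windows PowerShell 4 or later (for Get-FileHash).

```powershell
# Added triage/cleanup example for a host suspected of carrying Worm/Autorun.56832.
# Not part of the description above. Run elevated from powershell.exe: the worm's
# IFEO entries block cmd.exe, taskkill.exe and tasklist.exe, but not PowerShell.
# Save as UTF-8 with BOM so the "²" in the folder name is read correctly.
param([switch]$Remediate)

$ifeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wormDir   = Join-Path $env:SystemRoot 'System32\~A~m~B~u~R~a~D~u~L~²'   # assumes %sysdir% = System32
$sampleMd5 = '79fa1117ce826e75b0f25dbc87eb4a73'                           # MD5 from the description
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Processes started from the dropped folder. Their names mimic csrss.exe, lsass.exe
#    and friends, so match on the image path rather than the process name.
Get-Process | Where-Object { $_.Path -and ($_.Path -like "$wormDir\*") } | ForEach-Object {
    $findings.Add("Process: PID $($_.Id) $($_.Path)")
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 2. IFEO Debugger values. Windows launches the named debugger instead of the image and
#    appends the original command line: "cmd.exe /c del" deletes the launched tool,
#    "rundll32.exe" swallows the launch. Only those two payloads are removed; any other
#    debugger (e.g. a real JIT debugger) is listed for manual review.
Get-ChildItem -LiteralPath $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath).Debugger
    if (-not $dbg) { return }
    if ($dbg -match '/c\s+del\s*$' -or $dbg -match '^\s*"?rundll32\.exe"?\s*$') {
        $findings.Add("IFEO hijack: $($_.PSChildName) -> $dbg")
        if ($Remediate) { Remove-ItemProperty -LiteralPath $_.PSPath -Name Debugger }
    } else {
        $findings.Add("IFEO debugger (review manually): $($_.PSChildName) -> $dbg")
    }
}

# 3. Run values pointing into the dropped folder (UpDaTer, WinDOwsUPdate, ...).
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }            # provider metadata, not registry values
    if ("$($p.Value)" -like '*~A~m~B~u~R~a~D~u~L~*') {
        $findings.Add("Run value: $($p.Name) = $($p.Value)")
        if ($Remediate) { Remove-ItemProperty -LiteralPath $runKey -Name $p.Name }
    }
}

# 4. Policy values that lock out regedit, Windows Installer and System Restore. The
#    description lists the registry-tools policy under HKU\...; HKCU: covers only the
#    logged-on user, so repeat the check under Registry::HKEY_USERS for other hives.
$policies = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';             Name = 'DisableMSI' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableConfig' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
)
foreach ($pol in $policies) {
    $v = (Get-ItemProperty -LiteralPath $pol.Key -Name $pol.Name -ErrorAction SilentlyContinue).($pol.Name)
    if ($v -eq 1) {
        $findings.Add("Policy: $($pol.Key)\$($pol.Name) = 1")
        if ($Remediate) { Remove-ItemProperty -LiteralPath $pol.Key -Name $pol.Name }
    }
}

# 5. The dropped folder itself (hash every file so the report can be compared later).
if (Test-Path -LiteralPath $wormDir) {
    Get-ChildItem -LiteralPath $wormDir -File -Force | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
        $findings.Add("Dropped file: $($_.FullName) ($($_.Length) bytes, MD5 $h)")
    }
    if ($Remediate) { Remove-Item -LiteralPath $wormDir -Recurse -Force }
}

# 6. autorun.inf and worm copies on every drive root and under \Images (the description
#    names C:\ and D:\ only; the worm may have reached other drives). Copies are assumed
#    to be byte-identical to the sample, so size and MD5 are compared to the description.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $root = $_.Root
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings.Add("autorun.inf on ${root}:")
        Get-Content -LiteralPath $inf | ForEach-Object { $findings.Add("    $_") }
        if ($Remediate) { Remove-Item -LiteralPath $inf -Force }
    }
    foreach ($dir in @($root, (Join-Path $root 'Images'), (Join-Path $root 'Images\_PAlbTN'))) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq 56832 } | ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
                if ($h -eq $sampleMd5) {
                    $findings.Add("Worm copy: $($_.FullName)")
                    if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
                }
            }
    }
}

if ($findings.Count -eq 0) { 'No Worm/Autorun.56832 artifacts found.' } else { $findings }
```

Run it once without -Remediate and keep the output as the incident record, then run it again with -Remediate. Reading autorun.inf with Get-Content does not trigger AutoRun (that is Explorer's drive-open handling), so step 6 is safe to run while the infected drives are mounted. Because step 2 removes only Debugger values carrying the two payloads from the description, a legitimate debugger registered under IFEO survives the cleanup and is reported for a human to judge. The copies dropped with names not in the description's list (if any) are not covered; compare the size and MD5 reported here against any other suspicious executable.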
Description inserted by Irina Diaconescu on Friday, April 18, 2008 Description updated by Irina Diaconescu on Wednesday, April 23, 2008