Virus: Worm/Autorun.ZZA
Date discovered: 24/07/2009
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 282.565 Bytes
MD5 checksum: ea072faa2d9596905c94c2effe952c5b
IVDF version: 7.01.05.28 - Friday, July 24, 2009
General
Method of propagation:
• Autorun feature

Aliases:
• Mcafee: W32/Autorun.worm.c virus
• Sophos: W32/Autoit-GH
• Eset: Win32/AutoRun.Autoit.BU
• Bitdefender: Win32.Worm.Autoit.DK

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Drops malicious files
• Lowers security settings
• Registry modification

Files
It copies itself to the following locations:
• %HOME%\Start Menu\Programs\Startup\sndvol32.exe
• %TEMPDIR%\svchost.com
• %HOME%\Templates\cache\vmx.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\sndvol32.exe
• %SYSDIR%\fdisk.com
• %drive%\Thumbs.db

The following files are created:
– %HOME%\Templates\cache\desktop.ini
– %HOME%\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini
– %drive%\autorun.inf
  This is a non-malicious text file with the following content:
  • %code that runs malware%
– %TEMPDIR%\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini
– %recycle bin%\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini
– %recycle bin%\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\temp.db
– %HOME%\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\temp.db
– %HOME%\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\tmp.db
– %recycle bin%\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\tmp.db
– %TEMPDIR%\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\tmp.db
– %TEMPDIR%\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\temp.db

It tries to download some files:
– The location is the following:
  • http://https.ath.cx/Files/**********
  At the time of writing this file was not online for further investigation.
– The location is the following:
  • http://https.ath.cx/Files/**********
  At the time of writing this file was not online for further investigation.
– The location is the following:
  • http://neothedm.isa-geek.org/Files/**********
  At the time of writing this file was not online for further investigation.
– The location is the following:
  • http://neothedm.isa-geek.org/**********
  At the time of writing this file was not online for further investigation.

Registry
One of the following values is added to each of these registry keys so that the dropped processes run again after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "HotKey"="%HOME%\Templates\cache\vmx.exe"
  • "User Agent"="%TEMPDIR%\svchost.com"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "HotKey"="%HOME%\Templates\cache\vmx.exe"
  • "User Agent"="%SYSDIR%\fdisk.com"

The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Policies\Microsoft\Windows\System]
  • "DisableGPO"=dword:0x00000001
– [HKCU\Software\vlad]
  • "iminf"="2.0.0.2"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
  • "debugger"="notepad"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  • "DisableRegistryTools"=dword:0x00000001
  • "DisableTaskMgr"=dword:0x00000001
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe]
  • "debugger"="notepad"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe]
  • "debugger"="notepad"

The following registry keys are changed:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  New value:
  • "GlobalUserOffline"=dword:0x00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  New value:
  • "Hidden"=dword:0x00000002
  • "HideFileExt"=dword:0x00000002
  • "ShowSuperHidden"=dword:0x00000000
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  New value:
  • "Shell"="explorer.exe %SYSDIR%\fdisk.com"
  • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\fdisk.com"
– [HKCU\Software\Microsoft\Windows\CurrentVersion]
  New value:
  • "LocalProxy"="-1"
– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
  New value:
  • "load"="%TEMPDIR%\svchost.com"
  • "run"="%TEMPDIR%\svchost.com"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  New value:
  • "NofolderOptions"=dword:0x00000001

File details
Runtime packer: To hinder detection and reduce the file size, it is packed with a runtime packer.
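A "debugger" value under an Image File Execution Options subkey makes Windows start that program in place of the named executable, so with notepad as the debugger the listed security tools and the regedit, msconfig and mmc utilities open in Notepad instead of running. The read-only audit script below is an added example, not part of this description, and checks a host for the IFEO hijacks, autostart entries and policy lockouts described above; it assumes an elevated PowerShell session so the HKLM keys can be read.

```powershell
# Added audit script (not from the original description). Read-only: reports, never modifies.
$findings = @()

# 1. IFEO "debugger" hijacks: any subkey with a Debugger value redirects that program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{ Check = 'IFEO debugger'; Location = $_.PSChildName; Value = $dbg }
    }
}

# 2. Run / load / run / Winlogon values that relaunch the dropped copies after reboot.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# File names dropped by this worm (taken from the description above). svchost.com and
# fdisk.com are .com files named after system binaries; vmx.exe lives under Templates\cache.
$suspectPattern = 'svchost\.com|fdisk\.com|vmx\.exe|sndvol32\.exe'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        if ("$($p.Value)" -match $suspectPattern) {
            $findings += [pscustomobject]@{ Check = 'Autostart'; Location = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

# 3. Policy values the worm sets to lock the user out of Task Manager, Registry Editor,
#    Folder Options and Group Policy processing.
$policyChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableRegistryTools', 'DisableTaskMgr'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NofolderOptions'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'                 = 'DisableGPO'
}
foreach ($key in $policyChecks.Keys) {
    foreach ($name in $policyChecks[$key]) {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) {
            $findings += [pscustomobject]@{ Check = 'Policy lockout'; Location = "$key\$name"; Value = $v }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No indicators of Worm/Autorun.ZZA found.' }
```

Any IFEO entry whose debugger is not a real debugger is worth reviewing even if the target name is not in this description, since the technique is not specific to this family.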
Description inserted by Petre Galan on Monday, December 14, 2009
Description updated by Petre Galan on Monday, December 14, 2009