Virus:Worm/Autorun.zvm
Date discovered:11/02/2009
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:24.660 Bytes
MD5 checksum:2b52021892bbcf14e2f672787eab388f
IVDF version:7.01.02.09 - Wednesday, February 11, 2009

 General Method of propagation:
   • Autorun feature


Aliases:
   •  Mcafee: W32/Autorun.worm.ex
   •  Panda: W32/Autorun.IST.worm
   •  Eset: Win32/AutoRun.Agent.JA
   •  Bitdefender: Trojan.Agent.AMQN


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Blocks access to security websites
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %drive%\recycle.{%CLSID%}\ini.exe



It copies itself to the following location. This file has random bytes appended so it may differ from the original one:
   • %WINDIR%\ini\ini.exe



It overwrites a file.
%SYSDIR%\drivers\etc\hosts



The following files are created:

%WINDIR%\ini\desktop.ini
%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%PROGRAM FILES%\Common Files\Microsoft Shared\MSInfo\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\Web Folders\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%WINDIR%\Tasks\ Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.zvm

%WINDIR%\ini\shit.vbs Further investigation pointed out that this file is malware, too. Detected as: TR/Script.11167

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\admcgi\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\TextConv\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\VGX\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\bin\1033\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\bots\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\DAO\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\servsupp\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\admisapi\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\Stationery\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\isapi\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\bin\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\Triedit\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%WINDIR%\ini\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\Speech\1033\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\Speech\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc

%PROGRAM FILES%\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts\wsock32.dll Further investigation pointed out that this file is malware, too. Detected as: Worm/Autorun.nvc




It tries to download some files:

– The location is the following:
   • http://w.wonthe.cn/**********
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://w.ssddffgg.cn/d5/**********?mac=YHhYzoFSpF&ver=1.3
At the time of writing this file was not online for further investigation.

 Registry –  [HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
   • ActiveDebugging
   • DisplayLogo
   • SilentTerminate
   • UseWINSAFER



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}]
   • "@"="windir"
   • "stubpath"=hex:25,77,69,6E,64,69,72,25,5C,69,6E,69,5C,73,68,69,74,2E,76,62,73,00

 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains is effectively blocked:
   • 127.0.0.1 www.360.cn; 127.0.0.1 www.360safe.cn; 127.0.0.1
      www.360safe.com; 127.0.0.1 www.chinakv.com; 127.0.0.1
      www.rising.com.cn; 127.0.0.1 rising.com.cn; 127.0.0.1 dl.jiangmin.com;
      127.0.0.1 jiangmin.com; 127.0.0.1 www.jiangmin.com; 203.208.37.99
      www.duba.net; 127.0.0.1 www.eset.com.cn; 127.0.0.1 www.nod32.com;
      203.208.37.99 shadu.duba.net; 203.208.37.99 union.kingsoft.com;
      127.0.0.1 www.kaspersky.com.cn; 127.0.0.1 kaspersky.com.cn; 127.0.0.1
      virustotal.com; 127.0.0.1 www.kaspersky.com; 127.0.0.1 60.210.176.251;
      127.0.0.1 www.cnnod32.cn; 127.0.0.1 www.lanniao.org; 127.0.0.1
      www.nod32club.com; 127.0.0.1 www.dswlab.com; 127.0.0.1 bbs.sucop.com;
      127.0.0.1 www.virustotal.com; 127.0.0.1 tool.ikaka.com; 127.0.0.0
      360.qihoo.com; 127.0.0.1 qihoo.com; 127.0.0.1 www.qihoo.com; 127.0.0.1
      www.qihoo.cn; 127.0.0.1 124.40.51.17; 127.0.0.1 58.17.236.92


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, February 25, 2010
Description updated by Petre Galan on Friday, February 26, 2010

Back . . . .
 
 
 
 

© 2013 Avira Operations GmbH & Co. KG. All rights reserved.

My Account

https:// This window is encrypted for your security.