Virus: Worm/AutoIt.YH
Date discovered: 18/08/2010
Type: Worm
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 641.728 Bytes
MD5 checksum: a52344dbf51069a071bd6cf719ff8ddf
IVDF version: 7.10.10.208 - Wednesday, August 18, 2010
General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Worm.Win32.AutoIt.yh
• Avast: AutoIt:Balero-C
• Panda: Trj/CI.A
• DrWeb: Win32.HLLW.Autoruner.based
• Ikarus: Worm.Win32.AutoIt

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7

Side effects:
• Drops files
• Drops malicious files
• Lowers security settings
• Registry modification

Files

It copies itself to the following locations:
• %SYSDIR%\csrcs.exe
• %SYSDIR%\%random character string%.exe
• c:\%current directory%\%random character string%.exe

It deletes the initially executed copy of itself.

The following files are created:
– Temporary files that might be deleted afterwards:
• %TEMPDIR%\aut1.tmp
• %TEMPDIR%\%random character string%
• %TEMPDIR%\aut2.tmp
• %TEMPDIR%\%random character string%
– c:\%current directory%\s.cmd
Furthermore, it gets executed after it has been fully created. This is a non-malicious text file that contains information about the program itself.

It tries to download some files:
– The location is the following:
• http://fl**********.exe
It is saved on the local hard drive under: %SYSDIR%\RegShellSM.exe
Furthermore, this file gets executed after it has been fully downloaded.
– The location is the following:
• http://9**********.exe
It is saved on the local hard drive under: %SYSDIR%\ip.exe
Furthermore, this file gets executed after it has been fully downloaded.
Registry

The following registry keys are added in order to load the services after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• "csrcs"="%SYSDIR%\csrcs.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
• "Hidden"=dword:00000002
• "SuperHidden"=dword:00000000
• "ShowSuperHidden"=dword:00000000
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
• "CheckedValue"=dword:00000001

The following registry keys are added:
– [HKLM\Software\Microsoft\DRM\amty]
• "ilop"="1"
• "fix"=""
• "fix1"="1"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
• "csrcs"="%SYSDIR%\csrcs.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
– [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
• "csrcs"="%SYSDIR%\csrcs.exe"

File details

Programming language: The malware program was written in MS Visual C++.

Runtime packer: In order to hinder detection and reduce the file size, it is packed with a runtime packer.
Description inserted by Carlos Valero Llabata on Friday, August 20, 2010 Description updated by Andrei Ivanes on Thursday, August 26, 2010