Virus: TR/Autoit.WM
Date discovered: 20/01/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 545.758 Bytes
MD5 checksum: 123834811b7d6f9e1423f381e68d25a6
IVDF version: 7.01.01.152 - Tuesday, January 20, 2009
General
Method of propagation:
• Autorun feature
Aliases:
• Symantec: W32.Harakit
• Kaspersky: Worm.Win32.AutoIt.xl
• TrendMicro: WORM_HARAKIT.FC
• Sophos: Sus/Tiotua-A
• Avast: AutoIt:Balero-C
• Microsoft: Worm:Win32/Autorun.XK
• Eset: Win32/Tifaut.D
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7
Side effects:
• Third party control
• Downloads malicious files
• Registry modification

Files
It copies itself to the following locations:
• %SYSDIR%\csrcs.exe
• %SYSDIR%\%random character string%.exe
• C:\%random character string%\%random character string%\%gathered from the internet%.exe
• %drive%\%random character string%.exe
It copies itself within an archive to the following location:
• C:\%random character string%\%random character string%\%gathered from the internet%.zip
The following files are created:
– %SYSDIR%\autorun.in
This is a non-malicious text file with the following content:
• %code that runs malware%
– %SYSDIR%\autorun.i
This is a non-malicious text file with the following content:
• %code that runs malware%
– %drive%\autorun.inf
This is a non-malicious text file with the following content:
• %code that runs malware%
It tries to download some files:
– The location is the following:
• http://95.211.21.184:804/z/****
It is saved on the local hard drive under: %SYSDIR%\cftu.exe. This file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.
– The location is the following:
• http://95.211.21.184:89/****
It is saved on the local hard drive under: %SYSDIR%\RegShellSM.exe. This file is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.
– The location is the following:
• http://thepiratebay.org/****

Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
• "csrcs"="%SYSDIR%\csrcs.exe"
The following value is also added in order to run the process after reboot:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
• "csrcs"="%SYSDIR%\csrcs.exe"
The following registry key is added:
– [HKLM\Software\Microsoft\DRM\amty]
• "exp1"="408406541BC5BBE4DC197A2A0C46B9ACF2F90D96B151D7C7BCBD177741EE95F562E634D70EB70FB65FC8FBF3EC31261F"
• "dreg"="408406541BC5BBE4DC197A2A0C46B9ACF2F90D96B151D7C7BCBD177641EE95F562E634D70EB70FB65FC8FBF0EC31261C8626D05B1ED70CC881A48DA07A7E1A99"
• "fir"="x"
• "kiu
• "giru"="noneed"
• "gix"="noneed"
• "rp2"="noneed"
• "cb3"="noneed"
• "bwp1"="noneed"
The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="Explorer.exe"
New value:
• "Shell"="Explorer.exe csrcs.exe"
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Old value:
• "CheckedValue"=dword:00000000
New value:
• "CheckedValue"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• "Hidden"=dword:00000001
• "SuperHidden"=dword:00000001
• "ShowSuperHidden"=dword:00000001
New value:
• "Hidden"=dword:00000002
• "SuperHidden"=dword:00000000
• "ShowSuperHidden"=dword:00000000

Backdoor
Contact server:
The following:
• http://www.5eb149c0.com:81/****

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX
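A host-side triage check for the persistence and file-hiding indicators listed above (Winlogon Shell extended with csrcs.exe, the RunServices / policies\Explorer\Run autostart, the Explorer "Hidden"/"ShowSuperHidden" changes, and the drive-root autorun.inf). This is an added example and not Avira's code; the registry snapshot, the random executable name and the autorun.inf text are constructed to mirror the values the description reports.

```python
"""Triage for TR/Autoit.WM indicators on a registry snapshot and an autorun.inf.
Constructed data only: a real collector (reg.exe export, image parser) feeds snap."""
import re

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
)

# Constructed snapshot: key path -> {value name: data}, mirroring the page's values.
SNAPSHOT = {
    WINLOGON: {"Shell": "Explorer.exe csrcs.exe"},
    RUN_KEYS[0]: {"csrcs": r"C:\Windows\system32\csrcs.exe"},  # %SYSDIR%\csrcs.exe
    ADVANCED: {"Hidden": 2, "SuperHidden": 0, "ShowSuperHidden": 0},
}

# Constructed %drive%\autorun.inf; "xkqzd.exe" stands in for the random file name.
AUTORUN_INF = "[autorun]\r\nopen=xkqzd.exe\r\nshellexecute=xkqzd.exe\r\n"


def check_registry(snap):
    """Return human-readable findings for each registry change the page describes."""
    findings = []
    # A clean Shell value is exactly "Explorer.exe"; any extra token is an appended loader.
    shell = snap.get(WINLOGON, {}).get("Shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell tampered: {shell!r}")
    # Autostart entries pointing at the dropped csrcs.exe.
    for key in RUN_KEYS:
        for name, data in snap.get(key, {}).items():
            if "csrcs.exe" in str(data).lower():
                findings.append(f"autostart {name!r} -> {data} in {key}")
    # Hidden=2 / ShowSuperHidden=0 hide hidden and protected system files in Explorer.
    adv = snap.get(ADVANCED, {})
    if adv.get("Hidden") == 2 or adv.get("ShowSuperHidden") == 0:
        findings.append("Explorer configured to hide hidden/system files")
    return findings


def autorun_targets(inf_text):
    """Executables an autorun.inf would launch via its open= or shellexecute= lines."""
    pattern = r"(?im)^(?:open|shellexecute)\s*=\s*(.+?)\s*$"
    return sorted({m.group(1).lower() for m in re.finditer(pattern, inf_text)})


if __name__ == "__main__":
    for line in check_registry(SNAPSHOT):
        print("FINDING:", line)
    print("autorun.inf launches:", autorun_targets(AUTORUN_INF))
```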
Description inserted by Irina Diaconescu on Tuesday, October 26, 2010
Description updated by Andrei Ivanes on Monday, November 1, 2010