Virus: WORM/Autorun.bnbb
Date discovered: 03/09/2010
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 102.400 Bytes
MD5 checksum: FC69E6109E881EA62B98B68597033B86
IVDF version: 7.10.11.85 - Friday, September 3, 2010

General
Method of propagation:
   • Autorun feature
   • Messenger
   • Peer to Peer


Aliases:
   • Kaspersky: Worm.Win32.AutoRun.bnbb
   • TrendMicro: WORM_AUTORUN.EV
   • Microsoft: Worm:Win32/Pushbot.TG
   • VirusBuster: Worm.AutoRun.AWGO
   • Eset: Win32/AutoRun.IRCBot.FC
   • DrWeb: Win32.HLLW.Autoruner.27464
   • Fortinet: W32/AutoRun.BNBB!worm
   • Ikarus: Worm.Win32.Pushbot
   • Norman: W32/VBTroj.CYQQ


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %WINDIR%\Sontiwin.exe
   • %drive%\%random character string%.exe



The following file is created:

   • %drive%\autorun.inf
     This is a non-malicious text file with the following content:
   • %code that runs malware%

Registry
One of the following values is added to each registry key in order to run the processes after reboot:

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Ci Servs"="Sontiwin.exe"

  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Ci Servs"="Sontiwin.exe"



It creates the following entry in order to bypass the Windows XP firewall:

  [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\%executed file%"="%malware execution directory%\%executed file%:*:Enabled:Ci Servs"
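
As an added example (not part of the original description), the registry indicators listed above can be checked offline against the text of a `reg export` dump. The sample dump, the `C:\WINDOWS` path and the function names are constructed for illustration.

```python
import re

# Indicators from the description above; keys are matched by suffix so any hive or control set prefix fits.
RUN_SUFFIX = r"\currentversion\run"
FW_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
VALUE_NAME = "ci servs"
FILE_NAME = "sontiwin.exe"
STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Constructed sample of a `reg export` dump (not taken from the page)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\update.exe"
"Ci Servs"="Sontiwin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
"Ci Servs"="Sontiwin.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\Sontiwin.exe"="C:\\WINDOWS\\Sontiwin.exe:*:Enabled:Ci Servs"
"C:\\Tools\\sync.exe"="C:\\Tools\\sync.exe:*:Enabled:Sync Tool"
'''

def unescape(s):
    # .reg exports escape backslashes and quotes inside string values
    return re.sub(r"\\(.)", r"\1", s)

def find_indicators(reg_text):
    """Return (key, value name, reason) for every string value matching an indicator."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = STRING_VALUE.match(line)
        if not m or key is None:
            continue
        name, data = unescape(m["name"]), unescape(m["data"])
        k = key.lower()
        if k.endswith(RUN_SUFFIX) and (name.lower() == VALUE_NAME or data.lower().endswith(FILE_NAME)):
            hits.append((key, name, "autostart value"))
        elif k.endswith(FW_SUFFIX) and data.lower().endswith(":*:enabled:" + VALUE_NAME):
            hits.append((key, name, "firewall exception"))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE):
        print(hit)
```

Files written by `reg export` are UTF-16 encoded, so decode them accordingly before passing the text to `find_indicators`.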

P2P
In order to infect other systems in the Peer to Peer network community, the following action is performed:
   It searches for directories that contain one of the following substrings:
   • winmx\shared\
   • tesla\files\
   • limewire\shared\
   • morpheus\my shared folder\
   • emule\incoming\
   • edonkey2000\incoming\
   • bearshare\shared\
   • grokster\my grokster\
   • icq\shared folder\
   • kazaa lite k++\my shared folder\
   • kazaa lite\my shared folder\
   • kazaa\my shared folder\

   If successful, the following files are created:
   • porno.scr; headjobs.scr; ilovetofuck.scr;
      FREEPORN.exe; fuckshitcunt.scr; Autoloader.exe; Wireshark.exe;
      DDOSPING.exe; ScreenMelter.exe; How-to-make-money.exe; Ebooks.exe;
      WildHorneyTeens.scr; RapidsharePREMIUM.exe; LimeWireCrack.exe;
      Porno.MPEG.exe; image.scr; VistaUltimate-Crack.exe; paris-hilton.scr;
      MSNHacks.exe; YahooCracker.exe; HotmailHacker.exe


Messenger
It spreads via Messenger. The characteristics are described below:

   • Windows Live Messenger

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: irc.metra****.com
Port: 6567

File details
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Irina Diaconescu on Friday, October 29, 2010
Description updated by Irina Diaconescu on Friday, November 5, 2010
