Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Autorun.hib
Date discovered:16/02/2011
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:345.849 Bytes
MD5 checksum:4a904202c22f6dadd3f1012206bee466
VDF version:7.10.08.215
IVDF version:7.11.03.121 - Wednesday, February 16, 2011

 General Method of propagation:
   • Autorun feature


Aliases:
   •  Mcafee: W32/Autorun.worm.g
   •  Kaspersky: Worm.Win32.AutoRun.hib
   •  Sophos: W32/AutoRun-BNR
   •  Bitdefender: Trojan.Autoit.ANK
   •  Panda: W32/Autorun.JDC
   •  GData: Trojan.Autoit.ANK


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\system32_.exe
   • %SYSDIR%_.exe
   • %MAPPED DRIVE%\%all directories%\%directory name%.exe
   • %drive%\system32_.exe



It deletes the following files:
   • C:\System Volume Information\%all files%
   • C:\System Volume Information



The following files are created:

%SYSDIR%\autorun.ini
%drive%\Autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%




It tries to execute the following files:

– Filename:
   • %SYSDIR%\cmd.exe /C AT /delete /yes


– Filename:
   • %SYSDIR%\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %SYSDIR%\system32_.exe


– Filename:
   • %SYSDIR%\cmd.exe /C cacls "C:\system volume information" /e /g "%current username%":f

 Registry The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN]
   • "RunOnceComplete"=dword:0x00000001
   • "RunOnceHasShown"=dword:0x00000001

– [HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
   • "HomePage"=dword:0x00000001

– [HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel]
   • "HomePage"=dword:0x00000001

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   • "RunOnceComplete"=dword:0x00000001
   • "RunOnceHasShown"=dword:0x00000001



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\
   {0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
   New value:
   • "URL"="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

– [HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN]
   New value:
   • "Default_Page_URL"="http://h1.ripway.com/google121/index.html"
   • "Default_Search_URL"="http://h1.ripway.com/google121/index.html"
   • "Search Page"="http://h1.ripway.com/google121/index.html"
   • "Start Page"="http://h1.ripway.com/google121/index.html"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Start Page"="http://h1.ripway.com/google121/index.html"

– [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\
   {0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
   New value:
   • "URL"="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

 Miscellaneous Accesses internet resources:
   • http://recovery.myvnc.com/**********;
      http://h1.ripway.com/sdb070/**********;
      http://h1.ripway.com/sdb054/**********;
      http://h1.ripway.com/sdb055/**********;
      http://h1.ripway.com/sdb056/**********;
      http://h1.ripway.com/sdb057/**********;
      http://h1.ripway.com/sdb058/**********;
      http://h1.ripway.com/sdb059/**********;
      http://h1.ripway.com/sdb060/**********;
      http://h1.ripway.com/sdb061/**********;
      http://h1.ripway.com/sdb062/**********;
      http://h1.ripway.com/sdb063/**********;
      http://h1.ripway.com/sdb064/**********;
      http://h1.ripway.com/sdb065/**********;
      http://h1.ripway.com/sdb066/**********;
      http://h1.ripway.com/sdb067/**********;
      http://h1.ripway.com/sdb068/**********;
      http://h1.ripway.com/sdb069/**********;
      http://h1.ripway.com/sdb053/**********;
      http://h1.ripway.com/sdb071/**********;
      http://h1.ripway.com/sdb072/**********;
      http://h1.ripway.com/sdb073/**********;
      http://h1.ripway.com/sdb074/**********;
      http://h1.ripway.com/sdb075/**********;
      http://h1.ripway.com/sdb076/**********;
      http://h1.ripway.com/sdb077/**********;
      http://h1.ripway.com/sdb078/**********;
      http://h1.ripway.com/sdb079/**********;
      http://h1.ripway.com/sdb080/**********;
      http://h1.ripway.com/sdb081/**********;
      http://h1.ripway.com/sdb082/**********;
      http://h1.ripway.com/sdb083/**********;
      http://h1.ripway.com/sdb084/**********;
      http://h1.ripway.com/sdb085/**********;
      http://h1.ripway.com/sdb086/**********;
      http://h1.ripway.com/sdb087/**********;
      http://h1.ripway.com/sdb088/**********;
      http://h1.ripway.com/sdb089/**********;
      http://h1.ripway.com/sdb090/**********;
      http://h1.ripway.com/sdb091/**********;
      http://h1.ripway.com/sdb092/**********;
      http://h1.ripway.com/sdb093/**********;
      http://h1.ripway.com/sdb094/**********;
      http://h1.ripway.com/sdb095/**********;
      http://h1.ripway.com/sdb096/**********;
      http://h1.ripway.com/sdb097/**********;
      http://h1.ripway.com/sdb098/**********;
      http://h1.ripway.com/sdb099/**********;
      http://h1.ripway.com/sdb0100/**********


Mutex:
It creates the following Mutex:
   • test

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, April 13, 2011
Description updated by Petre Galan on Friday, April 15, 2011

Back . . . .