Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Ainslot.A.532
Date discovered:06/04/2011
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:322.560 Bytes
MD5 checksum:0a0e22bb7024d3aa55b14e34ac945e8e
VDF version:7.11.05.210 - Wednesday, April 6, 2011
IVDF version:7.11.05.210 - Wednesday, April 6, 2011

 General Methods of propagation:
   • Autorun feature
   • Peer to Peer


Aliases:
   •  Kaspersky: Worm.Win32.AutoRun.cfsn
   •  F-Secure: Worm.Win32.AutoRun.cfsn
   •  Bitdefender: Worm.Generic.316722
   •  GData: Worm.Generic.316722
   •  DrWeb: Trojan.Winlock.2876


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Steals information

 Files It copies itself to the following locations:
   • %HOME%\Application Data\explorer.exe
   • %drive%\explorer.exe



The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

– %HOME%\Application Data\data.dat



It tries to execute the following files:

– Filename:
   • cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f


– Filename:
   • cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%HOME%\Application Data\explorer.exe" /t REG_SZ /d "%HOME%\Application Data\explorer.exe":*:Enabled:Windows Messanger" /f


– Filename:
   • cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "%executed file%" /t REG_SZ /d "%executed file%:*:Enabled:Windows Messanger" /f

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Explorer.ee"="%HOME%\Application Data\explorer.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Explorer.ee"="%HOME%\Application Data\explorer.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   run]
   • "Explorer.ee"="%HOME%\Application Data\explorer.exe"



It creates the following entries in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   • "DoNotAllowExceptions"=dword:0x00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%HOME%\Application Data\explorer.exe"="%HOME%\Application Data\explorer.exe:*:Enabled:Windows Messanger"
   • "%executed file%"="%executed file%:*:Enabled:Windows Messanger"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {EAFAE9F3-D9FF-3338-D961-D2AE8EED8AC4}]
   • "StubPath"="%HOME%\Application Data\explorer.exe"

– [HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {EAFAE9F3-D9FF-3338-D961-D2AE8EED8AC4}]
   • "StubPath"="%HOME%\Application Data\explorer.exe"

– [HKCU\Software\VB and VBA Program Settings\SrvID\ID]
   • "AHH6SVXFHH"="WiFi Bot"

– [HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
   • "AHH6SVXFHH"="%current date%"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:   It retrieves shared folders by querying the following registry keys:
   • Software\Kazaa\LocalContent
   • Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule


 Backdoor Contact server:
The following:
   • blackwifi.no-**********.biz:2222 (TCP)


 Stealing It tries to steal the following information:

– Passwords from the following programs:
   • Internet Explorer
   • Mozilla Firefox
   • Valve Steam

– A logging routine is started after a website is visited:
   • https://onlineeast.bankofamerica.com

 Injection – It injects a backdoor routine into a process.

    Process name:
   • explorer.exe


 Miscellaneous Accesses internet resources:
   • http://api.ipinfodb.com/v2/**********?key


Mutex:
It creates the following Mutexes:
   • AHH6SVXFHH_pers
   • AHH6SVXFHH

 File details Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, June 15, 2011
Description updated by Petre Galan on Wednesday, June 15, 2011

Back . . . .