Virus: Worm/AutoIt.YH
Date discovered: 18/08/2010
Type: Worm
Subtype: Downloader
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 641.728 Bytes
MD5 checksum: a52344dbf51069a071bd6cf719ff8ddf
IVDF version: 7.10.10.208 - Wednesday, August 18, 2010

General

Method of propagation:
   • No own spreading routine


Aliases:
   • Kaspersky: Worm.Win32.AutoIt.yh
   • Avast: AutoIt:Balero-C
   • Panda: Trj/CI.A
   • DrWeb: Win32.HLLW.Autoruner.based
   • Ikarus: Worm.Win32.AutoIt


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files

It copies itself to the following locations:
   • %SYSDIR%\csrcs.exe
   • %SYSDIR%\%random character string%.exe
   • c:\%current directory%\%random character string%.exe



It deletes the initially executed copy of itself.



The following files are created:

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\aut1.tmp
   • %TEMPDIR%\%random character string%
   • %TEMPDIR%\aut2.tmp
   • %TEMPDIR%\%random character string%

– Other files:
   • c:\%current directory%\s.cmd
Furthermore it gets executed after it was fully created. This is a non-malicious text file that contains information about the program itself.



It tries to download some files:

The location is the following:
   • http://fl**********.exe
It is saved on the local hard drive under: %SYSDIR%\RegShellSM.exe Furthermore this file gets executed after it was fully downloaded.

The location is the following:
   • http://9**********.exe
It is saved on the local hard drive under: %SYSDIR%\ip.exe Furthermore this file gets executed after it was fully downloaded.

Registry

The following registry keys are added in order to load the services after reboot:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "csrcs"="%SYSDIR%\csrcs.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   • "Hidden"=dword:00000002
   • "SuperHidden"=dword:00000000
   • "ShowSuperHidden"=dword:00000000

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   • "CheckedValue"=dword:00000001



The following registry keys are added:

[HKLM\Software\Microsoft\DRM\amty]
   • "ilop"="1"
   • "fix"=""
   • "fix1"="1"

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
   • "csrcs"="%SYSDIR%\csrcs.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "csrcs"="%SYSDIR%\csrcs.exe"
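
As an added defender-side check that is not part of the original description or of the vendor's tooling, the following PowerShell script looks on a live host for the persistence values, the marker key, the dropped executables and the hidden-file settings listed above. It assumes an elevated session and Get-FileHash (PowerShell 4 or later); it only reports and changes nothing.

```powershell
# Added example (not from the original description): read-only host check for the
# Worm/AutoIt.YH artifacts listed in the description. Run from an elevated PowerShell.
$sysdir   = [Environment]::GetFolderPath('System')   # resolves %SYSDIR%
$listedMd5 = 'a52344dbf51069a071bd6cf719ff8ddf'      # MD5 of the sample, from the description
$findings = @()

# Persistence values and the marker key named in the description. A "csrcs" value under
# Winlogon, RunServices or policies\Explorer\Run is abnormal on a clean system.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';         Name = 'csrcs' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices';           Name = 'csrcs' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'csrcs' },
    @{ Path = 'HKLM:\Software\Microsoft\DRM\amty';                                    Name = 'fix1'  }
)
foreach ($c in $regChecks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $item = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $c.Name)) {
        $findings += "Registry: $($c.Path) -> $($c.Name) = $($item.($c.Name))"
    }
}

# Copied / downloaded executables. Only csrcs.exe (a copy of the worm) is expected to match the
# listed MD5; RegShellSM.exe and ip.exe are separate downloads, so their hashes are just reported.
foreach ($f in 'csrcs.exe', 'RegShellSM.exe', 'ip.exe') {
    $p = Join-Path $sysdir $f
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $tag  = if ($hash -eq $listedMd5) { 'matches listed MD5' } else { 'MD5 differs from listed sample' }
        $findings += "File: $p ($tag, md5=$hash)"
    }
}

# Explorer hidden-file settings the worm lowers. Hidden=2 and ShowSuperHidden=0 are also the
# defaults on many Windows builds, so treat this as corroborating evidence only.
$adv = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and ($adv.Hidden -eq 2 -or $adv.ShowSuperHidden -eq 0)) {
    $findings += "Info: hidden-file view settings are in the state the worm sets (Hidden=$($adv.Hidden), ShowSuperHidden=$($adv.ShowSuperHidden))"
}

if ($findings.Count -eq 0) { 'No Worm/AutoIt.YH indicators found.' } else { $findings }
```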

File details

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description added by: Carlos Valero Llabata on Friday, August 20, 2010
Description updated by: Andrei Ivanes on Thursday, August 26, 2010
