Home / malware Worm:Win32/Autorun.AEB
First posted on 11 February 2012.
Source: MicrosoftAliases :
There are no other names known for Worm:Win32/Autorun.AEB.
Explanation :
Worm:Win32/Autorun.AEB is a worm that spreads via removable drives and peer-to-peer file sharing, and has been observed stealing sensitive information from an infected user.
Variants of Worm:Win32/Autorun usually spread using methods that include, but may not be limited to, copying themselves to removable or network drives, and placing an autorun.inf file in the root directory of each affected drive in an attempt to ensure that the worm is run when the removable drive is attached, or the network drive is visited from a remote system supporting the Autorun feature.
Top
Worm:Win32/Autorun.AEB is a worm that spreads via removable drives and peer-to-peer file sharing, and has been observed stealing sensitive information from an infected user.
Variants of Worm:Win32/Autorun usually spread using methods that include, but may not be limited to, copying themselves to removable or network drives, and placing an autorun.inf file in the root directory of each affected drive in an attempt to ensure that the worm is run when the removable drive is attached, or the network drive is visited from a remote system supporting the Autorun feature.
Installation
When executed, Worm:Win32/Autorun.AEB copies itself to <system folder>\lsas.exe.
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware modifies the following registry entry to ensure that its copy executes at each Windows start:
In subkey: HKCU\Software\Microsoft\windows\currentversion\run
Sets value: "winupdate"
With data: "<system folder>\lsas.exe"
Upon execution, the worm may also display the following fake error message:
Each time the user attempts to restart/reboot the infected computer, Worm:Win32/Autorun.AEB may display the following message:
Spreads via€¦
Removable drives
Worm:Win32/Autorun.AEB may create the following files on removable and network drives when spreading:
- <targeted drive>:\mirc.exe
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
Peer-to-Peer file sharing
The worm may attempt to spread via Peer-to-Peer (P2P) file sharing by copying itself to the shared folders of particular P2P file sharing applications.
This malware also drops copies of itself as a file named "mirc.exe" into known file sharing application folders, namely:
- %programdir%\LimeWire\Shared\
- %programdir%\eDonkey2000\
- %programdir%\eMule\Incoming\
- %programdir%\Morpheus\My Shared Folder\
- %programdir%\Kazaa\My Shared Folder\
- %programdir%\ICQ\shared files\
- %programdir%\Ares\My Shared Folder\
It may also drop a copy of itself as the following:
%programdir%\Bearshare\Shared\kespersky Keys Generator.exee
Payload
Steals sensitive information
Worm:Win32/Autorun.AEB attempts to exploit the vulnerability described in CVE-2008-2747 to steal user names and passwords used for NO-IP - a managed DNS service client-tool; this behavior is further described in the following articles:
- http://xforce.iss.net/xforce/xfdb/43298
- http://www.securelist.com/en/advisories/30714
It attempts to steal the following information from an affected computer:
- Network passwords
- Stored browser passwords from:
- Internet Explorer
- Firefox
- Installed antivirus products
- Computer information such as product name, CSDVersion, and ProductID
Worm:Win32/Autorun.AEB attempts to read the keys and serial numbers from the following software, should it be installed on the affected computer:
- Advanced PDF Password Recovery
- Advanced ZIP Password Recovery
- Ashamopp WinOptimizer Platinum
- ashampoo burning studio
- Call of Duty
- Camtasia Studio
- Counter-Strike
- DvD Audio Extractor
- F-Secure BackWeb
- FIFA
- FarCry
- Half-Life
- Macromedia Dreamweaver
- Macromedia Fireworks
- Macromedia Flash
- mIRC
- Need for Speed Underground
- Nero
- Partition Magic
- Passware Encryption Analyzer
- PowerDvD
- PowerStrip
- Pro Evolution Soccer
- Rainbow Six III RavenShield
- Shogun Total War Warlord Edition
- Sniffer Pro
- Splinter Cell Pandora Tomorrow
- Stalker - Shadow of Chernobyl
- Steam
- Steganos Internet Anonym VPN
- Surpreme Commander
- TechSmith SnagIt
- TuneUp
- Unreal Tournament
- VMWare Workstation
- WinISO
- Winamp
- Windows Product Key
- World of Warcraft
- ZDSoftKey
- ZoneAlarm
In the wild, we have observed the worm performing the following actions for its malicious purposes:
- Logging keystrokes
- Capturing screen shots of the user's screen
- Monitoring all running applications
The captured screen shots may be saved under "c:\dir\". All other recorded information may be saved to the following log file:
c:\Windows\Systemp.txt
Disables security settings
The worm disables the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service by executing the following command:
net stop sharedaccess
Contacts remote host
Worm:Win32/Autorun.AEB may contact a remote host at hamada88.no-ip.biz using port 2185. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
In the wild, we have also seen the worm connecting to the following remote servers:
- 87.106.101.133
- amir066.no-ip.info
- musicfree.no-ip.info
- totodz.no-ip.info
- xsun30.dyndns.tv
- xsun3000.dyndns.tv
Analysis by Edgardo Diaz
Last update 11 February 2012