
Win32.Worm.Autorun.QR


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.Autorun.QR.

Explanation:

This worm may arrive inside an NSIS (Nullsoft Installer) file. When that file is executed, it first checks for the existence of the registry key HKEY_LOCAL_MACHINE\Software\QucikWatch, and then drops and executes a file named QuickWatch.exe in the %temp% folder. This file first creates an autorun.inf file in the root of every accessible drive. The autorun.inf file contains several lines of randomly generated garbage ASCII characters in order to make detection more difficult. Two text lines, however, betray its purpose:

Shellexecute="RECYCLER\Random-name.com drive-letter:"

shell\Open\command="RECYCLER\Random-name.com drive-letter:"

The random name will be of the form S-3-0-68-100021457-100021691-100001035-4746.com, where each number appears to be randomly generated. Any time the infected drive is accessed, the worm is executed as well, and it attempts to replicate to other drives, including USB and network drives. It also launches msiexec.exe, makes a copy of x:\windows\system32\msi.dll in the %temp% folder, and patches that copy by replacing a short sequence of instructions; if run manually, it deletes its own file.
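A defender's check for the autorun.inf mechanism described above, as an added example (not BitDefender's code): it parses an autorun.inf while skipping the garbage lines, and flags launch entries that point at a RECYCLER\S-...com file of the shape given in this write-up. The embedded sample file and the drive roots handed to scan_drive_roots are assumptions, not captured data.

```python
import re
from pathlib import Path

# Shape of the dropped file named in autorun.inf: a SID-like name ending in ".com"
# under a RECYCLER folder. The numbers are random, so only the shape is matched.
DROPPED_NAME_RE = re.compile(r"RECYCLER\\S-\d+(?:-\d+){3,}\.com", re.IGNORECASE)

# autorun.inf keys the worm sets so that opening the drive launches it
LAUNCH_KEYS = ("shellexecute", "shell\\open\\command", "open")

def parse_autorun(text):
    """Return {key: value} for key=value lines; the garbage lines the worm
    inserts (no '=' sign, or an unrecognised key) are simply left unused."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key:
            entries[key] = value.strip().strip('"')
    return entries

def suspicious_launch_targets(text):
    """List (key, target) pairs whose launch target matches the worm's naming scheme."""
    entries = parse_autorun(text)
    return [(k, entries[k]) for k in LAUNCH_KEYS
            if k in entries and DROPPED_NAME_RE.search(entries[k])]

def scan_drive_roots(roots):
    """Check autorun.inf at each drive root; returns {root: hits} for roots that match."""
    findings = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            hits = suspicious_launch_targets(inf.read_text("latin-1", errors="replace"))
            if hits:
                findings[str(root)] = hits
    return findings

# Constructed sample modelled on the write-up's description (not a captured file)
SAMPLE = "\n".join([
    "[autorun]",
    "x7#Qp!zz9@kL$wq",
    'Shellexecute="RECYCLER\\S-3-0-68-100021457-100021691-100001035-4746.com E:"',
    "vB&2m^ksd",
    'shell\\Open\\command="RECYCLER\\S-3-0-68-100021457-100021691-100001035-4746.com E:"',
])
```

On a live system, pass the drive roots to check (for example `["C:\\", "E:\\"]`) to scan_drive_roots; a non-empty result means the drive carries an autorun.inf of the kind described here.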

Last update 21 November 2011
