
Worm:JS/Beutanni.A


First posted on 13 June 2013.
Source: Microsoft

Aliases:

Worm:JS/Beutanni.A is also known as JS/Autorun (AhnLab), JS/Autorun.E (Avira), JS/AutoRun.NAI (ESET), JS/Autorun-CBD (Sophos), Trojan.JS.Autorun.A (BitDefender), Worm/AutoRun.AX (AVG), Virus.Worm.AutoRun (Ikarus), Worm.JS.AutoRun.w (Kaspersky), WORM_AUTORUN.IJF (Trend Micro).

Explanation:

Installation

When run, this worm drops the following copies of itself:

  • %SystemDrive%\annie.ani
  • <system folder>\drivers\annie.sys


It also drops the following shortcut files in %SystemDrive%, all of which link back to the annie.ani copy of the worm:

  • beautiful_girl_part_1.lnk
  • beautiful_girl_part_2.lnk
  • beautiful_girl_part_3.lnk
  • beautiful_girl_part_4.lnk
  • beautiful_girl_part_5.lnk


The purpose of these files is to lure you into opening them based on their file names. However, when opening the files, you will instead run the copy of the worm.

Spreads via...

File infection

The worm searches for all files on your computer with the extensions .DOC, .DOCX, and .RTF. It hides these files, and creates copies of itself using the original file's name and the extension .JSE.

The worm does this to trick you into opening copies of the worm, thinking they are actually legitimate Word documents.

For example, the worm finds a file called MyResume.DOCX. The worm creates a copy of itself with the file name MyResume.JSE in the same folder as the original .DOCX file, and then hides the original .DOCX file. You might go to open the file, thinking you are opening a Word document you created called MyResume; instead, you will open up a copy of the worm and cause it to run.

The worm also searches for files on your computer with the extensions .HTM and .HTML, and infects those files with its own code. When you go to open such a file, you will also cause the worm to run.
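The two file-infection behaviors above leave a footprint that can be checked without executing anything. The script below is an added example (not part of the original write-up and not code from Microsoft or the analyst): it walks a directory tree and reports every .JSE file that sits next to a .DOC/.DOCX/.RTF document of the same base name, which is the decoy pattern the page describes, and reports whether the document carries the Windows hidden attribute. The HTML check is a heuristic of my own, not something the page states: it flags .htm/.html files that contain a script block after the closing </html> tag, the usual footprint of a file infector that appends code. The fixture directory is constructed here with placeholder bytes.

```python
import os
import stat
import tempfile

# Document extensions the page says the worm hides and shadows with a .JSE copy of itself.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".rtf"}
# Web page extensions the page says the worm infects with its own code.
WEB_EXTENSIONS = {".htm", ".html"}
# Windows Script Host (encoded JScript) extension used for the decoy copies.
DECOY_EXTENSION = ".jse"


def is_hidden(path):
    """True if the Windows hidden attribute is set; always False on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_decoy_pairs(root):
    """Return (decoy, document, document_hidden) triples for every .jse file that
    sits next to a .doc/.docx/.rtf file with the same base name."""
    pairs = []
    for dirpath, _dirs, filenames in os.walk(root):
        by_stem = {}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = name
        for exts in by_stem.values():
            if DECOY_EXTENSION not in exts:
                continue
            decoy = os.path.join(dirpath, exts[DECOY_EXTENSION])
            for doc_ext in sorted(DOCUMENT_EXTENSIONS & set(exts)):
                doc = os.path.join(dirpath, exts[doc_ext])
                pairs.append((decoy, doc, is_hidden(doc)))
    return sorted(pairs)


def find_appended_scripts(root):
    """Heuristic (my assumption, not stated by the page): flag .htm/.html files with a
    <script> block after the closing </html> tag, i.e. code appended to the file."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read().lower()
            end = data.rfind(b"</html>")
            if end != -1 and b"<script" in data[end:]:
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture (placeholder bytes, no worm code): MyResume.DOCX shadowed by
    MyResume.JSE, an untouched Report.rtf, one page with a script appended after
    </html>, and one clean page whose script lives inside <head>."""
    root = tempfile.mkdtemp(prefix="beutanni_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    fixture = {
        "MyResume.DOCX": b"placeholder docx bytes",
        "MyResume.JSE": b"// placeholder standing in for the decoy copy\n",
        "Report.rtf": b"{\\rtf1 placeholder}",
        "index.html": b"<html><body>hello</body></html>\n<script>/* appended */</script>\n",
        "clean.htm": b"<html><head><script>ok();</script></head><body></body></html>\n",
    }
    for name, body in fixture.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for decoy, doc, hidden in find_decoy_pairs(sample):
        print(f"decoy {decoy} shadows {doc} (hidden={hidden})")
    for page in find_appended_scripts(sample):
        print(f"script appended after </html>: {page}")
```

Run it against a user's profile or a mapped share to get a list of document/decoy pairs to restore (unhide the document, remove the .JSE). The hidden-attribute check only means something on Windows; on other platforms the name collision alone is the signal.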

CDs

The worm drops the following files so that copies of itself will be included on any CDs you burn:

  • %LOCALAPPDATA%\Microsoft\CD Burning\annie.ani - detected as Worm:JS/Beutanni.A
  • %LOCALAPPDATA%\Microsoft\CD Burning\autorun.inf - detected as Worm:Win32/Beutanni.A!inf


Every time the infected CD is inserted into a computer that allows Autorun of CDs, the worm will run (see the Removable drives spreading behavior for a brief explanation of how Autorun works).

Removable drives

The worm creates a copy of itself in the root folder of all drives on your computer, including fixed drives (hard disks), removable drives (such as USB thumb drives), and network drives. The copy uses the file name annie.ani.

It also places an autorun.inf file in the root folder of the drives, detected as Worm:Win32/Beutanni.A!inf.

Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

This is particularly common malware behavior, generally used in order to spread malware from computer to computer.

It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
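Because autorun.inf on its own is not proof of infection, triage has to look at what the file actually points to. The following is an added example, not code from the page, Microsoft or the analyst: a small parser for the [autorun] section that extracts the launch keys (open and shellexecute), flags a launch target whose name the page attributes to this worm (annie.ani) or whose extension is not a normal installer executable, and a scan_root helper that applies the same check to a drive root or the CD Burning staging folder named above. Both sample autorun.inf texts are constructed for this example; the second one mimics ordinary install media and is reported as benign.

```python
import os
import re
import tempfile

# Name of the dropped copy the page lists for drive roots and the CD Burning folder.
KNOWN_DROPPED_NAMES = {"annie.ani"}
# Keys in the [autorun] section that cause a file to be launched.
LAUNCH_KEYS = ("open", "shellexecute")
# What an installer on legitimate media normally points at.
EXPECTED_LAUNCH_EXTENSIONS = {".exe"}


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section, keys lowercased.  Tolerates
    comments, blank lines and mixed-case section names."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun_inf(text):
    """Return (suspicious, findings) for the text of one autorun.inf."""
    entries = parse_autorun_inf(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key not in entries:
            continue
        # Split on whitespace but keep quoted paths together.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', entries[key])]
        for tok in tokens:
            base = os.path.basename(tok.replace("\\", "/")).lower()
            ext = os.path.splitext(base)[1]
            if base in KNOWN_DROPPED_NAMES:
                findings.append(f"{key}= references {base}, a file name the page attributes to the worm")
            elif ext and ext not in EXPECTED_LAUNCH_EXTENSIONS:
                findings.append(f"{key}= launches {base!r} with unexpected extension {ext!r}")
    return bool(findings), findings


def scan_root(directory):
    """Check a drive root (or the CD Burning folder) for autorun.inf, triage it, and
    note whether a file with a name the page attributes to the worm sits beside it."""
    inf_path = os.path.join(directory, "autorun.inf")
    if not os.path.isfile(inf_path):
        return {"present": False, "suspicious": False, "findings": []}
    with open(inf_path, "r", errors="replace") as fh:
        suspicious, findings = triage_autorun_inf(fh.read())
    for name in os.listdir(directory):
        if name.lower() in KNOWN_DROPPED_NAMES:
            suspicious = True
            findings.append(f"{name} present next to autorun.inf")
    return {"present": True, "suspicious": suspicious, "findings": findings}


# Constructed samples for this example (not copies of the worm's real file).
CONSTRUCTED_WORM_STYLE = "[AutoRun]\nopen=annie.ani\nicon=annie.ani\n"
CONSTRUCTED_INSTALL_MEDIA = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Product Installer\n"


def build_sample_root():
    """Constructed drive-root fixture: the worm-style autorun.inf plus a placeholder
    file named annie.ani (placeholder bytes, not the worm)."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(CONSTRUCTED_WORM_STYLE)
    with open(os.path.join(root, "annie.ani"), "wb") as fh:
        fh.write(b"placeholder, not the worm")
    return root


if __name__ == "__main__":
    print(triage_autorun_inf(CONSTRUCTED_WORM_STYLE))
    print(triage_autorun_inf(CONSTRUCTED_INSTALL_MEDIA))
    print(scan_root(build_sample_root()))
```

The extension check is deliberately loose so that an unusual launch target is surfaced for a human to look at rather than silently accepted; tightening it (for example, allowing only a setup.exe in the root) is a local policy decision.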



Payload

Modifies system settings

The worm makes a number of changes to the registry that are designed to lower the security of your system.

It disables the registry editor:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: DisableRegistryTools
With data: 0x00000001

It disables the task manager:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: DisableTaskMgr
With data: 0x00000001

It disables file type association in Windows Explorer (called "File Explorer" in some versions of Windows):

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: NoFileAssociate
With data: 0x00000001

It restricts the use of the Microsoft Management Console (MMC):

In subkey: HKCU\Software\Policies\Microsoft\MMC
Sets value: RestrictToPermittedSnapins
With data: 0x00000001

It disables System Restore:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: DisableConfig
With data: 0x00000001

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Sets value: DisableSR
With data: 0x00000001

It prevents the display of hidden files in Windows Explorer (called "File Explorer" in some versions of Windows):

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Sets value: UncheckedValue
With data: 0x00000001

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Sets value: UncheckedValue
With data: 0x00000001

It also disables certain command-line utilities and analysis tools by making a number of changes to the registry.

It disables the "Kill Process" tool:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
Sets value: Debugger
With data: "cmd.exe /c rem"

It disables the "Attribute Utility" tool:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe
Sets value: Debugger
With data: "cmd.exe /c rem"

It disables the "SysInternals Autostart Program Viewer" tool:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Sets value: Debugger
With data: "cmd.exe /c del /q /f"

It disables the "SysInternals Process Explorer" tool:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Sets value: Debugger
With data: "cmd.exe /c del /q /f"

It disables the "Registry Console Tool":

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe
Sets value: Debugger
With data: "cmd.exe /c rem"

The worm also disables the RegAlyzer tool created by SpyBot - Search & Destroy by modifying the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegAlyzer.exe
Sets value: Debugger
With data: "cmd.exe /c del /q /f"
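The registry changes listed above can be audited offline from a text export (the output of reg export). The script below is an added example, not code from the page, Microsoft or the analyst: it parses the subset of .reg syntax needed here (key headers, dword and string values), compares the export against the subkey/value/data triples transcribed from this page, and additionally generalises beyond the page by reporting any Image File Execution Options Debugger value that redirects a program into cmd.exe, whatever the executable name. The remediation list it produces follows from what the values do: policy values are deleted so the Windows default returns, and Debugger values are deleted so the tools launch normally. The export text is constructed for this example.

```python
import re

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# (subkey, value name, data) triples transcribed from the page's payload section.
PAGE_INDICATORS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFileAssociate", 1),
    (r"HKCU\Software\Policies\Microsoft\MMC", "RestrictToPermittedSnapins", 1),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", 1),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden", "UncheckedValue", 1),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt", "UncheckedValue", 1),
]
for exe, debugger in [("taskkill.exe", "cmd.exe /c rem"), ("attrib.exe", "cmd.exe /c rem"),
                      ("autoruns.exe", "cmd.exe /c del /q /f"), ("procexp.exe", "cmd.exe /c del /q /f"),
                      ("reg.exe", "cmd.exe /c rem"), ("RegAlyzer.exe", "cmd.exe /c del /q /f")]:
    PAGE_INDICATORS.append((IFEO + "\\" + exe, "Debugger", debugger))


def expand_hive(path):
    """Turn the page's HKCU\\... / HKLM\\... shorthand into the full hive name used by
    a .reg export, lowercased for comparison."""
    hive, _sep, rest = path.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def parse_reg_export(text):
    """Parse [key] headers, "name"=dword:hex and "name"="string" lines into
    {(key_lower, name_lower): data}.  Other value types are ignored."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if key is None or not m:
            continue
        if m.group(3) is not None:
            data = int(m.group(3), 16)
        else:
            data = m.group(4).replace('\\\\', '\\')  # .reg doubles backslashes in strings
        values[(key, m.group(1).lower())] = data
    return values


def audit_registry(values):
    """Return (page_hits, ifeo_hijacks): exact matches for the page's indicators, and
    every IFEO Debugger value pointing at cmd.exe regardless of executable name."""
    page_hits = []
    for subkey, name, expected in PAGE_INDICATORS:
        data = values.get((expand_hive(subkey), name.lower()))
        if data is not None and str(data).lower() == str(expected).lower():
            page_hits.append((subkey, name, data))
    ifeo_prefix = expand_hive(IFEO) + "\\"
    ifeo_hijacks = sorted(
        (key[len(ifeo_prefix):], data)
        for (key, name), data in values.items()
        if key.startswith(ifeo_prefix) and name == "debugger"
        and isinstance(data, str) and data.lower().startswith("cmd.exe")
    )
    return page_hits, ifeo_hijacks


def remediation_steps(page_hits, ifeo_hijacks):
    """Cleanup list: drop policy values (defaults return) and IFEO Debugger values."""
    steps = [f"delete value {name} under {subkey}"
             for subkey, name, _ in page_hits if name != "Debugger"]
    steps += [f"delete value Debugger under {IFEO}\\{exe}" for exe, _ in ifeo_hijacks]
    return steps


# Constructed export for this example: two page indicators (one set, one at 0),
# plus a Debugger entry for a hypothetical sometool.exe the page does not list.
CONSTRUCTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe]
"Debugger"="cmd.exe /c rem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sometool.exe]
"Debugger"="cmd.exe /c del /q /f"
'''

if __name__ == "__main__":
    hits, hijacks = audit_registry(parse_reg_export(CONSTRUCTED_EXPORT))
    for line in remediation_steps(hits, hijacks):
        print(line)
```

HKCU values live in the profile of the user who ran the worm, so export that user's hive (or load the NTUSER.DAT of the affected profile) rather than the hive of the account doing the cleanup. Because the worm also blocks reg.exe and attrib.exe through IFEO, the Debugger values are the first thing to remove; the policy values can then be handled with the restored tools.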



Analysis by Gilou Tenebro

Last update 13 June 2013
