Win32.Worm.Autorun.SS
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Autorun.SS is also known as P2P-Worm.Win32.Palevo.jbk, W32/Autorun.worm.zzq.
Explanation :
This worm tries to spread through MSN and USB removable devices.
On first run, if the malware is not named “sysdate.exe”, it creates a directory in RECYCLER with a name starting with “S-1-5-21”, copies itself into it under the name “sysdate.exe”, and creates another file named “Desktop.ini” that is used to hide the .exe file. If it is already running under the name “sysdate.exe”, it again uses the Desktop.ini method to hide “sysdate.exe” from being seen in Explorer.
After this, it creates a new registry value named “Taskman” under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and sets it to the path of “sysdate.exe”. Next it injects code into the memory space of explorer.exe; the injected code ensures that both “sysdate.exe” and “Desktop.ini” are seen as read-only.
If a new flash drive is connected to an infected system, the malware copies itself to the inserted drive in a directory named “temp”, under the name “winsetup.exe”, and hides the “temp” directory from Explorer by creating another Desktop.ini file. It also creates an autorun.ini file in the root of the removable drive, which launches the malware when the flash drive is connected to a new system, spreading it in this way.

Last update 21 November 2011
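To make the indicators above actionable for a defender, here is an added Python example (it is neither BitDefender's code nor the worm's) that scans a directory tree for the file-system layout described (RECYCLER\S-1-5-21*\sysdate.exe beside a Desktop.ini, <drive>\temp\winsetup.exe beside a Desktop.ini, and an autorun file in the drive root) and checks a set of Winlogon values for a “Taskman” entry pointing at sysdate.exe. The function names, the constructed sample tree and the SID suffix are assumptions; the check also accepts the spelling autorun.inf, the name Windows AutoRun actually reads, alongside the autorun.ini named above. The registry reader uses winreg and therefore only works on Windows; everything else runs anywhere.

```python
"""Hunt for the on-disk and registry indicators listed in the write-up.

Added example, not BitDefender's code. Assumptions are marked in comments.
"""
import tempfile
from pathlib import Path

WORM_EXE = "sysdate.exe"        # copy dropped under RECYCLER\S-1-5-21*
USB_EXE = "winsetup.exe"        # copy dropped in <removable drive>\temp
HIDE_FILE = "desktop.ini"       # used to hide the folder/file from Explorer
SID_PREFIX = "s-1-5-21"         # prefix of the RECYCLER subfolder name
# The write-up names "autorun.ini"; autorun.inf is the file Windows AutoRun
# actually reads, so both spellings are checked (assumption on our part).
AUTORUN_NAMES = {"autorun.ini", "autorun.inf"}


def _names(directory: Path) -> dict:
    """Map lower-cased entry names to paths (Windows names are case-insensitive)."""
    try:
        return {p.name.lower(): p for p in directory.iterdir()}
    except OSError:
        return {}


def scan_system_drive(root) -> list:
    """Look for RECYCLER\\S-1-5-21*\\sysdate.exe and the Desktop.ini hiding it."""
    findings = []
    recycler = _names(Path(root)).get("recycler")
    if recycler is None or not recycler.is_dir():
        return findings
    for sub in recycler.iterdir():
        if not (sub.is_dir() and sub.name.lower().startswith(SID_PREFIX)):
            continue
        entries = _names(sub)
        if WORM_EXE in entries:
            findings.append(f"worm copy: {entries[WORM_EXE]}")
            if HIDE_FILE in entries:
                findings.append(f"hiding file: {entries[HIDE_FILE]}")
    return findings


def scan_removable_drive(root) -> list:
    """Look for <drive>\\temp\\winsetup.exe, its Desktop.ini and a root autorun file."""
    findings = []
    top = _names(Path(root))
    for name in sorted(AUTORUN_NAMES & top.keys()):
        findings.append(f"autorun file: {top[name]}")
    temp = top.get("temp")
    if temp is not None and temp.is_dir():
        entries = _names(temp)
        if USB_EXE in entries:
            findings.append(f"worm copy: {entries[USB_EXE]}")
            if HIDE_FILE in entries:
                findings.append(f"hiding file: {entries[HIDE_FILE]}")
    return findings


def check_winlogon_taskman(values: dict) -> list:
    """Flag a Winlogon 'Taskman' value whose data points at sysdate.exe.

    `values` is the Winlogon key as a {name: data} dict so the check runs on
    any platform; on Windows fill it with read_winlogon_values().
    """
    for name, data in values.items():
        if name.lower() == "taskman" and WORM_EXE in str(data).lower():
            return [f"Winlogon Taskman persistence -> {data}"]
    return []


def read_winlogon_values() -> dict:
    """Read HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon (Windows only)."""
    import winreg  # only available on Windows, hence the local import
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = data
            index += 1
    return values


def build_sample_layout() -> Path:
    """Create a constructed tree mimicking an infected system drive (C) and USB stick (E)."""
    base = Path(tempfile.mkdtemp(prefix="autorun_ss_demo_"))
    # SID suffix below is made up; real names start with S-1-5-21 as the write-up says
    sid_dir = base / "C" / "RECYCLER" / "S-1-5-21-1234567890-1111-2222-500"
    sid_dir.mkdir(parents=True)
    (sid_dir / "sysdate.exe").write_bytes(b"placeholder bytes, not malware")
    (sid_dir / "Desktop.ini").write_text("[.ShellClassInfo]\n")
    usb = base / "E"
    (usb / "temp").mkdir(parents=True)
    (usb / "temp" / "winsetup.exe").write_bytes(b"placeholder bytes, not malware")
    (usb / "temp" / "Desktop.ini").write_text("[.ShellClassInfo]\n")
    (usb / "autorun.inf").write_text("[autorun]\n")
    return base


if __name__ == "__main__":
    base = build_sample_layout()
    for line in scan_system_drive(base / "C") + scan_removable_drive(base / "E"):
        print(line)
    # constructed registry snapshot; on Windows use read_winlogon_values() instead
    print(check_winlogon_taskman({"Taskman": r"C:\RECYCLER\S-1-5-21-x\sysdate.exe"}))
```

On a live Windows host you would point scan_system_drive at each fixed drive root, scan_removable_drive at each removable drive root, and pass read_winlogon_values() to check_winlogon_taskman; a clean Winlogon key normally has no Taskman value at all, so its mere presence is worth a look even when the data does not name sysdate.exe.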