
Worm:Win32/Ainslot.A


First posted on 15 February 2019.
Source: Microsoft

Aliases :

Worm:Win32/Ainslot.A is also known as TROJ_GEN.UAE171Y, Trojan.Win32.Swisyn.aedl.

Explanation :

Installation

When run, Worm:Win32/Ainslot.A copies itself to %APPDATA%\winlogon.exe.

It changes the following registry entries to ensure that its copy runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Winlogon"
With data: "%APPDATA%\winlogon.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Winlogon"
With data: "%APPDATA%\winlogon.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "Winlogon"
With data: "%APPDATA%\winlogon.exe"

In subkey: HKLM\Software\Microsoft\Active setup\Installed components\{27de4d5a-faae-4f1c-c1d6-df3177fcda6a}
Sets value: "StubPath"
With data: "%APPDATA%\winlogon.exe"

It also creates this file on your PC as part of its installation routine:

%APPDATA%\data.dat

Spreads via...

Removable drives

Worm:Win32/Ainslot.A can create the following copies on removable drives, like USB flash drives:

:.exe
:autorun.ini

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Changes system security settings

Worm:Win32/Ainslot.A adds itself to the list of applications that are authorized to access the Internet without being stopped by your firewall, by making the following registry change:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%APPDATA%\winlogon.exe"
With data: "%APPDATA%\winlogon.exe:*:enabled:windows messanger"

Contacts servers

Worm:Win32/Ainslot.A might contact a remote server at mem0rex.no-ip.info using port 6661. Commonly, malware does this to:

Report a new infection to its author
Receive configuration or other data
Download and run files (including updates or additional malware)
Receive instruction from a hacker
Upload data taken from your PC
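The indicators above (the Run and Active Setup persistence values from the Installation section, the firewall AuthorizedApplications entry from the Payload section, and the mem0rex.no-ip.info:6661 contact from this section) can be checked offline against a registry export and a connection log. The script below is an added example, not part of the Microsoft description: it parses a `.reg` file as written by `reg export`, looks for each indicator, and scans connection-log lines in a simple constructed `<timestamp> <src>:<port> -> <dst>:<port>` format. The sample export and log lines are constructed for the example; the path form and log format are assumptions, and `%APPDATA%` is matched both literally and in its expanded `\AppData\Roaming` form, since a real export stores the expanded path.

```python
"""Host triage for the Worm:Win32/Ainslot.A indicators described above.

Added example (not from the Microsoft write-up). Input formats are assumed:
a .reg export as produced by `reg export`, and one connection per log line.
"""
import re

# Indicators taken from the description above (registry names are case-insensitive).
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "Winlogon",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run": "Winlogon",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active setup\Installed components"
    r"\{27de4d5a-faae-4f1c-c1d6-df3177fcda6a}": "StubPath",
}
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
C2_HOST = "mem0rex.no-ip.info"
C2_PORT = 6661

# A real export stores %APPDATA% expanded, so accept either spelling of the dropped copy.
DROPPED_COPY = re.compile(r"(%APPDATA%|\\AppData\\Roaming)\\winlogon\.exe$", re.IGNORECASE)
# Assumed log format: "<timestamp> <src>:<sport> -> <dst>:<dport>", dst a hostname or IP.
CONN_LINE = re.compile(r"(?P<src>\S+):\d+ -> (?P<dst>\S+):(?P<port>\d+)")


def _unescape(s):
    # .reg string syntax escapes quotes and backslashes.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key paths are case-insensitive
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = _unescape(name.strip('"'))
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_persistence(keys):
    """Flag Run / Active Setup values that launch the dropped winlogon.exe copy."""
    hits = []
    for key, value_name in PERSISTENCE_KEYS.items():
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() == value_name.lower() and DROPPED_COPY.search(data):
                hits.append((key, name, data))
    return hits


def find_firewall_exception(keys):
    """Flag an AuthorizedApplications entry that whitelists the dropped copy."""
    hits = []
    for name, data in keys.get(FIREWALL_KEY.lower(), {}).items():
        # Entry format is "<path>:*:Enabled:<display name>"; the value name is the path.
        if DROPPED_COPY.search(name) and ":*:enabled:" in data.lower():
            hits.append((name, data))
    return hits


def find_c2_contacts(log_lines):
    """Return (line, reason) for connections to the C2 host, or to its port on any host.
    A bare port match is weaker evidence than the hostname and is labelled as such."""
    hits = []
    for line in log_lines:
        m = CONN_LINE.search(line)
        if not m:
            continue
        dst, port = m.group("dst").lower(), int(m.group("port"))
        if dst == C2_HOST:
            hits.append((line, "c2-host"))
        elif port == C2_PORT:
            hits.append((line, "c2-port-only"))
    return hits


def triage(reg_text, log_lines):
    keys = parse_reg_export(reg_text)
    return {"persistence": find_persistence(keys),
            "firewall": find_firewall_exception(keys),
            "network": find_c2_contacts(log_lines)}


# Constructed sample export: an infected user's Run key, Active Setup entry and firewall list.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Winlogon"="C:\\Users\\bob\\AppData\\Roaming\\winlogon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active setup\Installed components\{27de4d5a-faae-4f1c-c1d6-df3177fcda6a}]
"StubPath"="C:\\Users\\bob\\AppData\\Roaming\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\bob\\AppData\\Roaming\\winlogon.exe"="C:\\Users\\bob\\AppData\\Roaming\\winlogon.exe:*:Enabled:windows messanger"
'''

# Constructed connection log lines (timestamps and addresses are made up).
SAMPLE_LOG = [
    "2019-02-15T10:00:01 10.0.0.5:49152 -> update.microsoft.com:443",
    "2019-02-15T10:00:07 10.0.0.5:49160 -> mem0rex.no-ip.info:6661",
    "2019-02-15T10:00:09 10.0.0.5:49161 -> 203.0.113.7:6661",
]

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_REG, SAMPLE_LOG).items():
        print(section)
        for finding in findings:
            print("  ", finding)
```

On the sample data the script reports the HKCU Run value and the Active Setup StubPath (the HKLM Run and policies\Explorer\Run keys are absent from the export, so they produce no finding), the firewall exception for the dropped copy, and two network lines: one on the hostname and one on the port alone. Run it against real `reg export` output for the keys listed above and a proxy or flow export converted to the assumed line format.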

This malware description was produced and published using our automated analysis system's examination of file SHA1 3a0875a40b7eeb2b3eb893cb029c434c7d44ce0d.

Last update 15 February 2019

