Home / malware Worm:Win32/Abfewsm.A
First posted on 27 April 2019.
Source: MicrosoftAliases :
Worm:Win32/Abfewsm.A is also known as Win32/SillyAutorun.AJH, Trojan-Dropper.Win32.Autoit.y, AutoIt.BT, W32/Autoit-EA, Trojan.DR.Autoit.WG, Win32/AutoRun.Autoit.AH, W32/Autorun.worm.h, W32/Sohanat.IW.
Explanation :
Worm:Win32/Abfewsm.A is a worm that spreads by placing copies of itself in the folder used for files to be written into CDs. It is capable of modifying a variety of system services as well as disabling Control Panel and registry editors. It may also modify some firewall settings. InstallationWorm:Win32/Abfewsm.A arrives in the system as a file that uses the Windows Explorer icon. It also creates a shortcut with no icon that points to itself:
.LNK Note - refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%Start MenuProgramsStartup'. For Windows Vista, the default location is '%USERPROFILE%AppDataRoamingMicrosoftWindowsStart MenuProgramsStartup'.
Worm:Win32/Abfewsm.A creates compressed file copies of itself in the Windows folder using the following names: CyberWar.cab
fh_antivirussetup6534.cab
kavSetupEng3857.cab
mario675.cab
New WinRAR archive.cab
New WinRAR ZIP archive.cab
New WinZip File.cab
new-screamsaver.com.cab
supermodels.cab
Youtube.cab It also copies itself to the following locations: %windir%KHATARNAKH.exe
%windir%Xplorer.exe
%systemroot%KHATRA.exe
%windir%systemgHost.exe
KHATRA.exe Note - refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:WinntSystem32; and for XP and Vista is C:WindowsSystem32. It also creates the following files containing settings it uses: %windir%K.BackupC_Drive_Documents and Settings_Administrator_Start Menu_Programs_Startup_desktop.ini.FUCKED
%windir%K.BackupC_Drive_Documents and Settings_All Users_Start Menu_Programs_Startup_desktop.ini.FUCKED
%windir%K.BackupC_Drive_Documents and Settings_All Users_Start Menu_Programs_Startup_whoami.lnk.FUCKED Worm:Win32/Abfewsm.A creates the following registry entries to allow its copy to automatically run every time Windows starts: Adds value: "PHIME2002A"
With data: "KHATRA.exe"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun Adds value: "PHIME2002ASync"
With data: "%windir%Xplorer.exe"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun Adds value: "load"
With data: "KHATRA.exe"
To subkey: HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows It also creates the following registry key, which contains its settings: HKLMSOFTWAREKHATRA Worm:Win32/Abfewsm.A also creates a job that runs itself every day at 09:00 by running the following commands in succession: "AT /delete /yes" - deletes all previously scheduled jobs"AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:WINDOWSsystem32KHATRA.exe" - creates a scheduled task to run its copy It then adds the following registry entry so that its scheduled job recurs indefinitely: Adds value: "AtTaskMaxHours"
With data: "0"
To subkey: HKLMSYSTEMCurrentControlSetServicesScheduleSpreads via…Compact discsWorm:Win32/Abfewsm.A copies itself as the following files to ensure that they are included when a CD is written to: %AppData%MicrosoftCD BurningAdministrator.exe
%AppData%MicrosoftCD BurningKHATRA.exe
%AppData%MicrosoftCD BurningNew Folder(3).exe - copied as a hidden file
%AppData%MicrosoftCD Burningautorun.inf - initialization file that ensures that 'KHATRA.exe' is automatically executed when the CD is accessed and Autorun is enabled As such, when a CD is written with the affected computer and then run from another computer, the worm copy automatically runs and infects that system.PayloadModifies system servicesWorm:Win32/Abfewsm.A sets the following services to run automatically: Remote Desktop Sharing service
Removable Storage service
Remote Desktop Help Session Manager
Terminal Server service
Telnet Server service
UPnP device hosting It does this by modifying the system registry, respectively: Adds value: "Start"
With data: "2"
To subkeys:
HKLMSYSTEMControlSet001Servicesmnmsrvc
HKLMSYSTEMControlSet001ServicesNtmsSvc
HKLMSYSTEMControlSet001ServicesRDSessMgr
HKLMSYSTEMControlSet001ServicesTermService
HKLMSYSTEMControlSet001ServicesTlntSvr
HKLMSYSTEMControlSet001Servicesupnphost Worm:Win32/Abfewsm.A disables the following services: Protected Storage service
Windows Security Center service It does this by modifying the system registry, respectively: Adds value: "Start"
With data: "4"
To subkeys:
HKLMSYSTEMControlSet001ServicesProtectedStorage
HKLMSYSTEMControlSet001Serviceswscsvc It also sets the Schedule service to run manually: Adds value: "Start"
With data: "3"
To subkey: HKLMSYSTEMControlSet001ServicesSchedule Changes system firewall policyWorm:Win32/Abfewsm.A modifies the following registry entry, which prevents the system firewall from working: Modifies value: "Epoch"
From data: "6A, 60, 00, 00"
To data: "6B, 60, 00, 00"
In subkey: HKLMSYSTEMControlSet001ServicesSharedAccessEpoch It also modifies the firewall policy so that its copy is tagged as an authorized application and able to pass through the firewall: Adds value: "KHATRA.exe"
With data: "KHATRA.exe:*:Enabled:System"
To subkey: HKLMSYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList Modifies system settingsWorm:Win32/Abfewsm.A disables the option in Windows Explorer to show all files: Adds value: "CheckedValue"
With data: "0"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenSHOWALL It also enables certain files to be tagged as 'hidden': Adds value: "Hidden"
With data: "0"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced Worm:Win32/Abfewsm.A also disables the Control Panel and the registry editor tools by modifying the following registry entries: Modifies value: "NoControlPanel"
With data: "1"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer Modifies value: "DisableRegistryTools"
With data: "1"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem Modifies Internet Explorer settingsWorm:Win32/Abfewsm.A changes the window title for Internet Explorer to "Internet Exploiter". Analysis by Jaime WongLast update 27 April 2019