
Worm:Win32/Autorun.XV


First posted on 01 June 2010.
Source: SecurityHome

Aliases:

Worm:Win32/Autorun.XV is also known as TR/Proxy.JF (Avira), Troj/Proxy-JF (Sophos), Trojan.Win32.AutoIt.gen.1 (Sunbelt Software).

Explanation:

Worm:Win32/Autorun.XV is a worm that drops multiple copies of itself in the computer. Some of its copies are dropped in removable drives; on computers that have Autorun enabled, the worm copies are automatically run every time the drive is accessed. Some of its copies are dropped in shared folders of peer-to-peer (P2P) programs; on computers that have running P2P programs, this causes the worm to be downloaded by other remote users.

Installation

Upon execution, Worm:Win32/Autorun.XV drops the following copies of itself:

  • Under <system folder>:
    587.dll .exe
    ominiu.exe
    25.dll .exe
  • Under %USERPROFILE%:
    ominiu.exe
  • Under %ProgramFiles%\Internet Explorer\mui:
    bcv.exe
  • Under %ProgramFiles%\Common Files\System:
    ret.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Worm:Win32/Autorun.XV creates the following registry entry so that one of its copies automatically runs every time Windows starts:

  Adds value: "WinRegisterDLL"
  With data: "<system folder>\587.dll .exe"
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also drops the following files, which are also detected as Worm:Win32/Autorun.XV:

  • %Temp%\aute.tmp
  • %Temp%\autf.tmp
  • <system folder>\svchosts32.exe
  • %ProgramFiles%\Common Files\System\svchosts32.exe

Worm:Win32/Autorun.XV then executes the following copies:

  • bcv.exe
  • ominiu.exe
  • ret.exe
  • svchosts32.exe

The files "ominiu.exe" and "ret.exe" may do the following:

  • Drop two copies of itself as the following:
    <system folder>\<3 digits>.dll .exe (for example, "798.dll .exe")
    <system folder>\<3 digits>.dll .exe (for example, "679.dll .exe")
  • Modify the following registry entry to load itself at startup:
    Adds value: "WinRegisterDLL"
    With data: "<system folder>\<3 digits>.dll .exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The file "bcv.exe" may do the following:

  • Drop two copies of itself as the following:
    <system folder>\<2 digits>.dll .exe
    <system folder>\<3 digits>.dll .exe
  • Modify the following registry entry to load itself at startup:
    Adds value: "WinRegisterDLL"
    With data: "<system folder>\<2 digits>.dll .exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spreads via...

Removable drives

Worm:Win32/Autorun.XV drops the following copies of itself:

  • Under C: and all removable drives:
    ominiu.exe
    windriveexplorer.exe
  • Under C: and D: and all removable drives, %windir%, and C:\shared:
    mypasswords.txt .exe
    cod4_setup.exe
    52038.exe

It also drops the file "autorun.inf" in C: and all removable drives. This INF file is designed to automatically run a worm copy when the drive is accessed and Autorun is enabled on the computer.

Peer-to-peer programs

Worm:Win32/Autorun.XV drops the following copies of itself:

  • bf2.exe
  • wow+keygen.exe
  • botnetadmin.exe
  • sex411.txt .exe

under the following folders, if the P2P program (Kazaa, KMD, Morpheus, Grokster, or Edonkey) is installed in the computer:

  • %ProgramFiles%\kazaa lite\my shared folder
  • %ProgramFiles%\kmd\my shared folder
  • %ProgramFiles%\morpheus\my shared folder
  • %ProgramFiles%\grokster\my grokster
  • %ProgramFiles%\edonkey2000\incoming

If the P2P program is used, the worm copies are shared to and may be downloaded by other remote users.
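The persistence and spreading indicators described above (the "WinRegisterDLL" Run value, the "<digits>.dll .exe" naming of the system-folder copies, the "name.txt .exe" double-extension names, and an autorun.inf that launches a dropped copy) can be turned into a host check. The following Python script is an added example, not part of this write-up or of any vendor tool. The Run-key entries, the removable-drive listing and the autorun.inf contents it scans are constructed sample data, and the "open="/"shellexecute=" keys it looks for are the standard autorun.inf keys, not something the write-up states this worm's INF file uses.

```python
import re

# Indicators taken from the write-up: the Run-key value name the worm adds,
# the "<digits>.dll .exe" naming of its system-folder copies, the
# "name.txt .exe" double-extension trick, and the file names it drops.
RUN_VALUE_NAME = "WinRegisterDLL"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DLL_EXE_COPY = re.compile(r"\\\d{2,3}\.dll \.exe$", re.IGNORECASE)
DOUBLE_EXTENSION = re.compile(r"\.(txt|dll)\s+\.exe$", re.IGNORECASE)
DROPPED_NAMES = {
    "ominiu.exe", "windriveexplorer.exe", "cod4_setup.exe", "52038.exe",
    "bcv.exe", "ret.exe", "svchosts32.exe", "bf2.exe", "wow+keygen.exe",
    "botnetadmin.exe", "587.dll .exe", "25.dll .exe",
}


def check_run_entries(entries):
    """Flag Run-key values whose name or data matches the worm's persistence entry.

    entries maps value name -> value data as collected from the Run subkey
    named in RUN_KEY; the caller supplies it, nothing is read live here.
    """
    return [(name, data) for name, data in entries.items()
            if name == RUN_VALUE_NAME or DLL_EXE_COPY.search(data)]


def autorun_targets(inf_text):
    """Return the programs an autorun.inf would launch (open= / shellexecute=
    lines in its [autorun] section). Assumed standard INF keys, not from the write-up."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and key.strip().lower() in ("open", "shellexecute"):
            targets.append(value.strip())
    return targets


def suspicious_files(paths):
    """Flag dropped-copy names and double-extension names in a directory listing."""
    flagged = []
    for path in paths:
        base = path.rsplit("\\", 1)[-1]
        if base.lower() in DROPPED_NAMES or DOUBLE_EXTENSION.search(base):
            flagged.append(path)
    return flagged


def scan(run_entries, inf_text, listing):
    """Combine the three checks into one findings dict."""
    return {
        "run_key_hits": check_run_entries(run_entries),
        "autorun_launches": autorun_targets(inf_text),
        "suspicious_files": suspicious_files(listing),
    }


# Constructed sample input (not captured from a real host): one benign Run
# value, the worm's persistence value, a removable-drive listing and the
# kind of autorun.inf that would launch a dropped copy.
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "WinRegisterDLL": r"C:\Windows\System32\587.dll .exe",
}
SAMPLE_AUTORUN_INF = "[autorun]\r\nopen=ominiu.exe\r\nicon=ominiu.exe\r\n"
SAMPLE_LISTING = [
    r"E:\autorun.inf", r"E:\ominiu.exe", r"E:\mypasswords.txt .exe",
    r"E:\holiday.jpg", r"E:\windriveexplorer.exe",
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_RUN, SAMPLE_AUTORUN_INF, SAMPLE_LISTING).items():
        print(f"{kind}: {hits}")
```

On a real host, feed check_run_entries from the values of the Run subkey and suspicious_files from a listing of each removable-drive root and the P2P shared folders listed above. The two regular expressions matter more than the fixed name list: they catch the 2- and 3-digit ".dll .exe" variants that the write-up says ominiu.exe, ret.exe and bcv.exe generate, which a list of exact names would miss.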

Analysis by Andrei Florin Saygo

Last update 01 June 2010
