
Win32.Worm.AutoIt.AC


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.AutoIt.AC is also known as Worm:Win32/Autorun.FH, Trojan.Win32.Autoit.ci.

Explanation:

This worm is a compiled AutoIt script that carries a folder icon in order to trick the user into running it. If run, it will perform the following actions:

- drop a file named svchost.exe in the %System%\28463 folder - this file is detected as Trojan.Keylog.Ardamax.NAL and will be used to log the user's activity and send it to the malware author. The keystrokes will be logged in two files named svchost.001 and svchost.002 created in the %System%\28463 folder

- create the following three copies of itself:
%Windows%\regsvr.exe
%System%\svchost .exe (hidden)
%System%\regsvr.exe (hidden)

and add/modify the following registry keys so that the worm and the keylogger are run at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Name: svchost Agent
Value: %System32%\28463\svchost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: Msn Messenger
Value: %System%\regsvr.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: Shell
Value: Explorer.exe regsvr.exe

- delete all scheduled tasks using the following command line:
cmd.exe /C AT /delete /yes
and then create its own scheduled task using the following command:
cmd.exe /C AT 09.00 /interactive /EVERY:m,t,w,th,f,s,su %windows%\svchost .exe
which will be used to run one of the copies of the malware.

- create a file named setup.ini in the %System% folder in order to spread itself on removable drives

It will also modify the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = 0x00000000 - disables access to Tools | Folder Options in Windows Explorer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 0x00000001 - disables the registry tools

- try to download the following files to the user's computer:
http://www.yahoo.com/setting.doc
http://www.yahoo.com/setting.xls
http://yahoo.com/setting.doc
http://yahoo.com/setting.xls
(when this description was written the URLs were no longer active)
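Added example (not BitDefender's or this page's own code): a small Python check that parses a constructed `reg export` snippet containing the persistence entries listed above and flags the Run values that point at the worm's copies or its 28463 keylogger folder, plus the tampered Winlogon Shell value; the expanded drive letter, the benign Run entry and the .reg layout of the sample are assumptions.

```python
import re
# Constructed sample in "reg export" (.reg) layout, not real host data; the three
# persistence entries mirror the description above, plus one benign Run entry.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost Agent"="C:\\WINDOWS\\system32\\28463\\svchost.exe"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messenger"="C:\\WINDOWS\\system32\\regsvr.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe regsvr.exe"
"""

RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Copy names used by the worm (note the space in "svchost .exe"; regsvr.exe is not a standard Windows binary)
SUSPECT_FILES = {"regsvr.exe", "svchost .exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse the REG_SZ lines of a .reg export into {key.lower(): {name: data}},
    undoing the backslash doubling that .reg files apply to string data."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            entries.setdefault(key, {})
        elif key is not None and (m := VAL_RE.match(line)):
            entries[key][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def find_indicators(entries):
    """Return (key, value name, data) for entries matching this worm's persistence."""
    hits = []
    for key in RUN_KEYS:
        for name, data in entries.get(key, {}).items():
            low = data.lower()
            if low.rsplit("\\", 1)[-1] in SUSPECT_FILES or "\\28463\\" in low:
                hits.append((key, name, data))
    # Winlogon\Shell should be exactly "explorer.exe"; anything appended is started alongside the shell.
    winlogon = entries.get(WINLOGON, {})
    shell = next((v for n, v in winlogon.items() if n.lower() == "shell"), "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        hits.append((WINLOGON, "Shell", shell))
    return hits
```

On a live host the same logic can be fed the output of `reg export` for the three keys; any hit is a reason to also look for the %System%\28463 folder and the AT-created task.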

Last update 21 November 2011
