
Win32.Worm.Autorun.UB


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Autorun.UB is also known as Worm.Win32.AutoRun.aqpt, Worm:Win32/Emold.U.

Explanation:

Upon execution this worm will make a copy of itself at "C:\Windows\system32\logon.exe".
It will modify the registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", setting it to "Explorer.exe logon.exe",
which causes the malware to be executed at every user logon.

The worm will inject malicious code into the memory space of "svchost.exe" and "explorer.exe" processes, after which it will terminate its process in order to hide its presence.

From the memory space of the "svchost.exe" process it will perform the following malicious actions:
- replaces one driver from "C:\Windows\system32\DRIVERS" (for example asyncmac.sys) with a malicious driver which can collect various system information and can hook a set of important Windows API functions.
- starts a service for the malicious driver and then hides its traces by replacing the file on the disk with the original clean driver.
- sends the Windows Product ID of the infected machine to the address "http://myblogs.[removed]/news".
- spreads itself to removable drives by copying itself as "autorun.exe" and creating an "autorun.inf" file which contains the following commands, so that the worm is run automatically on any machine the removable drive is connected to:
open=autorun.exe
shellexecute=autorun.exe
shell\Explore\command=autorun.exe
shell\Open\command=autorun.exe
shell=Explore

From the memory space of the "explorer.exe" process the worm will delete its original file in order to clean its traces.
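The two host artifacts described above (the modified Winlogon Shell value and the autorun.inf dropped on removable drives) can be triaged offline from collected registry and file data. The following is an added example written for this page, not BitDefender's or malwarePDF's code; the sample autorun.inf body is constructed from the listing above, and the Shell value is split on both commas and whitespace because the page shows a space-separated value while Windows also accepts comma-separated lists.

```python
"""Triage helpers for the Winlogon Shell persistence and autorun.inf spread artifacts."""
import re

# Winlogon\Shell should normally contain only explorer.exe; anything else
# listed in it is launched at every interactive logon.
def winlogon_shell_extras(value):
    """Return entries in a Winlogon Shell value other than explorer.exe."""
    entries = [e.strip() for e in re.split(r"[,\s]+", value) if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]

# autorun.inf keys that cause a program to run when the drive is opened
# or when one of its shell verbs is selected.
_RUN_KEYS = {"open", "shellexecute"}
_VERB_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

def autorun_inf_findings(text):
    """Parse an autorun.inf body and return (key, value) pairs that launch a file."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        # Accept keys before any section header as well as inside [autorun].
        if section not in (None, "autorun"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.lower() in _RUN_KEYS or _VERB_CMD.match(key):
            findings.append((key, value))
    return findings

# Constructed sample reproducing the autorun.inf content listed above.
SAMPLE_AUTORUN_INF = """[autorun]
open=autorun.exe
shellexecute=autorun.exe
shell\\Explore\\command=autorun.exe
shell\\Open\\command=autorun.exe
shell=Explore
"""

if __name__ == "__main__":
    print(winlogon_shell_extras("Explorer.exe logon.exe"))
    for key, value in autorun_inf_findings(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {value}")
```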

Last update 21 November 2011
