
Trojan.AutoIt.TD


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.AutoIt.TD is also known as Worm:Win32/Sohonad, W32/YahLover.worm.gen, W32.Imaut.N.

Explanation:

Trojan.AutoIt.TD is a compiled AutoIt script that carries a folder icon in order to lure the user into executing it. Upon execution it performs the following malicious actions:

- creates the following two copies of itself:
C:\Windows\RVHOST.exe - with folder icon
C:\Windows\system32\RVHOST.exe - hidden file

- adds the following registry keys in order to be run at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: Yahoo Messengger
Value: C:\Windows\system32\RVHOST.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: Shell
Value: Explorer.exe RVHOST.exe

- spreads via Yahoo! Messenger by sending messages triggering users to click on the link http://nhattroun[removed].0catch.com

- deletes all scheduled tasks using the following command line:
cmd.exe /C AT /delete /yes
and then creates its own scheduled task using the following command:
cmd.exe /C AT 09.00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
which runs one of the copies of the malware every day at 9 am.

- tries to download the following files to the user's computer:
http://nhatquan[removed].0catch.com/setting.nql
http://nhatquan[removed].0catch.com/setting.xls
http://www.freewebs.com/nhattroun[removed]/setting.nql
http://www.freewebs.com/nhattroun[removed]/setting.xls

- copies itself on all removable devices connected to the infected computer under the name NewFolder.exe

- copies itself as a shared resource on the network and adds the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Name: shared
Value: NewFolder.exe

- modifies the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions = 0x00000000 - disables access to Tools | Folder Options in Windows Explorer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 0x00000001 - disables the Registry Editor
DisableTaskMgr = 0x00000001 - disables Task Manager
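The artifacts listed above (dropped copies, Run and Winlogon Shell entries, the WorkgroupCrawler share entry, the Explorer/System policy values, the AT job and the removable-media copy) are the ones a responder would want to check for on a suspect host. The following read-only PowerShell triage script is an added example and is not part of the BitDefender description; it assumes it is run in an elevated PowerShell session (so HKLM and system32 are readable) on an English-language Windows build (the `schtasks` CSV column names `TaskName` and `Task To Run` are localized on other builds). It only reports; it changes nothing.

```powershell
# Added example: read-only hunt for the Trojan.AutoIt.TD host artifacts
# described above. Assumes an elevated session and English schtasks headers.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies: folder-icon copy in %SystemRoot%, hidden copy in system32
foreach ($p in @("$env:SystemRoot\RVHOST.exe", "$env:SystemRoot\system32\RVHOST.exe")) {
    if (Test-Path -LiteralPath $p) {
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        $findings.Add("file present: $p (attributes: $attr)")
    }
}

# 2. Run key entry named 'Yahoo Messengger' (the misspelling is the malware's own)
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Yahoo Messengger']) {
    $findings.Add("Run value 'Yahoo Messengger' -> $($run.'Yahoo Messengger')")
}

# 3. Winlogon Shell hijack: anything other than plain explorer.exe deserves a look
$wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.Shell -and ($wl.Shell.Trim() -ine 'explorer.exe')) {
    $findings.Add("Winlogon Shell is '$($wl.Shell)' (expected 'explorer.exe')")
}

# 4. WorkgroupCrawler share entry pointing at NewFolder.exe
$sh = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares' -ErrorAction SilentlyContinue
if ($sh -and $sh.PSObject.Properties['shared'] -and ($sh.shared -ieq 'NewFolder.exe')) {
    $findings.Add("WorkgroupCrawler\Shares value 'shared' -> $($sh.shared)")
}

# 5. Policy values the sample writes to lock the user out of Folder Options,
#    the Registry Editor and Task Manager. Their mere presence under HKCU
#    Policies on a workstation that is not domain-managed is worth reporting.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoFolderOptions')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr')
}
foreach ($key in $policies.Keys) {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $v) { continue }
    foreach ($name in $policies[$key]) {
        if ($v.PSObject.Properties[$name]) {
            $findings.Add("$key\$name = $($v.$name)")
        }
    }
}

# 6. Scheduled task (created via the legacy AT.exe) that launches RVHOST.exe
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -match 'RVHOST\.exe') {
        $findings.Add("scheduled task '$($t.TaskName)' runs $($t.'Task To Run')")
    }
}

# 7. NewFolder.exe dropped on the root of removable drives (DriveType 2)
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue
foreach ($d in $removable) {
    $p = "$($d.DeviceID)\NewFolder.exe"
    if (Test-Path -LiteralPath $p) { $findings.Add("removable media copy: $p") }
}

if ($findings.Count -eq 0) {
    'No Trojan.AutoIt.TD indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The Winlogon check deliberately flags any Shell value other than `explorer.exe` rather than only `Explorer.exe RVHOST.exe`, since variants of this family rename the dropped file; treat a hit there as a reason to pull the file it names, not as proof of this exact sample.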

Last update 21 November 2011
