
Trojan.AutoIt.TE


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.AutoIt.TE is also known as Win32/YahLover.BP, Worm:Win32/Nugel.Q, W32.Imaut, Worm.Win32.Sohanad.NCB.

Explanation:

Trojan.AutoIt.TE is a compiled AutoIt script that uses a folder icon to trick the user into executing it. It spreads via Yahoo Messenger, removable drives and network shares.

When executed it will perform the following actions:

Creates a copy of itself with the attributes "read-only", "hidden" and "system" in:

%SystemDir%\scvhost.exe
%SystemDir%\lastclnnn.exe
%WinDir%\scvhost.exe
%WinDir%\hinhem.scr

Modifies the following registry values to run one of its copies at each Windows start:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> Explorer.exe scvhost.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger -> %SystemDir%\scvhost.exe

Disables the Tools -> Folder Options menu item in Windows Explorer by setting the
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions registry value to 1. The user can therefore no longer change the "Show hidden files and folders" setting and cannot reveal the hidden copies of the trojan.

Disables Task Manager and Registry Editor by setting the following registry values to 1:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

Sets the HKLM\System\CurrentControlSet\Services\Schedule\AtTaskMaxHours registry value to 0, which removes the default timeout period for scheduled tasks. It then cancels all existing scheduled tasks and creates a new one that executes the copy in %SystemDir%\lastclnnn.exe every day at 09:00.
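The persistence and lockout changes listed above are all plain registry values, so they can be checked from an exported .reg file without touching a live machine. The script below is an added example for this page, not BitDefender's code or part of the advisory: it parses a registry export and reports the Winlogon Shell chain, the Run entry pointing at a dropped file, the three policy values set to 1 and AtTaskMaxHours set to 0. The sample export is constructed from the values the advisory describes; the C:\WINDOWS\system32 path standing in for %SystemDir% is an assumption.

```python
import re

# Registry keys named in the advisory, lower-cased for comparison.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
POLICY_EXPLORER_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
POLICY_SYSTEM_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
SCHEDULE_KEY = r"hkey_local_machine\system\currentcontrolset\services\schedule"
# File names the advisory says the trojan drops.
DROPPED_NAMES = ("scvhost.exe", "lastclnnn.exe", "hinhem.scr")

# Constructed .reg export reflecting the state described in the advisory.
# Not captured from a real host; the system32 path is an assumed %SystemDir%.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe scvhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\scvhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
"""

# Constructed export of a clean machine, for comparison.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"""


def parse_reg_export(text):
    """Map (key, value name) -> data for the string and DWORD values in a .reg export."""
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = re.match(r'^"(.+?)"=(.*)$', line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
        else:
            value = data
        values[(current_key, name.lower())] = value
    return values


def check_indicators(text):
    """Return a list of human-readable findings matching the advisory's registry changes."""
    values = parse_reg_export(text)
    findings = []
    shell = values.get((WINLOGON_KEY, "shell"))
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is not plain Explorer.exe: {shell!r}")
    for (key, name), data in values.items():
        if key == RUN_KEY and isinstance(data, str) and any(n in data.lower() for n in DROPPED_NAMES):
            findings.append(f"Run entry {name!r} launches a dropped file: {data!r}")
    for key, name, label in (
        (POLICY_EXPLORER_KEY, "nofolderoptions", "Folder Options menu disabled"),
        (POLICY_SYSTEM_KEY, "disabletaskmgr", "Task Manager disabled"),
        (POLICY_SYSTEM_KEY, "disableregistrytools", "Registry Editor disabled"),
    ):
        if values.get((key, name)) == 1:
            findings.append(f"{label} ({name}=1)")
    if values.get((SCHEDULE_KEY, "attaskmaxhours")) == 0:
        findings.append("AtTaskMaxHours set to 0 (scheduled-task timeout removed)")
    return findings


if __name__ == "__main__":
    for finding in check_indicators(SAMPLE_REG_EXPORT):
        print("FINDING:", finding)
```

A real export produced by reg.exe is UTF-16 encoded, so read it with open(path, encoding="utf-16") before passing the text in. Remediation is the reverse of the findings: restore Shell to "Explorer.exe", delete the Run entry, and set the three policy values back to 0 once the dropped files have been removed.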

Creates the file %SystemDir%\autorun.ini with the following content:

[Autorun]
Open=scvhost.exe
Shellexecute=scvhost.exe
Shell\Open\command=scvhost.exe
Shell=Open

This file is copied to removable devices and network shares, where it causes the malware to execute.
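Every directive in that file (Open, Shellexecute, the Shell\Open\command verb and Shell=Open selecting that verb as default) is a separate way of getting the same program started, which is why a triage script should look at all of them rather than just Open=. The parser below is an added example, not part of the advisory or BitDefender's tooling: it reads autorun.inf text with Python's configparser, collects every launch directive, and lists the programs the file would run. Both sample files are constructed; the first reproduces the content quoted above.

```python
import configparser

# Constructed copy of the autorun.ini content quoted in the advisory.
SAMPLE_AUTORUN_INF = r"""[Autorun]
Open=scvhost.exe
Shellexecute=scvhost.exe
Shell\Open\command=scvhost.exe
Shell=Open
"""

# Constructed benign autorun.inf that only sets a label and an icon.
BENIGN_AUTORUN_INF = r"""[Autorun]
Label=Backup disk
Icon=disk.ico
"""


def _autorun_section(inf_text):
    """Return the [autorun] section regardless of the case used for its name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf_text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return cp[name]
    return None


def launch_directives(inf_text):
    """Map each directive that causes a program to run to its target (keys are lower-cased)."""
    section = _autorun_section(inf_text)
    if section is None:
        return {}
    found = {}
    for key, value in section.items():
        if key in ("open", "shellexecute"):
            found[key] = value
        elif key.startswith("shell\\") and key.endswith("\\command"):
            found[key] = value  # command for a custom verb, e.g. shell\open\command
        elif key == "shell":
            found["shell (default verb)"] = value  # names which verb runs by default
    return found


def launched_programs(inf_text):
    """Distinct program names the file would start, lower-cased and sorted."""
    targets = set()
    for key, value in launch_directives(inf_text).items():
        if key.startswith("shell (") or not value.strip():
            continue
        targets.add(value.strip().split()[0].lower())  # program name before any arguments
    return sorted(targets)


def references_known_dropper(inf_text, names=("scvhost.exe",)):
    """True if any launched program matches a name the advisory attributes to the trojan."""
    return any(program in names for program in launched_programs(inf_text))


if __name__ == "__main__":
    print(launch_directives(SAMPLE_AUTORUN_INF))
    print("launches:", launched_programs(SAMPLE_AUTORUN_INF))
    print("known dropper name:", references_known_dropper(SAMPLE_AUTORUN_INF))
```

A benign autorun.inf that only sets Label and Icon yields no launched programs, so the output is empty for it; a file on a share or removable drive that starts an executable sitting next to it deserves a look regardless of the file name, since the dropper name list is only a shortcut for this particular family.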

Downloads a file into %SystemDir%\setting.ini from one of the following addresses:

http://set[removed].9999mb.com/setting.doc
http://set[removed].9999mb.com/setting.xls
http://set[removed].yeahost.com/setting.doc
http://set[removed].yeahost.com/setting.xls
http://www.free[removed]/setting3/setting.doc
http://www.free[removed]/setting3/setting.xls

The downloaded file contains a URL and the names of 5 executables, which will be downloaded and executed. At the time of writing, the URL was offline.

%SystemDir%\setting.ini also contains another URL and some messages in Vietnamese. The trojan searches for an open Yahoo Messenger window and sends the URL, a randomly chosen message from the downloaded ones and a copy of itself to everyone on the user's contact list.

It reads the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared registry value to obtain the names of the shared drives. It then copies itself to the root of each shared drive as New Folder.exe. To be executed automatically when the share is accessed, it copies the %SystemDir%\autorun.ini file to each shared drive as autorun.inf. It also searches for directories on the shared drives and copies itself into each one as %DirectoryName%.exe.
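The share propagation above leaves a recognisable file layout: New Folder.exe and autorun.inf in the share root, and inside each folder an executable carrying that folder's own name. The script below is an added example for hunting that pattern and is not part of the advisory: it walks a directory tree and reports files matching those three rules, ignoring other executables. The sample share is a temporary directory tree the script constructs itself (placeholder contents only), so it runs offline and cleans up afterwards.

```python
import os
import shutil
import tempfile


def find_share_copies(share_root):
    """Return relative paths ('/' separators) of files matching the advisory's layout.

    Root level: 'New Folder.exe' and 'autorun.inf'.
    Subfolders: '<FolderName>.exe' inside the folder called <FolderName>.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(share_root):
        rel = os.path.relpath(dirpath, share_root)
        at_root = rel == "."
        folder = os.path.basename(dirpath).lower()
        for name in filenames:
            lower = name.lower()
            if at_root and lower in ("new folder.exe", "autorun.inf"):
                hits.append(name)
            elif not at_root and lower == folder + ".exe":
                hits.append(os.path.join(rel, name).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_share():
    """Create a constructed temporary tree imitating a share the trojan has touched."""
    root = tempfile.mkdtemp(prefix="share_")
    files = [
        "New Folder.exe", "autorun.inf", "report.docx",   # root level
        "Photos/Photos.exe", "Photos/img1.jpg",           # folder-named copy
        "Docs/notes.txt", "Docs/setup.exe",               # setup.exe must not be flagged
    ]
    for entry in files:
        path = os.path.join(root, *entry.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")  # content is irrelevant; only names are checked
    return root


def scan_sample_share():
    """Build the sample tree, scan it, and remove it again."""
    root = build_sample_share()
    try:
        return find_share_copies(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in scan_sample_share():
        print("suspicious:", hit)
```

Against a real share, call find_share_copies with the mounted path or UNC path instead of the sample tree. Name matches are a triage signal rather than a verdict: confirm each hit by checking its attributes (the advisory notes the copies are marked hidden and system) and its hash before removing it.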

It searches for running instances of the BKAVPro antivirus, kills the process and deletes the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw.

It closes the following windows if they are open:

cmd.exe
mmc.exe
System Configuration
Windows Task
Registry

If it detects the presence of the FireLion anti-keylogger, it shuts down the system.

Last update 21 November 2011
