Worm:Win32/Autorun.LU


First posted on 19 May 2009.
Source: SecurityHome

Aliases:

Worm:Win32/Autorun.LU is also known as W32/AutoRun-AGE (Sophos), W32/IRCBot.CNC (Panda) and W32.IRCBot (Symantec).

Explanation:

Worm:Win32/Autorun.LU is a worm that spreads to all writeable logical drives. It also has backdoor functionality: it connects to a remote IRC server and performs actions as commanded by a remote attacker.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    C:datasystemxp.exe
  • The presence of the following registry modifications:
    Added value: "StubPath"
    With data: "C:datasystemxp.exe"
    To subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74KC2A323342}


Installation
When run, Worm:Win32/Autorun.LU creates a copy of itself in the system as:
C:datasystemxp.exe

It also creates a registry entry that allows its copy to automatically run every time Windows starts:
Adds value: "StubPath"
With data: "C:datasystemxp.exe"
To subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-74KC2A323342}

It also creates the mutex "I0L0v3Y0u0V1rUs" to ensure that only one copy of this worm resides in memory. It also injects its code into explorer.exe to avoid detection, since this makes all of its activity appear to be performed by the explorer.exe process.

Spreads Via... Logical Drives
Worm:Win32/Autorun.LU spreads by creating a copy of itself in all writeable drives as the following:
<Drive>datasystemxp.exe
where <Drive> is D:, E:, and so on. It also creates the file autorun.inf in the root of each writeable drive, which points to the xp.exe file in that drive. This ensures that when the drive is accessed and AutoRun is enabled, the worm copy is automatically run.
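The two host artifacts described above, an Active Setup StubPath value that launches something from a non-system location and an autorun.inf whose [autorun] section launches an executable stored on the drive, can both be checked offline. The following Python is an added example written for this page, not code from the original analysis or from any vendor; the registry values, autorun.inf text and the TRUSTED_PREFIXES allowlist are constructed assumptions, and on a live host you would feed the functions the real values read from the registry and from each drive root.

```python
"""Offline checks for Active Setup StubPath persistence and autorun.inf launch entries.

Added example for this page; all sample data below is constructed.
"""
import configparser
import ntpath
import re

# Directories that legitimate Active Setup StubPath commands normally run from.
# Assumed allowlist for the example; a real baseline would be built per environment.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def _first_path_token(command):
    """Return the executable path at the start of a command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_stubpaths(entries):
    """entries: iterable of (subkey_name, StubPath data) pairs read from
    HKLM\\Software\\Microsoft\\Active Setup\\Installed Components.
    Returns the subkey names whose StubPath executable lives outside TRUSTED_PREFIXES."""
    hits = []
    for subkey, data in entries:
        exe = ntpath.normpath(_first_path_token(data)).lower()
        if not exe.startswith(TRUSTED_PREFIXES):
            hits.append(subkey)
    return hits


# Keys in [autorun] that cause a file to be executed (directly or via the shell verb menu).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")


def autorun_launch_targets(inf_text):
    """Parse autorun.inf text and return every file it would launch, in file order."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        return []  # not INI-shaped at all; nothing AutoRun would act on
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":  # section names are case-insensitive on Windows
            continue
        for key, value in parser.items(section):  # keys are already lower-cased
            if key in LAUNCH_KEYS or SHELL_VERB_COMMAND.fullmatch(key):
                targets.append(_first_path_token(value))
    return targets


# Constructed sample registry values: one ordinary entry, one pointing into a user-writable tree.
SAMPLE_STUBPATHS = [
    ("{constructed-legit-0001}", "C:\\Windows\\System32\\ie4uinit.exe -BaseSettings"),
    ("{constructed-odd-0002}", "C:\\Users\\Public\\system\\xp.exe"),
]

# Constructed autorun.inf of the kind a drive-spreading worm drops in a drive root.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=xp.exe
shellexecute=xp.exe
shell\open\command=xp.exe
icon=xp.exe,0
"""

if __name__ == "__main__":
    print("StubPath entries outside trusted dirs:", suspicious_stubpaths(SAMPLE_STUBPATHS))
    print("autorun.inf would launch:", autorun_launch_targets(SAMPLE_AUTORUN_INF))
```

A StubPath hit is worth more than a file-name match because Active Setup runs the command once per user at logon, which is exactly why the worm uses it; pairing the registry check with the autorun.inf parse lets the same script triage both the infected host and any removable media that was plugged into it.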

Payload
Perform Backdoor Functionalities
Worm:Win32/Autorun.LU is capable of performing backdoor functionalities by connecting to the IRC server X.helldark.biz using TCP port 5900 to wait for commands from a remote attacker.
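TCP port 5900 is normally VNC, so the point a network defender would take from the payload description is that a connection to 5900 whose first client bytes are IRC registration commands rather than an RFB version handshake does not belong. The Python below is an added example for this page, not code from the original analysis; the connection records are constructed samples, and the field names (dst, port, client_first, server_first) are assumed to be whatever your capture or flow tooling exports for the first bytes in each direction.

```python
"""Classify the first bytes of a TCP conversation as VNC, IRC or unknown.

Added example for this page; the connection records below are constructed.
"""
import re

# Commands an IRC client sends while registering or talking to a channel.
IRC_COMMANDS = (b"NICK", b"USER", b"PASS", b"JOIN", b"PRIVMSG", b"PONG", b"MODE")
# The VNC server speaks first with "RFB 003.008\n" (major.minor version string).
RFB_PROLOGUE = re.compile(rb"^RFB \d{3}\.\d{3}\n")


def looks_like_vnc(server_first):
    return RFB_PROLOGUE.match(server_first) is not None


def looks_like_irc(client_first):
    """True when the leading client lines all start with an IRC command word."""
    lines = [ln for ln in re.split(rb"\r?\n", client_first) if ln][:3]
    if not lines:
        return False
    return all(ln.split(b" ", 1)[0].upper() in IRC_COMMANDS for ln in lines)


def classify_connection(record):
    """record: dict with 'server_first' and 'client_first' byte strings."""
    if looks_like_vnc(record["server_first"]):
        return "vnc"
    if looks_like_irc(record["client_first"]):
        return "irc"
    return "unknown"


def suspicious_connections(records, vnc_port=5900):
    """Return (dst, port, reason) for IRC traffic anywhere, and for anything
    on the VNC port that is not actually VNC."""
    findings = []
    for rec in records:
        verdict = classify_connection(rec)
        if verdict == "irc":
            findings.append((rec["dst"], rec["port"], "irc-client-traffic"))
        elif rec["port"] == vnc_port and verdict != "vnc":
            findings.append((rec["dst"], rec["port"], "non-vnc-on-vnc-port"))
    return findings


# Constructed sample conversations: a real VNC session, an IRC bot check-in on 5900, plain HTTP.
SAMPLE_CONNECTIONS = [
    {"dst": "vnc-host.example.test", "port": 5900,
     "server_first": b"RFB 003.008\n", "client_first": b"RFB 003.008\n"},
    {"dst": "c2.example.test", "port": 5900,
     "server_first": b"", "client_first": b"NICK xpbot\r\nUSER xp 0 0 :xp\r\n"},
    {"dst": "web.example.test", "port": 80,
     "server_first": b"", "client_first": b"GET / HTTP/1.1\r\nHost: web.example.test\r\n"},
]

if __name__ == "__main__":
    for finding in suspicious_connections(SAMPLE_CONNECTIONS):
        print(*finding)
```

Matching on protocol rather than on the hostname in the write-up keeps the check useful after the C2 domain changes, and the "non-vnc-on-vnc-port" reason separately catches unknown traffic that has simply borrowed the port.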

Analysis by Patrik Vicol

Last update 19 May 2009
