Worm.AutoIt.B
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Worm.AutoIt.B is also known as Trojan.Win32.Autoit.bs, Win32/Autoit.BO, Trojan:Win32/Malagent, Worm/Autoit.OJ.
Explanation:
This worm is a compiled AutoIt script that carries a Word document icon to lure the user into running it.
If run, it will perform the following actions:
- creates the following copies of itself:
%SYSTEMDIRECTORY%\MsRun32.exe
%WINDIR%\MsRun32.exe
- adds or modifies the following registry keys:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = Explorer.exe MsRun32.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messengger" = C:\WINDOWS\system32\MsRun32.exe
- with these two entries it adds itself to startup.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = 1
"DisableTaskMgr" = 1
- disables the registry editing tools and the Task Manager.
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = 1
- disables access to Tools | Folder Options in Windows Explorer.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
- keeps hidden files from being displayed even when "Show hidden files and folders" is selected, so the dropped copies stay out of sight.
- spreads via shared drives by checking the values within the following registry subkey:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
"shared" = True_Love.exe
It then copies itself, under the name MsRun32, to the root of each shared drive it finds, together with autorun.ini.
It also copies itself as True_Love.exe to the last entry.
- creates a file named autorun.ini in %SYSTEMDIRECTORY% in order to spread to removable drives as well (under the name True_Love.exe).
- kills processes with the following names:
"System Configuration"
"Registry"
"Windows Task"
"cmd.exe"
- spreads over Yahoo Messenger by sending the following messages:
"see this comedy joke click on this link http://tinyurl.com/2[...]5"
"Ha ha ha click on link to laugh ... http://tinyurl.com/2[...]5"
"what a joke ...... http://tinyurl.com/2[...]5"
"nice one see this .... http://tinyurl.com/2[...]5"
"what a joke .....click to see http://tinyurl.com/2[...]5"
"what a joke ...... http://tinyurl.com/2[...]5"
"nice to listen .......... http://tinyurl.com/2[...]5"
"what is this ? ......see http://tinyurl.com/2[...]5"
"i am busy you click on a link and see ... http://tinyurl.com/2[...]5"
"what is this ? ......see http://tinyurl.com/2[...]5"
Last update 21 November 2011
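As an added example, not part of the BitDefender write-up: a Python script that parses a regedit export (.reg) and flags the registry indicators listed in the description above (the Winlogon Shell hijack, the Run entry, the policy values and the SHOWALL change), so an export pulled from a suspect machine can be triaged offline. The .reg parser and the sample export are constructed here; the key paths, value names and data are those given in the description.

```python
import re

# Indicators from the Worm.AutoIt.B description: (key, value name, test on data).
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
ONE = "dword:00000001"
INDICATORS = [
    # Winlogon\Shell should be exactly "explorer.exe"; anything appended is suspicious.
    (HKLM + r" NT\CurrentVersion\Winlogon", "Shell", lambda d: d.strip().lower() != "explorer.exe"),
    (HKCU + r"\Run", "MSN Messengger", lambda d: "msrun32.exe" in d.lower()),
    (HKCU + r"\Policies\System", "DisableRegistryTools", lambda d: d == ONE),
    (HKCU + r"\Policies\System", "DisableTaskMgr", lambda d: d == ONE),
    (HKCU + r"\Policies\Explorer", "NoFolderOptions", lambda d: d == ONE),
    (HKLM + r"\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue",
     lambda d: d == "dword:00000000"),
]
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')  # one "Name"=data line

def parse_reg(text):
    """Parse a regedit 5.00 export into {(key, name): data}; keys and names lowercased."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: strip quotes, unescape
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            values[(key, name.lower())] = data
    return values

def find_indicators(reg_text):
    """Return (key, name, data) for each indicator present in the export with suspicious data."""
    values = parse_reg(reg_text)
    found = ((k, n, values.get((k.lower(), n.lower())), bad) for k, n, bad in INDICATORS)
    return [(k, n, d) for k, n, d, bad in found if d is not None and bad(d)]

# Constructed sample export (not a real capture), in the form regedit writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe MsRun32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSN Messengger"="C:\\WINDOWS\\system32\\MsRun32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''
```

Calling find_indicators(SAMPLE_REG) reports five of the six indicators; NoFolderOptions is absent from the sample and is therefore not reported, and a clean Winlogon Shell of exactly "explorer.exe" produces no hit.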