
Worm:Win32/Htpic.A


First posted on 31 July 2012.
Source: Microsoft

Aliases:

Worm:Win32/Htpic.A is also known as Trojan.KillProc.11646 (Dr.Web), Trojan.Win32.Sulunch (Ikarus), TROJ_HTPIC.B (Trend Micro).

Explanation:

Worm:Win32/Htpic.A is a worm that spreads via removable drives. It disables LUA (Least Privileged User Account), which leads to a lowering of your computer's security.



Installation

When run, Worm:Win32/Htpic.A copies itself as the file "%ProgramFiles%\Java\jre6\bin\bin\java.exe".

To make sure it runs every time Windows starts, it also creates the following registry entry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "JavaUpdate"
With data: "%ProgramFiles%\Java\jre6\bin\bin\java.exe"

Spreads via...

Removable drives

Worm:Win32/Htpic.A may drop a copy of itself to removable drives as a randomly named executable. It also creates an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer that supports the Autorun feature, the worm copy is launched automatically.



Payload

Changes Windows settings

Worm:Win32/Htpic.A may disable the User Account Control (UAC) prompt by changing the following registry entry:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "ConsentPromptBehaviorAdmin"
With data: "0"

The default setting for this value is 2. Although this worm may disable displaying the UAC prompt, the Windows Security Center may still warn the user that UAC is turned off.

Worm:Win32/Htpic.A also disables LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: EnableLUA
With data: "dword:00000000"
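The following PowerShell script is an added example, not part of the original Microsoft write-up: it audits a host for the three registry changes and the dropped file listed above (the Run value, the UAC prompt setting and the EnableLUA setting), so a responder can check a machine without relying on the Security Center warning. It assumes an elevated session and the default value of 1 for EnableLUA; the default of 2 for ConsentPromptBehaviorAdmin is the one the write-up gives.

```powershell
# Added example: audit for the Worm:Win32/Htpic.A registry and file indicators described above.
# Run in an elevated PowerShell session on the host being checked.

$findings = @()

# 1. Persistence: the Run-key value "JavaUpdate" pointing at the worm's copy.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).JavaUpdate
if ($runVal) {
    # The doubled "bin\bin" directory is not part of a normal JRE layout.
    if ($runVal -match '\\jre6\\bin\\bin\\java\.exe$') {
        $findings += "Run value 'JavaUpdate' points at $runVal (matches the Htpic.A path)"
    } else {
        $findings += "Run value 'JavaUpdate' is present: $runVal (verify it is legitimate)"
    }
}

# 2. Dropped file at the path named in the write-up; record a hash for the incident file.
$dropPath = Join-Path $env:ProgramFiles 'Java\jre6\bin\bin\java.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $dropPath).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 3. UAC policy values. The write-up gives 2 as the default for ConsentPromptBehaviorAdmin;
#    EnableLUA defaults to 1 (assumption stated in the lead-in).
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin is 0 (UAC prompt disabled; write-up default is 2)'
}
if ($pol -and $pol.EnableLUA -eq 0) {
    $findings += 'EnableLUA is 0 (Admin Approval Mode disabled; takes effect after the next reboot)'
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/Htpic.A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A reboot may be pending when EnableLUA was changed, so a clean-looking UAC prompt on a live desktop does not by itself mean the value is intact; read the registry value as the script does.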



Analysis by Edgardo Diaz

Last update 31 July 2012
