Computer security

Your FREE guide to antispyware and security software


Confused by which virus protection software to use? Are you trying to untangle two-factor authentication?

Is your e-mail spam driving you crazy?

Is your personal computer slowing down?

Do you get annoying pop-ups while surfing the web or simply using your computer and need a popup blocker that WORKS?

I will personally help you protect your computer from spyware, adware, computer worms, viruses and Trojan horses, once and for all, without spending a dime.

 


Virus Profile: W32/Checkout!91d0b88a

This worm spreads via MSN Messenger. When installed, it sends one of the following messages to the recipients on the contact list and sends along a zip file named img1756.zip:
* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?
Upon execution, it creates a copy of itself in the Windows folder and also drops a zip file:

* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

It also drops a .bat file to stop the following services. The .bat file is deleted after execution.

* Security Center
* winvnc4

It adds the following value to the registry:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"
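As an added triage example (not part of the original profile), the following PowerShell checks a host for the W32/Checkout artifacts listed above: the Run value, the dropped files and the two stopped services. It assumes an elevated prompt and PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example: check a host for the W32/Checkout artifacts described in the profile.
$findings = @()

# 1. Autostart value the worm adds under HKLM Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft Genuine Logon']) {
    $findings += "Run value 'Microsoft Genuine Logon' = '$($run.'Microsoft Genuine Logon')'"
}

# 2. Dropped files. The legitimate svchost.exe lives in %WINDIR%\System32,
#    so a copy sitting directly in %WINDIR% is suspicious on its own.
foreach ($name in 'svchost.exe', 'img1756.zip') {
    $path = Join-Path $env:WINDIR $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 3. Services the dropped batch file stops (matched by display name / service name)
foreach ($svc in Get-Service -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -eq 'Security Center' -or $_.Name -eq 'winvnc4' }) {
    if ($svc.Status -ne 'Running') {
        $findings += "Service '$($svc.DisplayName)' ($($svc.Name)) is $($svc.Status)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32/Checkout artifacts found.' }
```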

 


W32/Autorun.worm.n Malware Virus

Overview -

W32/Autorun.worm.n infects available drives and downloads additional malware to further infect the system.

Characteristics -

W32/Autorun.worm.n adds the following registry value so that its own executable is run whenever one of a list of programs is launched:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%APP%\Debugger

%APP% is one of the following applications:

* 360rpt.exe
* 360Safe.exe
* 360tray.exe
* adam.exe
* AgentSvr.exe
* AppSvc32.exe
* autoruns.exe
* avgrssvc.exe
* AvMonitor.exe
* avp.com
* avp.exe
* CCenter.exe
* ccSvcHst.exe
* FileDsty.exe
* FTCleanerShell.exe
* HijackThis.exe
* IceSword.exe
* iparmo.exe
* Iparmor.exe
* isPwdSvc.exe
* kabaload.exe
* KaScrScn.SCR
* KASMain.exe
* KASTask.exe
* KAV32.exe
* KAVDX.exe
* KAVPFW.exe
* KAVSetup.exe
* KAVStart.exe
* KISLnchr.exe
* KMailMon.exe
* KMFilter.exe
* KPFW32.exe
* KPFW32X.exe
* KPFWSvc.exe
* KRegEx.exe
* KRepair.COM
* KsLoader.exe
* KVCenter.kxp
* KvDetect.exe
* KvfwMcl.exe
* KVMonXP.kxp
* KVMonXP_1.kxp
* kvol.exe
* kvolself.exe
* KvReport.kxp
* KVSrvXP.exe
* KVStub.kxp
* kvupload.exe
* kvwsc.exe
* KvXP.kxp
* KWatch.exe
* KWatch9x.exe
* KWatchX.exe
* loaddll.exe
* MagicSet.exe
* mcconsol.exe
* mmqczj.exe
* mmsk.exe
* NAVSetup.exe
* nod32krn.exe
* nod32kui.exe
* PFW.exe
* PFWLiveUpdate.exe
* QHSET.exe
* Ras.exe
* Rav.exe
* RavMon.exe
* RavMonD.exe
* RavStub.exe
* RavTask.exe
* RegClean.exe
* rfwcfg.exe
* RfwMain.exe
* rfwProxy.exe
* rfwsrv.exe
* RsAgent.exe
* Rsaupd.exe
* runiep.exe
* safelive.exe
* scan32.exe
* shcfg32.exe
* SmartUp.exe
* SREng.exe
* symlcsvc.exe
* SysSafe.exe
* TrojanDetector.exe
* Trojanwall.exe
* TrojDie.kxp
* UIHost.exe
* UmxAgent.exe
* UmxAttachment.exe
* UmxCfg.exe
* UmxFwHlp.exe
* UmxPol.exe
* UpLive.EXE
* WoptiClean.exe
* zxsweep.exe

The following files are added:

* %SYSTEMDIR%\1.inf
* %SYSTEMDIR%\forget.dll
* %SYSTEMDIR%\snowfall.exe
* %DRIVE%\autorun.inf
* %DRIVE%\snow.exe

W32/Autorun.worm.n will execute the following command to disable the Windows Firewall:

* cmd.exe /c net stop sharedaccess

It will start %SYSTEMDIR%\spoolsv.exe and inject forget.dll into this process. This will cause spoolsv.exe to attempt to access the network to download the following files:

* http://aa.tygzs.cn/[removed]/qcb.exe
* http://aa.tygzs.cn/[removed]/hs.exe
* http://aa.tygzs.cn/[removed]/26.exe

At the point of writing, the domain and files are not available.

(where %SYSTEMDIR% is the Windows system directory, e.g. C:\WINDOWS\system32, and %DRIVE% is the drive letter, e.g. C:)

Symptoms -

* Presence of previously mentioned files.
* Presence of previously mentioned registry keys.
* Presence of unexpected network connections to previously mentioned URLs.
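As an added triage example (not part of the original profile), the following PowerShell checks a host for the W32/Autorun.worm.n symptoms listed above: IFEO Debugger hijacks, the dropped files, autorun.inf on ready drives, the stopped firewall service and forget.dll inside spoolsv.exe. It assumes an elevated prompt and PowerShell 3 or later.

```powershell
# Added example: check a host for the W32/Autorun.worm.n artifacts described in the profile.
$findings = @()

# 1. IFEO Debugger hijacks. A Debugger value redirects every launch of that image to
#    another program, so any entry here deserves review; the worm sets one for each
#    of the security tools listed in the profile.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for $($key.PSChildName) -> $dbg" }
}

# 2. Dropped files in the system directory
$sysdir = Join-Path $env:WINDIR 'System32'
foreach ($name in '1.inf', 'forget.dll', 'snowfall.exe') {
    $path = Join-Path $sysdir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 3. autorun.inf / snow.exe in the root of every ready drive (the spreading mechanism)
foreach ($drive in [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.IsReady }) {
    foreach ($name in 'autorun.inf', 'snow.exe') {
        $path = Join-Path $drive.RootDirectory.FullName $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

# 4. Windows Firewall/ICS service, which the worm stops with 'net stop sharedaccess'
$fw = Get-Service -Name sharedaccess -ErrorAction SilentlyContinue
if ($fw -and $fw.Status -ne 'Running') { $findings += "Service sharedaccess is $($fw.Status)" }

# 5. forget.dll injected into spoolsv.exe (module enumeration can fail on access denied)
foreach ($p in Get-Process -Name spoolsv -ErrorAction SilentlyContinue) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq 'forget.dll' }) {
            $findings += "forget.dll loaded in spoolsv.exe (PID $($p.Id))"
        }
    } catch { $findings += "Could not enumerate modules of spoolsv.exe (PID $($p.Id)): $_" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32/Autorun.worm.n artifacts found.' }
```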

Method of Infection -

W32/Autorun.worm.n infects any available drives by placing itself and an autorun.inf file on the drive.

Removal -

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.