Win32/AutoRun.Agent.TO [Threat Name]

Win32/AutoRun.Agent.TO [Threat Variant Name]

Category worm
Size 99328 B
Detection created Nov 27, 2009
Detection database version 4643
Aliases -
  Trojan.Win32.Pincav.lmv (Kaspersky)
  Trojan:Win32/Coremhead (Microsoft)
  TR/Downloader.Gen (Avira)
Short description

Win32/AutoRun.Agent.TO is a worm that spreads via shared folders and removable media. The worm serves as a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself to the following locations:

  • %homedrive%\RECYCLER\LocalService\saver.dll
  • %allusersprofile%\Application Data\WinNT\WinNTSec.dll
  • %allusersprofile%\Documents\NatSec\NatSec.dll

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "*NatSec" = "rundll32 "%allusersprofile%\Documents\NatSec\NatSec.dll\",triggerWarheaD"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "*NatSec" = "rundll32 "%allusersprofile%\Documents\NatSec\NatSec.dll\",triggerWarheaD"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNTsec]
    • "DllName" = "%allusersprofile%\Application Data\WinNT\WinNTSec.dll"
    • "Logon" = "ntevent"
    • "StartShell" = "ntevent"
    • "Startup" = "ntevent"
    • "StartScreenSaver" = "ntevent"
    • "StopScreenSaver" = "ntevent"
    • "Lock" = "ntevent"
    • "Unlock" = "ntevent"
    • "Logoff" = "ntevent"
    • "PostShell" = "ntevent"
    • "Reconnect" = "ntevent"
    • "Disconnect" = "ntevent"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNTsec]
    • "DllName" = "%allusersprofile%\Application Data\WinNT\WinNTSec.dll"
    • "Logon" = "ntevent"
    • "StartShell" = "ntevent"
    • "Startup" = "ntevent"
    • "StartScreenSaver" = "ntevent"
    • "StopScreenSaver" = "ntevent"
    • "Lock" = "ntevent"
    • "Unlock" = "ntevent"
    • "Logoff" = "ntevent"
    • "PostShell" = "ntevent"
    • "Reconnect" = "ntevent"
    • "Disconnect" = "ntevent"

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "MenuShowDelay" = 30
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDriveTypeAutoRun" = 60
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
    • "DisablePagingExecutive" = 1
    • "LargeSystemCache" = 1
  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "SearchHidden" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 0
    • "DisableTaskmgr" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 0
    • "DisableTaskmgr" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe winntobj.vbs"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    • "natsec" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares]
    • "natsec" = "CSCFlags=0 MaxUses=4294967295 Path=%drive%:\ Permissions=0 Remark="" Type=0"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\mnmsrvc.exe" = ":*:Enabled:Retaliator"
    • "%system%\tlntsrv.exe" = ":*:Enabled:Telnet"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mnmsrvc]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
    • "Start" = 0
  • [HKEY_CURRENT_USER\Control Panel\Desktop]
    • "ScreenSaveTimeOut" = 60
    • "ScreenSaverIsSecure" = 1
    • "SCRNSAVE.EXE" = "%homedrive%\RECYCLER\LocalService\saver.cmd"
    • "ScreenSaveActive" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
    • "Hidden" = 2

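
The installation and registry changes above translate directly into a host triage check. The following PowerShell script is an added example, not part of the ESET write-up: it is read-only and reports which of the listed files, autostart entries, the hidden "natsec" administrator, the rogue "natsec" share, the firewall exceptions, the service start types and the AutoRun/screensaver settings are present. It assumes the Windows XP/2003 All Users layout that the write-up's paths use (%allusersprofile%\Application Data, %allusersprofile%\Documents); on later Windows ALLUSERSPROFILE is C:\ProgramData and the same relative paths are tested there. Run it from an elevated session.

```powershell
# Added triage script (not from the ESET write-up). Read-only: checks a host for the
# dropped files, autostart entries and weakened settings the write-up lists and
# reports what it finds. Assumption: XP/2003-style "All Users" layout; on newer
# Windows ALLUSERSPROFILE is C:\ProgramData and the same relative paths are tried.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies and helper files
$allUsers = $env:ALLUSERSPROFILE
$dropPaths = @(
    "$env:HOMEDRIVE\RECYCLER\LocalService\saver.dll",
    "$env:HOMEDRIVE\RECYCLER\LocalService\saver.cmd",
    "$env:HOMEDRIVE\RECYCLER\LocalService\jaijeya.sed",
    "$env:HOMEDRIVE\RECYCLER\LocalService\jaijeya.exe",
    "$allUsers\Application Data\WinNT\WinNTSec.dll",
    "$allUsers\Documents\NatSec\NatSec.dll",
    "$allUsers\Documents\NatSec\winntsp.vbs",
    "$env:WINDIR\winntobj.vbs"
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
}

# 2. Autostart: RunOnce value "*NatSec" and the Winlogon Notify package "WinNTsec".
#    Notify packages are only honoured by XP/2003; later Windows ignores the key,
#    but its presence remains a reliable indicator of this infection.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $runOnce = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    $v = (Get-ItemProperty -Path $runOnce -ErrorAction SilentlyContinue).'*NatSec'
    if ($v) { $findings.Add("RunOnce *NatSec under ${hive}: $v") }
    $notify = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNTsec"
    if (Test-Path -LiteralPath $notify) {
        $dll = (Get-ItemProperty -Path $notify -ErrorAction SilentlyContinue).DllName
        $findings.Add("Winlogon Notify package WinNTsec under ${hive}: DllName=$dll")
    }
}

# 3. Shell hijack, hidden "natsec" administrator account, rogue SMB share
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell = '$shell' (expected explorer.exe)") }
$userList = Get-ItemProperty -Path "$winlogon\SpecialAccounts\UserList" -ErrorAction SilentlyContinue
if ($userList -and $null -ne $userList.natsec) { $findings.Add("account natsec hidden from the logon screen (UserList natsec=$($userList.natsec))") }
net user natsec > $null 2>&1
if ($LASTEXITCODE -eq 0) {
    $findings.Add('local account natsec exists')
    if ((net localgroup Administrators) -match '^\s*natsec\s*$') { $findings.Add('natsec is a member of Administrators') }
}
$shares = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares' -ErrorAction SilentlyContinue
if ($shares -and $null -ne $shares.natsec) { $findings.Add("SMB share natsec: $($shares.natsec -join ' ')") }

# 4. XP firewall exceptions and service start types the worm flips
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
foreach ($exe in 'mnmsrvc.exe', 'tlntsrv.exe') {
    $name = Join-Path $env:SystemRoot "system32\$exe"
    if ($fw -and $fw.PSObject.Properties[$name]) { $findings.Add("firewall exception: $name = $($fw.$name)") }
}
# mnmsrvc (NetMeeting Remote Desktop Sharing) and TlntSvr (Telnet) set to Automatic (2),
# srservice (System Restore) set to 0
$svcChecks = @{ mnmsrvc = 2; TlntSvr = 2; srservice = 0 }
foreach ($svc in $svcChecks.Keys) {
    $start = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue).Start
    if ($null -ne $start -and $start -eq $svcChecks[$svc]) { $findings.Add("service $svc Start=$start") }
}

# 5. AutoRun and screensaver. NoDriveTypeAutoRun is a bitmask of drive types for which
#    AutoRun is disabled: 0x04 = removable, 0x10 = network. Both bits must be set for
#    the worm's autorun.inf on USB sticks and shares to be inert.
$noAutoRun = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -ne $noAutoRun -and ($noAutoRun -band 0x14) -ne 0x14) {
    $findings.Add(('HKCU NoDriveTypeAutoRun = 0x{0:X} leaves AutoRun enabled for removable and/or network drives' -f $noAutoRun))
}
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
if ($desk -and $desk.'SCRNSAVE.EXE' -match '\\RECYCLER\\') { $findings.Add("screensaver = $($desk.'SCRNSAVE.EXE')") }

if ($findings.Count -eq 0) { 'No Win32/AutoRun.Agent.TO artifacts found.' } else { $findings }
```

The script deliberately does not remediate: the RunOnce and Notify entries, the natsec account and the share are evidence worth preserving, and several of the values it inspects (the Policies\System, Memory Management and Desktop entries) are legitimate settings that an administrator may have set for other reasons, so they are reported rather than treated as proof of infection.
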
Spreading

Win32/AutoRun.Agent.TO is a worm that spreads via shared folders and removable media.


The worm may create copies of itself using the following filenames:

  • %removabledrive%\NatSec.dll (Win32/AutoRun.Agent.TO)
  • %removabledrive%\gameNS.EXE (Win32/AutoRun.Agent.TO)
  • %remotedrive%\NatSec.dll (Win32/AutoRun.Agent.TO)
  • %remotedrive%\gameNS.EXE (Win32/AutoRun.Agent.TO)

The following file is dropped in the same folder:

  • autorun.inf

The autorun.inf causes the worm to be started each time the infected media is inserted into a computer on which AutoRun is enabled for that drive type.
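
Two caveats for anyone hunting this spreading mechanism: the write-up does not reproduce the dropped autorun.inf, so a check has to match on the dropped filenames rather than on a known autorun.inf body, and since Windows 7 (and the February 2011 update KB971029 for XP and Vista) Windows ignores autorun.inf on removable drives other than CD/DVD, so on a patched host the file is an indicator rather than an execution path. The following PowerShell is an added example, not part of the ESET write-up: it enumerates removable and network drives, looks for NatSec.dll and gameNS.EXE in the root, and when an autorun.inf is present parses the standard [autorun] launch keys (open, shellexecute, shell\...\command) and flags any that point at those filenames.

```powershell
# Added example (not from the ESET write-up): scan removable and network drive roots
# for the files this worm drops and report what any autorun.inf there would launch.
# Read-only. The autorun.inf parser is generic because the page does not give the
# dropped file's contents.

function Get-AutorunTargets {
    # Returns the values of open=, shellexecute= and shell\<verb>\command= in [autorun].
    param([Parameter(Mandatory)][string]$Path)
    $inSection = $false
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$') { $targets += $Matches[2].Trim() }
    }
    return $targets
}

$wormFiles = 'NatSec.dll', 'gameNS.EXE'
# Win32_LogicalDisk DriveType: 2 = removable, 4 = network
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 }
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    foreach ($f in $wormFiles) {
        $p = Join-Path $root $f
        if (Test-Path -LiteralPath $p) { "$($d.DeviceID) suspicious file: $p" }
    }
    $inf = Join-Path $root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    # Worm-dropped autorun.inf files are usually hidden+system, so read the attributes with -Force
    $attr = (Get-Item -LiteralPath $inf -Force).Attributes
    foreach ($target in Get-AutorunTargets -Path $inf) {
        $hit = $wormFiles | Where-Object { $target -match [regex]::Escape($_) }
        $flag = if ($hit) { 'MATCHES WORM FILE' } else { 'review' }
        "$($d.DeviceID) autorun.inf ($attr) launches '$target' [$flag]"
    }
}
```

Matching is done on the filename inside the launch command rather than on an exact autorun.inf, so the check also catches variants that wrap the executable in a different verb or add a lure icon line; any autorun.inf whose launch target is not one of the listed names is still printed for review.
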

Other information

The worm creates the following files:

  • %homedrive%\RECYCLER\LocalService\saver.cmd (69 B)
  • %windir%\winntobj.vbs (1346 B)
  • %systemdrive%\RECYCLER\LocalService\jaijeya.sed (905 B)
  • %systemdrive%\RECYCLER\LocalService\jaijeya.exe
  • %malwarepath%\packQCP.lnk

The worm may create and run a new thread with its own program code within any running process.


If the worm finds a window of a running process whose title contains any of the following strings:

  • Windows Task Manager

the worm changes the window title to one of the following:

  • Jaijeya
  • %username% ji
  • Hor Theek-Thaak Hainn Na?
  • %computername% tuhaadi seva bich haazir hai.
  • Tusaan bas huqm deya.

The worm creates the following files:

  • %allusersprofile%\Documents\NatSec\winntsp.vbs (VBS/Agent.NCF, VBS/Agent.NFV)

The worm uses Microsoft Speech technology to read text aloud.


It may play any of the following text in a spoken voice:

  • Jaijeya.
  • Tusaan sunhaa kyaa haal hae tuhaada?
  • Main sirf; machine nahi hae! Mae tuhaade parivaare, daa hissa hae.
  • Tusaan Kya karaade hainn? Minjo sabb pataa hai!
  • Main Pahaari bolli sakda hae, tai gaaddee muhnj bhi kannhai sakda hae.
  • Tusaan baarhae khaare maahnu hainn.
  • Majenae kamm karaa, main kuthu nahtthna hae laggeya.
  • Main tamm tarelly gullaan kardaa hai.
  • Main bhee taan maahnhu hai.
  • Aah! Holae holae kamm kara.
  • Thodi hawaa, taan auna, deyaa.
  • Main keehaan tuhaadi madad kari sekda hai?
  • Buriyaan aadtaan chhaddi deyaa.
  • Tusaan Huuqm karaa; main sai kaamm karree daena.
  • Ggharrae aahlae kkutaanh hainn gaeo?
  • Tusaan barae kharae maahnu hainn.
  • Ajj koee noyaa kamm karaa.
  • Hor soonna, budde chottae sabb theek hainn naa?
  • Dunggar Bachchhu subb theek hainn?
  • Arhaeo, koottae billae meenjo te duur rakha.
  • Ha ae bo mummy jee, aeh minjo maara dae hainn.
  • Deekha na? Ajkal eekko he kamm pukdee laeya hae eenaah.
  • Gundiyaa-Fundeea galaa nee karneea.
  • aayae haae, aeh kasaehri butt rhee hai?
  • main koyee kudee thodee nee hai, main taan moondu ae..
  • hoer jee. meriyaan gullaan kadeheeyaan hainn jee? Je theek nee hainn taan, Start menu, kaanhe ffeeri Run dubba. Par jaijeya salaam schhalaayee rakhneyo.
  • akkarrh bukkarrh baumbae bo. ussee nabbe poorae sao. Sao ka lot ta teettar mot ta. Schall madaar ee paisa khot ta. Khot te dee khatt teyaayee aayee. Bhaah bo rondee rondee aayee. Ohd daa mar ggaeya javaayee. Kunnee cheetthee bhee nee paayee.
  • galhiaan mut deya kara. Buri gall hondi hai.
  • Parhaa kara, taan he gall bananhee hai.
  • Themaaq lagaa kahraah; themaaq.
  • Koi kudee kadee nee ddikkhee?
  • Sinjhaa bhyagaa bus khadaa chche mat badee rehaa karaah; Hor kuthee pahaarhiaa pahurhiyaa lagee geya taan muusqal hoyee jaanhee.
  • Byaah-Byuh kit teya hai kih, schharhe malang he hainn.
  • Tuhaarh kamm kya hai computerae par. Eehaan he tandhelgiri karaa de hainn.
  • Kunju-chainchelo dee kaahnhee soonaa, minjo bhee.
  • Ajj schattraarhee hoe o o o, kall rakha dera, hai pyaarua.
  • uschhee uschhee rirheeyaan puttharu je chumakae, khuddaa bichh chammkeya paanhee. Main taan teejo puchhdee pa reet kee yaan laanhee ho o oh.
  • Neeru chaalli gghoomm a dee, ghoomm adee ee, chaalee bo seem lae bajaarae e neeru chaalee gghoommdee.
  • Luchhee-luchhee lok galaand ae a, kee luchhee meraa naam sajjnhaa. Ikk mera dharumm ae the bhaayee ee ee, tha the oojja mae rree jaann sajjnha ah.
  • Dhhu rhoo nachha daa ah, jatta aan wo o o oh khalaaree ee kae e e. Nachh mer ae dhu rhooaa ah, jatt aan bo o oh khalaaree ee kae e e.
  • Paanhee ree ee ta aanchhee ee ho o oh, neelimaa ah barhee ee baa ah nkee ho o oh.
  • Issaa ah garaan ye en dae yah lumba ra ah ho o inha ah schhohru aan jo lai sumjhaaee, keeh butta ah jaandae seet ih maar a dae e eh ho o oh.
  • Uss ah aan taan kussee ee jo oh mundda ah nee ee bollnha ah, chandae eh dee ee chann ah nhee ee chandae eh kannae eh. Bud daeyaan ghar ah aan de ee yaan byaahee karee lyon de ee yaan, hath n ee laand ee ee yaan kamm eh kannae eh.
  • Khung gay aan n ae pung gay lainhae taan cup rhae futt dae eh.
  • Ghuna ahkarhee, kirlee ee, kanne eh schhippkallee yaa ah n tae main na hee ee dar the ah hai.
  • Tooss ah aan barhae schhaill a hainn. Main ith nha ah schhailh nahee ee hai.
  • Main taa aan ikk, Junglee ee ma ah nhu eh.
  • Shobh lee schhore eeyaan, Minjo schail lugg the iyaan hainn.
  • Koee gaanha goo nha he sunaa ee the ae yah?
  • Main tuhaada comppooter bollada hai.

The worm adds the user "natsec" to the following groups:

  • Administrators

The worm may execute the following commands:

  • %systemroot%\system32\iexpress.exe /Q /M /N

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a URL and communicates over HTTP.


The worm may perform various types of attack on remote machines.
