Win32/AutoRun.Remtasu [Threat Name]

Win32/AutoRun.Remtasu.E [Threat Variant Name]

Category: worm
Size: 303104 B
Detection created: Apr 06, 2012
Signature database version: 7033
Aliases: VirTool:Win32/VBInject.gen!DZ (Microsoft)
         TR/VB.Inject.DZ.182 (Avira)
Short description

Win32/AutoRun.Remtasu.E is a worm that spreads via removable media. The file is run-time compressed using MoleBox.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\InstallDir\winlogon.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "HKLM" = "%windir%\InstallDir\winlogon.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "HKCU" = "%windir%\InstallDir\winlogon.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{RF0L03U3-554A-82J2-6K04-7TN6K68INIU3}]
    • "StubPath" = "%windir%\InstallDir\winlogon.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\XtremeRAT]
    • "Mutex" = "7tcUEuE4AcL"
  • [HKEY_CURRENT_USER\Software\Server]
    • "ServerStarted" = "%variable%"
  • [HKEY_CURRENT_USER\Software\7tcUEuE4AcL]
    • "ServerName" = "%windir%\InstallDir\winlogon.exe"

The following Registry entry is deleted:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{RF0L03U3-554A-82J2-6K04-7TN6K68INIU3}]

A string with variable content is used instead of %variable%.

The worm launches the following processes:

  • svchost.exe
  • %malwarefilepath%

The worm creates and runs a new thread with its own code within these running processes.

Spreading on removable media

Win32/AutoRun.Remtasu.E is a worm that spreads via removable media.

The worm copies itself to the following location:

  • %removabledrive%\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\winlogon.exe

The worm creates the following files:

  • %removabledrive%\Autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.
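Detection logic for the spreading mechanism described above, added here as an example and not part of the original ESET description: it parses an autorun.inf, extracts the keys Windows would execute on insertion, and flags a launch path in a SID-named RECYCLER folder or a winlogon.exe outside System32. The sample autorun.inf content is constructed, since the page only states that the file points at the worm executable; the exact keys the worm writes are an assumption.

```python
import configparser
import re

# Constructed sample autorun.inf modelled on the spreading behaviour described
# above; the page does not reproduce the real file, so these keys are an assumption.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\winlogon.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\winlogon.exe
shell\\open=Open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Constructed benign autorun.inf (a vendor-style label/icon file) for contrast.
BENIGN_AUTORUN_INF = """[autorun]
label=Backup Drive
icon=drive.ico
"""

# Keys whose value the shell executes on media insertion or double-click.
COMMAND_KEYS = ("open", "shellexecute")
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# A RECYCLER folder named after a SID is where the worm hides on the drive.
RECYCLER_SID_RE = re.compile(r"recycler\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.IGNORECASE)


def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that launch something."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(text)
    commands = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key.lower() in COMMAND_KEYS or COMMAND_KEY_RE.match(key):
                commands.append((key, value.strip()))
    return commands


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for key, command in parse_autorun(text):
        exe = command.split()[0] if command else ""
        if RECYCLER_SID_RE.search(command):
            findings.append(f"{key}: launches from a SID-named RECYCLER folder: {command}")
        if exe.lower().endswith("winlogon.exe") and "system32" not in exe.lower():
            findings.append(f"{key}: winlogon.exe outside System32: {exe}")
    return findings
```

Running `assess_autorun` over the autorun.inf of each mounted removable drive gives a quick triage signal; the RECYCLER/SID pattern generalises to other autorun worms that reuse the same hiding place.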

Information stealing

Win32/AutoRun.Remtasu.E is a worm that steals sensitive information.

It can execute the following operations:

  • steal information from the Windows clipboard
  • log keystrokes

The collected information is stored in the following file:

  • %appdata%\7tcUEuE4AcL.dat

The worm attempts to send gathered information to a remote machine. The FTP protocol is used.

Other information

The worm contains a list of 3 URLs.

It tries to download a file from the addresses. The HTTP protocol is used.

The file is stored in the following location:

  • %appdata%\7tcUEuE4AcL.xtr

The file is executed as a new thread in the %windir%\InstallDir\winlogon.exe process.

The worm may create the following files:

  • %appdata%\7tcUEuE4AcL.cfg
