Win32/AutoRun.Remtasu [Threat Name]
Win32/AutoRun.Remtasu.E [Threat Variant Name]
| Field | Value |
| --- | --- |
| Category | worm |
| Size | 303104 B |
| Signature database version | 7033 (Apr 06, 2012) |
| Aliases | VirTool:Win32/VBInject.gen!DZ (Microsoft), TR/VB.Inject.DZ.182 (Avira) |
Short description
Win32/AutoRun.Remtasu.E is a worm that spreads via removable media. The file is run-time compressed using MoleBox.
Installation
When executed, the worm copies itself into the following location:
- %windir%\InstallDir\winlogon.exe
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "HKLM" = "%windir%\InstallDir\winlogon.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "HKCU" = "%windir%\InstallDir\winlogon.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{RF0L03U3-554A-82J2-6K04-7TN6K68INIU3}]
- "StubPath" = "%windir%\InstallDir\winlogon.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\XtremeRAT]
- "Mutex" = "7tcUEuE4AcL"
- [HKEY_CURRENT_USER\Software\Server]
- "ServerStarted" = "%variable%"
- [HKEY_CURRENT_USER\Software\7tcUEuE4AcL]
- "ServerName" = "%windir%\InstallDir\winlogon.exe"
The following Registry entry is deleted:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{RF0L03U3-554A-82J2-6K04-7TN6K68INIU3}]
A string with variable content is used instead of %variable%.
The worm launches the following processes:
- svchost.exe
- %malwarefilepath%
The worm creates and runs a new thread with its own code within these running processes.
Spreading on removable media
Win32/AutoRun.Remtasu.E is a worm that spreads via removable media.
The worm copies itself to the following location:
- %removabledrive%\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\winlogon.exe
The worm creates the following files:
- %removabledrive%\Autorun.inf
The AUTORUN.INF file contains the path to the malware executable.
Thus, the worm ensures it is started each time infected media is inserted into the computer.
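The spreading mechanism above relies on an Autorun.inf whose launch keys point at the copy hidden under a RECYCLER\<SID> directory. The following added example (not part of the ESET report) parses an Autorun.inf from removable media and flags launch targets that match that pattern or that name winlogon.exe; the sample file is constructed from the drop path listed above.

```python
import re
from typing import Dict, List

# Constructed sample Autorun.inf, modelled on the drop path the report lists.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\winlogon.exe
shellexecute=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\winlogon.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Keys of the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = ("open", "shellexecute")

# A recycle-bin lookalike directory: RECYCLER\S-1-5-21-<...>\ on a removable drive.
RECYCLER_SID_RE = re.compile(r"(^|[\\/])RECYCLER[\\/]S-1-5-21-[\d-]+[\\/]", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section with lowercased keys."""
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Paths that Windows would execute when the media is inserted."""
    return [entries[k] for k in LAUNCH_KEYS if k in entries]


def suspicious_targets(text: str) -> List[str]:
    """Launch targets living under RECYCLER\\<SID> or named after a system process."""
    flagged = []
    for target in launch_targets(parse_autorun(text)):
        basename = re.split(r"[\\/]", target)[-1].lower()
        if RECYCLER_SID_RE.search(target) or basename == "winlogon.exe":
            flagged.append(target)
    return flagged
```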
Information stealing
Win32/AutoRun.Remtasu.E is a worm that steals sensitive information.
It can execute the following operations:
- steal information from the Windows clipboard
- log keystrokes
The collected information is stored in the following file:
- %appdata%\7tcUEuE4AcL.dat
The worm attempts to send gathered information to a remote machine. The FTP protocol is used.
Other information
The worm contains a list of three URLs.
It tries to download a file from the addresses. The HTTP protocol is used.
The file is stored in the following location:
- %appdata%\7tcUEuE4AcL.xtr
The file is executed as a new thread in the %windir%\InstallDir\winlogon.exe process.
The worm may create the following files:
- %appdata%\7tcUEuE4AcL.cfg