Win32/Autoit.EB [Threat Name]

Win32/Autoit.EB [Threat Variant Name]

Category worm
Size 265927 B
Detection created Sep 29, 2008
Detection database version 10181
Aliases Worm.Win32.AutoIt.dn (Kaspersky)
  W32/YahLover.worm.gen.virus (McAfee)
  Worm:Win32/Autorun.MBS (Microsoft)
  W32.SillyDC (Symantec)
Short description

Win32/Autoit.EB is a worm that spreads via shared folders and removable media. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself to some of the following locations:

  • %desktop%\gphone.exe
  • %temp%\gphone.exe
  • %system%\gphone.exe
  • %windir%\gphone.exe

The worm creates the following files:

  • %malwarefolder%\autorun.ini

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe gphone.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Yahoo Messengger" = "%malwarefolder%\gphone.exe"

The worm changes the home page of the following web browsers:

  • Internet Explorer

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NofolderOptions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    • "AtTaskMaxHours" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "Default_Page_URL" = "http://rnd009.googlepages.com/google.html"
    • "Default_Search_URL" = "http://rnd009.googlepages.com/google.html"
    • "Search Page" = "http://rnd009.googlepages.com/google.html"
    • "Start Page" = "http://rnd009.googlepages.com/google.html"
  • [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    • "HomePage" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "http://rnd009.googlepages.com/google.html"
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
    • "HomePage" = 1

The worm schedules a task that causes the following file to be executed repeatedly:

  • %malwarefolder%\gphone.exe
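
The Registry entries listed above are what a responder would look for on a suspect host. The following Python script is an added example, not part of ESET's description: it parses a Registry export in the "Windows Registry Editor Version 5.00" text format that `reg export` writes and reports the values that match this worm's persistence and lockdown settings (altered Winlogon Shell, a Run entry pointing at gphone.exe, the Task Manager / Registry tools / folder options policies, and the Internet Explorer start page). The export text inside it is constructed to resemble an infected machine; the drive and directory in it are hypothetical, while the value names and data follow the page.

```python
"""Check a Windows Registry export for the Win32/Autoit.EB persistence and
lockdown entries described above.

Added example (not ESET's code). SAMPLE_REG is a constructed snapshot in the
text format that `reg export` writes; the paths in it are hypothetical.
"""

# Constructed .reg text resembling an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe gphone.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\gphone.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://rnd009.googlepages.com/google.html"
'''

# Key paths from the page, lower-cased because the Registry is case-insensitive.
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
RUN_KEYS = (r'hkey_current_user\software\microsoft\windows\currentversion\run',
            r'hkey_local_machine\software\microsoft\windows\currentversion\run')
POL_SYSTEM = r'hkey_current_user\software\microsoft\windows\currentversion\policies\system'
POL_EXPLORER = r'hkey_current_user\software\microsoft\windows\currentversion\policies\explorer'
IE_MAIN = (r'hkey_current_user\software\microsoft\internet explorer\main',
           r'hkey_local_machine\software\microsoft\internet explorer\main')
IE_VALUES = ('start page', 'default_page_url', 'default_search_url', 'search page')
KNOWN_URL = 'http://rnd009.googlepages.com/google.html'
DROPPED_NAMES = ('gphone.exe', 'new folder.exe')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}.

    Only REG_SZ ("...") and REG_DWORD (dword:hex) values are decoded; other
    types are skipped. Key paths and value names are lower-cased.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, sep, data = line.partition('"=')
            if not sep:
                continue
            name = name[1:].lower()
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside REG_SZ data.
                keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith('dword:'):
                keys[current][name] = int(data[6:], 16)
    return keys


def check_indicators(keys):
    """Return a list of human-readable findings; an empty list means no match."""
    findings = []
    shell = keys.get(WINLOGON, {}).get('shell')
    if isinstance(shell, str) and shell.strip().lower() != 'explorer.exe':
        findings.append(f'Winlogon Shell altered: {shell!r}')
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key, {}).items():
            if isinstance(data, str) and data.lower().rstrip().endswith(DROPPED_NAMES):
                findings.append(f'Run entry {name!r} -> {data}')
    for name in ('disabletaskmgr', 'disableregistrytools'):
        if keys.get(POL_SYSTEM, {}).get(name) == 1:
            findings.append(f'Policies\\System {name} = 1')
    if keys.get(POL_EXPLORER, {}).get('nofolderoptions') == 1:
        findings.append('Policies\\Explorer nofolderoptions = 1')
    for ie_key in IE_MAIN:
        for name in IE_VALUES:
            if str(keys.get(ie_key, {}).get(name, '')).lower() == KNOWN_URL:
                findings.append(f'IE {name} set to {KNOWN_URL}')
    return findings


def scan_reg_export(path):
    """Read a real export file; `reg export` writes UTF-16LE with a BOM."""
    with open(path, encoding='utf-16') as fh:
        return check_indicators(parse_reg(fh.read()))


if __name__ == '__main__':
    for finding in check_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same checks would be run against an export of the HKLM and HKCU keys named above (`scan_reg_export` takes the file path); the constructed snapshot produces six findings, one per altered value.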

Spreading

The worm copies itself into the root folders of all drives using the following names:

  • gphone.exe
  • New Folder.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.


It avoids drives which contain any of the following folders:

  • %system%

The worm also searches for folders on local drives.


When the worm finds a folder matching the search criteria, it creates a new copy of itself.


The name of the file may be based on the name of an existing file or folder.

The extension of the file is ".exe".
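
Two artefacts from the description above are cheap to check on any removable drive: an autorun.inf whose `open=` or `shell\...\command=` entry launches an executable in the drive root, and ".exe" files that carry the name of a neighbouring folder or one of the worm's own file names. The following Python script is an added example, not ESET's code; `build_sample_drive` creates a constructed drive layout in a temporary directory (placeholder file contents, names taken from the page) so that `scan_drive_root` can be run offline.

```python
"""Flag the removable-media artefacts described above: an autorun.inf that
launches an executable from the drive root, and ".exe" files that borrow the
name of a sibling folder or use the worm's known file names.

Added example (not ESET's code). build_sample_drive() creates a constructed
drive image in a temporary directory; the file contents are placeholders.
"""
import configparser
import os
import shutil
import tempfile

KNOWN_STEMS = ('gphone', 'new folder')   # gphone.exe / New Folder.exe from the page


def parse_autorun(text):
    """Return the targets an autorun.inf would launch via open=, shellexecute=
    or shell\\<verb>\\command=, or [] if the text is not a usable autorun.inf."""
    cp = configparser.ConfigParser(delimiters=('=',), interpolation=None,
                                   strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []
    if not cp.has_section('autorun'):
        return []
    targets = []
    for name, value in cp.items('autorun'):
        launches = name in ('open', 'shellexecute') or (
            name.startswith('shell\\') and name.endswith('\\command'))
        if launches and value:
            targets.append(value.strip())
    return targets


def scan_drive_root(root):
    """Scan one mounted drive root and return sorted findings."""
    findings = []
    entries = os.listdir(root)
    folders = {e.lower() for e in entries if os.path.isdir(os.path.join(root, e))}
    for entry in entries:
        path = os.path.join(root, entry)
        low = entry.lower()
        if not os.path.isfile(path):
            continue
        if low == 'autorun.inf':
            # Malicious autorun.inf files are often padded with junk bytes;
            # decode leniently so the [autorun] section is still found.
            with open(path, encoding='latin-1', errors='replace') as fh:
                for target in parse_autorun(fh.read()):
                    findings.append(f'autorun.inf launches {target}')
        elif low.endswith('.exe'):
            stem = low[:-4]
            if stem in folders:
                findings.append(f'folder-mimic executable: {entry}')
            elif stem in KNOWN_STEMS:
                findings.append(f'known dropped name: {entry}')
    return sorted(findings)


def build_sample_drive():
    """Create a constructed drive layout resembling an infected USB stick."""
    root = tempfile.mkdtemp(prefix='autoit_eb_demo_')
    for folder in ('Photos', 'Documents'):
        os.mkdir(os.path.join(root, folder))
    with open(os.path.join(root, 'autorun.inf'), 'w') as fh:
        fh.write('[autorun]\nopen=gphone.exe\nshell\\open\\command=gphone.exe\nicon=gphone.exe\n')
    for name in ('gphone.exe', 'New Folder.exe', 'Photos.exe', 'report.exe'):
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(b'MZ')   # placeholder bytes, not an executable
    return root


def demo():
    """Build the constructed drive, scan it, clean up, and return the findings."""
    drive = build_sample_drive()
    try:
        return scan_drive_root(drive)
    finally:
        shutil.rmtree(drive)


if __name__ == '__main__':
    for finding in demo():
        print(finding)
```

`report.exe` in the sample is deliberately left unflagged: it matches neither a folder name nor a known dropped name, which keeps the check from reporting every executable on a drive.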

Spreading via shared folders

The worm tries to copy itself to the available shared network folders.


The following names are used:

  • gphone.exe
  • New Folder.exe

The name of the file may be based on the name of an existing file or folder.

The extension of the file is ".exe".


The following file is dropped in the same folder:

  • autorun.inf

Spreading via IM networks

The worm sends links to Yahoo! Messenger and Google Talk users.


The message depends entirely on data the worm downloads from the Internet.


The messages may contain any of the following texts:

  • View my webcam (private) %malwareurl%
  • Now search your google in a HYBRID\DYNAMIC way %malwareurl%
  • View my webcam (private) %malwareurl%
  • Hey what are you doing Please test my new webcam using private application
  • View my webcam (private) %malwareurl%
  • The wisest mind has something yet to learn %malwareurl%
  • View my webcam (private) %malwareurl%
  • Hey Please help me to test my new cam application
  • View my webcam (private) %malwareurl%
  • Happiness is a choice that requires effort at times %malwareurl%
  • View my webcam (private) %malwareurl%
  • Waiting for you, view my private cam via secured connection
  • View my webcam (private) %malwareurl%
  • Happiness is not a destination. It is a method of life %malwareurl%
  • View my webcam (private) %malwareurl%
  • View my private cam via secured connection
  • View my webcam (private) %malwareurl%
  • If you want truly to understand something, try to change it %malwareurl%
  • View my webcam (private) %malwareurl%
  • View my webcam (private secured connection using privateCam)

The URL points to malicious content related to Win32/Autoit.EB.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of 3 URLs; the HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via IM networks

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Bkav2006
  • System Configuration
  • Registry
  • Windows mask
  • [FireLion]"

The following programs are terminated:

  • game_y.exe
  • cmd.exe

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection]

The worm may delete files stored in the following folders:

  • %homedrive%\System Volume Information\

The worm may execute the following commands:

  • cmd.exe /C AT /delete /yes
  • cmd.exe /c AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %install_dir%\gphone.exe
  • cmd.exe /c cacls "%homedrive%\system volume information" /e /g "%username%" :f

The worm quits immediately if the following file is present:

  • c:\god.txt

The worm may restart the operating system.
