Win32/AutoRun.Agent.ABK [Threat Name]

Win32/AutoRun.Agent.ABK [Threat Variant Name]

Category: worm
Size: 61448 B
Aliases: Net-Worm.Win32.Kolab.afxa (Kaspersky)
  W32/Autorun.worm.aabl.virus (McAfee)
  Worm:Win32/Rorpian (Microsoft)
  W32.SillyFDC.BDP (Symantec)
  Win32:Zboter-E (Avast)
Short description

Win32/AutoRun.Agent.ABK is a worm that spreads via shared folders and removable media. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %temp%\srv%variable%.tmp

A string with variable content is used instead of %variable%.


The worm creates the following file:

  • %temp%\srv%variable%.ini

The worm registers itself as a system service using the following name:

  • srv%variable%

This causes the worm to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srv%variable%\Parameters]
    • "servicedll" = "%temp%\srv%variable%.tmp"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "netsvc" = "%originalvalue%, srv%variable%"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srv%variable%]
    • "ImagePath" = "%systemroot%\system32\svchost.exe -k netsvcs"
    • "ObjectName" = "LocalSystem"
    • "ErrorControl" = 1
    • "Start" = 2
    • "Type" = 32
    • "ServiceDll" = "%temp%\srv%variable%.tmp"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\srv%variable%]
    • "(Default)" = "service"

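An added detection example, not code from ESET or from the page: it parses a constructed registry snapshot written in the same [key] / "name" = "value" notation as the list above and flags svchost netsvcs group members whose ServiceDll lives under %temp% or that are also registered under SafeBoot\Minimal, the combination this worm installs. The snapshot contents, the service name srv3f9a and the helper names are assumptions.

```python
import re
# Constructed snapshot (not from a real host) in the same [key] / "name" = "value"
# notation the description uses; "srv3f9a" stands in for the worm's srv%variable%.
SNAPSHOT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = "BITS, srv3f9a"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll" = "%systemroot%\system32\qmgr.dll"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srv3f9a\Parameters]
"ServiceDll" = "%temp%\srv3f9a.tmp"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\srv3f9a]
"(Default)" = "service"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"?([^"]*)"?$')
SERVICES = r'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'
SVCHOST = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
SAFEBOOT = r'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal'

def parse_snapshot(text):
    """Return {key_path: {value_name: value}}, lower-casing keys and value names."""
    reg, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if (m := KEY_RE.match(line)):
            current = m.group(1).lower()
            reg.setdefault(current, {})
        elif (m := VAL_RE.match(line)) and current is not None:
            reg[current][m.group(1).lower()] = m.group(2)
    return reg

def find_suspicious_netsvcs(reg):
    """Flag netsvcs members with a missing or %temp%-resident ServiceDll; note SafeBoot."""
    svchost = reg.get(SVCHOST.lower(), {})
    members = svchost.get("netsvcs") or svchost.get("netsvc", "")  # page names it "netsvc"
    findings = []
    for name in (n.strip() for n in members.split(",") if n.strip()):
        params = reg.get("\\".join([SERVICES, name, "Parameters"]).lower(), {})
        dll, reasons = params.get("servicedll"), []
        if dll is None:
            reasons.append("no ServiceDll under Parameters")
        elif dll.lower().startswith("%temp%") or "\\temp\\" in dll.lower():
            reasons.append("ServiceDll under temp: " + dll)
        if (SAFEBOOT + "\\" + name).lower() in reg:  # survives Safe Mode boot
            reasons.append("registered under SafeBoot\\Minimal")
        if reasons:
            findings.append((name, reasons))
    return findings
```

On a live host the same logic applies to a `reg export` of these keys; legitimate netsvcs members resolve to DLLs under %systemroot%, never %temp%.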
Spreading on removable media

Win32/AutoRun.Agent.ABK is a worm that spreads via removable media.


The worm copies itself into the root folders of removable drives using the following name:

  • setup%variable%.fon

A string with variable content is used instead of %variable%.


The following files are dropped in the same folder:

  • myporno.avi.lnk
  • pornmovs.lnk
  • setup%variable%.lnk

These are shortcuts to the worm's file.


It exploits the CVE-2010-2568 vulnerability.


The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.


Spreading

The worm tries to copy itself into shared folders of machines on a local network.


It copies itself into folders shared by remote machines using the following name:

  • setup%variable%.fon

A string with variable content is used instead of %variable%.


The following files are dropped in the same folder:

  • myporno.avi.lnk
  • pornmovs.lnk
  • setup%variable%.lnk

These are shortcuts to the worm's file.


It exploits the CVE-2010-2568 vulnerability.


Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of 4 URLs. The HTTP protocol is used.


The worm can download a file from the Internet. The file is stored in the following location:

  • %temp%\%variable%.tmp

The file is then executed.


A string with variable content is used instead of %variable%.


The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileNameOperations]

It connects to remote machines and tries to exploit the CVE-2008-4250 vulnerability.


If successful, the remote computer may attempt to download a copy of the worm from the Internet.
