Win32/HoudRat [Threat Name]
Win32/HoudRat.A [Threat Variant Name]
Category | trojan, worm
Size | 3617960 B
Aliases | Worm.Win32.AutoIt.aku (Kaspersky), Worm:Win32/Usbitna.A (Microsoft), W32/Autorun.worm.ga.virus (McAfee)
Short description
The worm serves as a backdoor. It can be controlled remotely. It is written in AutoIt.
Installation
When executed, the worm copies itself into the following location:
- C:\AntiShortCut\AntiUsbShortCut.zip
The worm creates the following files:
- C:\AntiShortCut\AntiUsb.exe
- C:\AntiShortCut\BrowsingHistoryView.exe (336480 B, Win32/BrowsingHistoryView.A)
- C:\AntiShortCut\BrowsingHistoryView.cfg (596 B)
The worm creates copies of the following files (source, destination):
- %currentfolder%\*.*, C:\AntiShortCut\*.*
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "AntiShortCutUpdate" = "C:\AntiShortCut\AntiUsb.exe C:\AntiShortCut\AntiUsbShortCut.zip"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "AntiUsbShortCut" = "cmd.exe /c start C:\AntiShortCut\AntiUsb.exe C:\AntiShortCut\AntiUsbShortCut.zip & exit"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "AntiShortCutUpdate" = "C:\AntiShortCut\AntiUsb.exe C:\AntiShortCut\AntiUsbShortCut.zip"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "AntiUsbShortCut" = "cmd.exe /c start C:\AntiShortCut\AntiUsb.exe C:\AntiShortCut\AntiUsbShortCut.zip & exit"
The worm creates the following files:
- %commonstartup%\AntiWormUpdate.lnk
- %commonstartup%\AntiUsbWormUpdate.lnk
These are shortcuts to files of the worm.
This causes the worm to be executed on every system start.
The following Registry entry is set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = 0
The worm terminates its execution if it detects that it's running in a specific virtual environment.
The worm quits immediately if it detects a running process containing one of the following strings in its name:
- avguard.exe
- avp.exe
- BehaviorDumper.exe
- FakeHTTPServer.exe
- FakeServer.exe
- FortiTracer.exe
- fsbwsys.exe
- guninraik.exe
- kavmm.exe
- kavsvc.exe
- nod32kui.exe
- procmon.exe
- SbieSvc.exe
- tcpview.exe
- VBoxService.exe
- VBoxTray.exe
- vmacthlp.exe
- vmtoolsd.exe
- VMwareService.exe
- VMwareUser.exe
- zonealarm.exe
The worm quits immediately if any of the following folders/files is detected:
- C:\CWSandbox\
- C:\python26\
- C:\cuckoo\
The worm quits immediately if it detects a running process containing one of the following strings in its path:
- C:\virus\
- artifact
- sample
Spreading
Win32/HoudRat.A is a worm that spreads via removable media.
The worm copies itself to the following locations:
- %drive%\AntiUsbShortCut\AntiUsbShortCut.zip
The following file is created in the same folders:
- AntiUsb.exe
The worm creates the following files:
- %drive%\My Pictures.lnk
- %drive%\My Videos.lnk
- %drive%\My Downloads.lnk
These are shortcuts to files of the worm.
The worm searches for files and folders in the root folders of removable drives.
When the worm finds a file matching the search criteria, it creates a new file.
The file is a shortcut to a malicious file.
The name of the file may be based on the name of an existing file or folder.
Information stealing
The worm collects the following information:
- web browser history
- user name
- computer name
- operating system version
- installed antivirus software
The worm is able to log keystrokes.
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of 6 URLs. The worm generates various URL addresses.
The HTTP and TCP protocols are used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- execute shell commands
- capture screenshots
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- send the list of running processes to a remote computer
- send requested files
- terminate running processes
- shut down/restart the computer
- visit a specific website
- display a dialog window
- stop itself for a certain time period
The worm may display the following message: