Win32/Tifaut [Threat Name]

Win32/Tifaut.B [Threat Variant Name]

Category: worm
Size: 511948 B
Aliases: Worm.Win32.AutoIt.mm (Kaspersky)
         W32.Harakit (Symantec)
         Worm:AutoIt/Renocide.gen!A (Microsoft)
Short description

Win32/Tifaut.B is a worm that spreads by copying itself into the root folders of available drives. The worm contains a backdoor. It can be controlled remotely. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself to the following locations:

  • %system%\csrcs.exe
  • %system%\cftmem.exe
  • %system%\cftm.exe
  • %system%\alokium.exe
  • %system%\%variable1%.exe

The following files are dropped:

  • %system%\autorun.inf
  • %system%\%variable1%.au3
  • %temp%\aut%variable2%.tmp
  • %temp%\%variable3%
  • %temp%\suicide.bat

A string with variable content is used instead of %variable1-3%.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "csrcs" = "%system%\csrcs.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "csrcs" = "%system%\csrcs.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "csrcs" = "%system%\csrcs.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "csrcs" = "%system%\csrcs.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "csrcs" = "%system%\csrcs.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "csrcs" = "%system%\csrcs.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "cftmem" = "%system%\cftmem.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "cftmem" = "%system%\cftmem.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "cftmem" = "%system%\cftmem.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe csrcs.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "SupperHidden" = 0
    • "ShowSupperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 1

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%filepath%" = "%filepath:*:Enabled:Windows Life Messenger"

This entry creates an exception for the worm's executable in the Windows Firewall.
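The registry changes listed in this section are what an analyst would hunt for on other hosts. As an added example (not part of the ESET write-up, and not ESET's code), the following Python checker takes exported registry values and flags the autostart entries, the modified Winlogon Shell value, the forced Explorer "hidden files" settings and the firewall exception. The Winlogon rule is written generically, so it reports any program chained after Explorer.exe, not only csrcs.exe. SAMPLE_VALUES is constructed for the demonstration and assumes C:\WINDOWS\system32 as %system%.

```python
"""Added example (not from the ESET write-up): flag Win32/Tifaut.B persistence
indicators in a list of exported registry values.

Input: (key, value_name, data) triples, as a registry export or an EDR query
returns them. Output: findings with a severity. SAMPLE_VALUES is constructed
for the demonstration and uses C:\\WINDOWS\\system32 as %system%.
"""
import ntpath

# Executable names the write-up lists for the worm's copies in %system%.
WORM_EXE_NAMES = {"csrcs.exe", "cftmem.exe", "cftm.exe", "alokium.exe"}
# Value names the worm uses inside the autostart keys.
WORM_AUTOSTART_VALUES = {"csrcs", "cftmem"}
# Autostart key suffixes; the worm writes both the HKLM and the HKCU variant.
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)
WINLOGON_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
ADVANCED_SUFFIX = r"\software\microsoft\windows\currentversion\explorer\advanced"
FIREWALL_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
# Explorer view settings the worm forces (value names as the write-up spells them).
# They are also the defaults on many hosts, so on their own they are weak signals.
HIDDEN_VIEW_VALUES = {"hidden": "2", "supperhidden": "0", "showsupperhidden": "0"}


def executables_in(command):
    """Lower-cased file name of each whitespace-separated token:
    'Explorer.exe csrcs.exe' -> ['explorer.exe', 'csrcs.exe']."""
    return [ntpath.basename(tok.strip('"')).lower() for tok in command.split()]


def check_registry(values):
    """Return a list of (severity, rule, key, value_name, data) findings."""
    findings = []
    for key, name, data in values:
        k, n, d = key.lower(), name.lower(), str(data)
        if k.endswith(AUTOSTART_SUFFIXES):
            # Either the worm's value name or its executable in an autostart key.
            if n in WORM_AUTOSTART_VALUES or set(executables_in(d)) & WORM_EXE_NAMES:
                findings.append(("high", "tifaut-autostart", key, name, d))
        elif k.endswith(WINLOGON_SUFFIX) and n == "shell":
            # A clean Shell value is exactly explorer.exe; the worm appends csrcs.exe.
            # The rule is generic: any program chained after Explorer here is suspect.
            if executables_in(d) != ["explorer.exe"]:
                findings.append(("high", "winlogon-shell-tampered", key, name, d))
        elif k.endswith(ADVANCED_SUFFIX) and n in HIDDEN_VIEW_VALUES:
            if d == HIDDEN_VIEW_VALUES[n]:
                findings.append(("low", "hidden-files-suppressed", key, name, d))
        elif k.endswith(FIREWALL_SUFFIX):
            # Data has the form <path>:*:Enabled:<display name>.
            path, sep, _ = d.partition(":*:")
            if sep and ntpath.basename(path).lower() in WORM_EXE_NAMES:
                findings.append(("high", "firewall-exception-for-worm", key, name, d))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 5, 'low': 2}."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample: two benign entries plus the entries the write-up describes.
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE_VALUES = [
    (HKLM_RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (HKCU_ADV, "HideFileExt", 1),
    (HKLM_RUN, "csrcs", r"C:\WINDOWS\system32\csrcs.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "csrcs", r"C:\WINDOWS\system32\csrcs.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "cftmem", r"C:\WINDOWS\system32\cftmem.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", "Explorer.exe csrcs.exe"),
    (HKCU_ADV, "Hidden", 2),
    (HKCU_ADV, "ShowSupperHidden", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     r"C:\WINDOWS\system32\csrcs.exe",
     r"C:\WINDOWS\system32\csrcs.exe:*:Enabled:Windows Life Messenger"),
]

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_VALUES):
        print(finding)
    print(summarize(check_registry(SAMPLE_VALUES)))
```

The "hidden-files-suppressed" rule is reported as low severity on purpose: Hidden = 2 is the default on many installations, so it only adds weight when it appears together with an autostart or Winlogon hit on the same host.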

Spreading

The worm copies itself into the root folders of local and remote drives.


The following names are used:

  • %drive%\alokium.exe
  • %drive%\%random%.exe

A string with variable content is used instead of %random%.


The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm creates the following file:

  • %drive%\khq (0 B)
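The drive-root artefacts described in this section (a copy of the worm, an autorun.inf beside it and the empty khq marker) can be checked for with a small scanner. The following Python is an added example, not part of the ESET write-up and not ESET's code. Its autorun.inf check is written generically: it flags any autorun.inf that launches an executable stored in the same root, which also catches the %random%.exe copy whose name cannot be known in advance. The sample drive root it builds is constructed in a temporary directory, and the stand-in "executable" is a few bytes rather than a real binary.

```python
"""Added example (not from the ESET write-up): scan a drive root for the
removable-media artefacts Win32/Tifaut.B leaves behind.

The write-up says the worm copies itself into the root of each drive as
alokium.exe or a random name, drops an autorun.inf beside it and creates an
empty file named khq. The sample drive root is constructed in a temporary
directory; the stand-in "executable" is a few bytes, not a real binary.
"""
import os
import tempfile

KNOWN_WORM_COPIES = {"alokium.exe"}   # names the write-up gives
MARKER_FILE = "khq"                   # zero-byte marker the worm creates


def parse_autorun_inf(text):
    """Return the programs an autorun.inf would launch, in order, without repeats.

    Only the [autorun] section is read; 'open', 'shellexecute' and any
    'shell\\<verb>\\command' entry name a program to run.
    """
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value.split():
            prog = value.split()[0].strip('"')       # first token is the program
            if prog.startswith(".\\"):
                prog = prog[2:]
            if prog not in targets:
                targets.append(prog)
    return targets


def scan_drive_root(root):
    """Return (rule, detail) findings for one drive root directory."""
    findings = []
    try:
        entries = {e.lower(): e for e in os.listdir(root)}
    except OSError as exc:
        return [("unreadable-root", str(exc))]
    # 1. The empty khq marker.
    if MARKER_FILE in entries:
        path = os.path.join(root, entries[MARKER_FILE])
        if os.path.isfile(path) and os.path.getsize(path) == 0:
            findings.append(("tifaut-khq-marker", path))
    # 2. A copy under one of the names the write-up lists.
    for name in sorted(KNOWN_WORM_COPIES & set(entries)):
        findings.append(("tifaut-known-copy", os.path.join(root, entries[name])))
    # 3. An autorun.inf that launches an executable sitting in the same root.
    #    This is the generic form of the check and also catches the random-name copy.
    if "autorun.inf" in entries:
        inf = os.path.join(root, entries["autorun.inf"])
        with open(inf, "r", errors="replace") as fh:
            targets = parse_autorun_inf(fh.read())
        for target in targets:
            t = target.lower()
            if t in entries and t.endswith(".exe"):
                findings.append(("autorun-launches-root-exe",
                                 f"{inf} -> {os.path.join(root, entries[t])}"))
    return findings


def build_sample_root(infected=True):
    """Create a temporary directory laid out like an infected or a clean drive root."""
    root = tempfile.mkdtemp(prefix="tifaut-demo-")
    if infected:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\r\nopen=alokium.exe\r\n"
                     "shell\\open\\command=alokium.exe\r\n"
                     "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
        with open(os.path.join(root, "alokium.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)   # constructed stand-in, not a real PE
        open(os.path.join(root, MARKER_FILE), "wb").close()
    else:
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("holiday photos\n")
    return root


if __name__ == "__main__":
    for finding in scan_drive_root(build_sample_root(infected=True)):
        print(finding)
```

To use it on a real host, call scan_drive_root on each mounted drive root (for example "E:\\"). Because the spreading step relies on Autorun processing the dropped autorun.inf, disabling AutoRun for removable drives through policy (the NoDriveTypeAutoRun setting) removes the execution vector even where the files are present.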

Other information

The worm acquires data and commands from a remote computer or the Internet.


It can be controlled remotely.


The worm contains a list of (4) URLs. The HTTP protocol is used.


It can execute the following operations:

  • create Registry entries
  • delete Registry entries
  • collect information about the operating system used
  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • delete cookies
  • remove itself from the infected computer
  • connect to a specific port on remote computers

The worm connects to the following addresses:

  • http://www.whatismyip.com/automation/n09230945.asp
  • http://checkip.dyndns.org/?rnd1=

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM\amty]
    • "%variable4%" = "%variable5%"

A string with variable content is used instead of %variable4-5%.


The following programs are terminated:

  • TeaTimer.exe
  • cmd.exe
  • net.exe
