Saturday, June 21, 2008

TR/Autorun.27648 - Trojan

Virus: TR/Autorun.27648
Date discovered: 19/05/2008
Type: Trojan
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Medium
Static file: Yes
File size: 27648 bytes
MD5 checksum: 25df082e988842e1604b5a893572a083
IVDF version: 7.00.04.62

General Method of propagation:
• Mapped network drives


Aliases:
• Mcafee: W32/Autorun.worm.f
• Kaspersky: Worm.Win32.AutoRun.cpi
• F-Secure: Worm.Win32.AutoRun.cpi
• Sophos: W32/Autorun-BC
• Grisoft: Worm/Generic.FNV
• Eset: Win32/AutoRun.GR
• Bitdefender: Worm.Autorun.Delf.H


Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003


Side effects:
• Disable security applications
• Downloads files
• Drops files
• Lowers security settings
• Registry modification

Files
It copies itself to the following locations:
• %WINDIR%\system.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Explorer.exe
• %drive%\auto.exe



The following files are created:

• %drive%\autorun.inf
This is a non-malicious text file with the following content:
%code that runs malware%
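The autorun.inf written to the drive root is what turns the copied auto.exe into an infection once the drive is opened in Explorer. As an added example (not Avira's code, and not the file from this report), the following Python script parses an autorun.inf and lists every directive that would launch a program, so an analyst can review removable or mapped drives before trusting them. The two sample files embedded in it are constructed.

```python
"""Inspect an autorun.inf for directives that launch a program from the root of
a removable or mapped drive, the propagation vector described for this worm
(auto.exe placed beside autorun.inf). Added example, not Avira's code; the two
sample files below are constructed, not captured from an infection."""
import configparser
import sys

LAUNCH_KEYS = {"open", "shellexecute"}   # run on media insertion or double-click
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}; the file is INI-style."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",), empty_lines_in_values=False)
    cp.optionxform = str.lower            # Windows matches keys case-insensitively
    cp.read_string(text)
    return dict(cp.items("autorun")) if cp.has_section("autorun") else {}


def review_findings(text):
    """List the directives that warrant review before the drive is trusted."""
    hits = []
    for key, value in parse_autorun(text).items():
        target = (value or "").strip().strip('"').lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append(f"{key} launches {target}")
        elif key == "icon" and target.split(",")[0].endswith(EXEC_EXT):
            # The icon is read from an executable on the drive: a program is already there.
            hits.append(f"icon read from executable {target}")
    return hits


# Constructed sample resembling a drive-root launcher (not the file from the report).
SAMPLE_AUTORUN = """[autorun]
open=auto.exe
shell\\open=Open
shell\\open\\command=auto.exe
icon=auto.exe,0
useautoplay=1
"""

# Constructed sample of a harmless vendor disc: label and icon only.
BENIGN_AUTORUN = """[autorun]
label=Vendor Disc
icon=disc.ico
"""

if __name__ == "__main__":
    # Usage: python autorun_check.py E:\autorun.inf ...  (defaults to the sample)
    for path in sys.argv[1:] or [None]:
        text = open(path, errors="replace").read() if path else SAMPLE_AUTORUN
        for hit in review_findings(text) or ["no launch directives"]:
            print(f"{path or 'sample'}: {hit}")
```

Any `open`, `shellexecute` or `shell\...\command` entry on a removable drive deserves a look; an `icon` that points into an executable at the drive root is reported as well, because it shows the program is already sitting next to the autorun.inf. The `NoDriveTypeAutoRun` value this worm sets to 0x91 is, ironically, the same setting an administrator uses to stop autorun on removable and network drives.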




It tries to download some files:

– The locations are the following:
• http://72.232.108.82/~grimsby/**********/button1.jpg
• http://72.232.108.82/~grimsby/**********/button1.pdf
• http://72.232.108.82/~grimsby/**********/button1.png
• http://72.232.141.84/~cgitnet/**********/ChangeLog.pdf
• http://72.232.141.84/~cgitnet/**********/ChangeLog.png
• http://72.232.141.84/~cgitnet/**********/ChangeLog.txt
• http://72.232.208.150/~aryacdc/**********/toc.gif
• http://72.232.208.150/~aryacdc/**********/toc.pdf
• http://72.232.208.150/~aryacdc/**********/toc.png
• http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.pdf
• http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.png
• http://206.221.179.205/~ampedmed/Forums/**********/xand/upgrade.tpl
• http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.pdf
• http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.png
• http://216.246.30.66/~mkshost/forums/**********/subSilver/upgrade.tpl
At the time of writing, these files were not online for further investigation.



It tries to execute the following file:

– Filename:
%PROGRAM FILES%\Internet Explorer\iexplore.exe
using the following command line arguments: http://70.86.197.82/~ohnishi/**********/test2.htm

Registry
The following registry keys, including all values and subkeys, are removed:
• [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}]
• [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}]



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Bkav2006.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\IEProt.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\bdss.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\vsserv.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\bdagent.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\xcommsvr.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\livesrv.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\worm2007.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\PFW.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Kav.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVOL.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVFW.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TBMon.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kav32.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvwsc.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\CCAPP.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\EGHOST.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KRegEx.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kavsvc.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\VPTray.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RAVMON.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KavPFW.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\SHSTAT.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavTask.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\TrojDie.kxp.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Iparmor.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MAILMON.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MCAGENT.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KAVPLUS.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavMonD.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Rtvscan.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Nvsvc32.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVMonXP.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\Kvsrvxp.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\CCenter.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KpopMon.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RfwMain.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KWATCHUI.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MCVSESCN.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\MSKAGENT.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kvolself.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVCenter.kxp.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\kavstart.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RAVTIMER.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RRfwMain.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\FireTray.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\UpdaterUI.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\KVSrvXp_1.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\RavService.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\icesword.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\cmd.exe]
• Debugger = system.exe

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\far.exe]
• Debugger = system.exe



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• Shell = Explorer.exe
• Userinit = %SYSDIR%\userinit.exe
New value:
• Shell = Explorer.exe, System
• Userinit = %SYSDIR%\userinit.exe, System

– [HKCU\Software\Yahoo\pager\View\YMSGR_buzz]
New value:
• content url = http://clickmanu.com

– [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast]
New value:
• content url = http://clickmanu.com

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableTaskMgr = 1
• DisableRegistryTools = 1

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableTaskMgr = 1
• DisableRegistryTools = 1

Internet Explorer's start page:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
Old value:
• Start Page = %user defined settings%
New value:
• Start Page = http://clickmanu.com

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• NoDriveTypeAutoRun = dword:00000091
• NoRun = 1
• NoFolderOptions = 1

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• Hidden = 2
• ShowSuperHidden = 0
• HideFileExt = 1

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL]
New value:
• CheckedValue = 0

– [HKCU\Software\Microsoft\Command Processor]
New value:
• EnableExtensions = 0

– [HKCU\Software\Microsoft\Internet Explorer\New Windows]
New value:
• PopupMgr = 0

Process termination
It disallows running processes whose filename contains one of the following strings:
• Bkav2006.exe; IEProt.exe; bdss.exe; vsserv.exe; bdagent.exe;
xcommsvr.exe; livesrv.exe; worm2007.exe; PFW.exe; Kav.exe; KVOL.exe;
KVFW.exe; TBMon.exe; kav32.exe; kvwsc.exe; CCAPP.exe; EGHOST.exe;
KRegEx.exe; kavsvc.exe; VPTray.exe; RAVMON.exe; KavPFW.exe;
SHSTAT.exe; RavTask.exe; TrojDie.kxp.exe; Iparmor.exe; MAILMON.exe;
MCAGENT.exe; KAVPLUS.exe; RavMonD.exe; Rtvscan.exe; Nvsvc32.exe;
KVMonXP.exe; Kvsrvxp.exe; CCenter.exe; KpopMon.exe; RfwMain.exe;
KWATCHUI.exe; MCVSESCN.exe; MSKAGENT.exe; kvolself.exe;
KVCenter.kxp.exe; kavstart.exe; RAVTIMER.exe; RRfwMain.exe;
FireTray.exe; UpdaterUI.exe; KVSrvXp_1.exe; RavService.exe;
icesword.exe; cmd.exe; far.exe

List of services that are disabled:
• sharedaccess; RsCCenter; RsRavMon; KVWSC; KVSrvXP; McAfeeFramework;
McShield; McTaskManager; navapsvc; wscsvc; KPfwSvc; SNDSrvc; ccProxy;
ccEvtMgr; ccSetMgr; SPBBCSvc; Symantec Core LC; NPFMntor; MskService;
FireSvc
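The three registry sections above (the Image File Execution Options keys with `Debugger = system.exe`, the changed Winlogon, policy and Explorer values, and the disabled services) are the artefacts an incident responder would look for on a suspect machine. As an added example, not Avira's tooling, the following Python script parses a `.reg` export and reports each of those artefacts; the export text embedded in it is constructed to resemble an infected host, not a real capture, and the parser understands only `"name"="string"` and `dword:` values.

```python
"""Scan a Windows registry export (.reg text) for the artefacts listed for
TR/Autorun.27648: IFEO Debugger hijacks, Winlogon Shell/Userinit injection,
flipped policy and Explorer settings, and disabled security services.
Added example, not Avira's tooling; "a"="b" and dword: values are parsed,
anything else is kept raw."""
import re
import sys

IFEO = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
        "\\image file execution options\\")
WINLOGON = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"

# (key suffix, value name, tampered value) from the advisory's "New value" lists.
SETTING_CHECKS = [
    ("\\policies\\system", "disabletaskmgr", 1),
    ("\\policies\\system", "disableregistrytools", 1),
    ("\\policies\\explorer", "norun", 1),
    ("\\policies\\explorer", "nofolderoptions", 1),
    ("\\explorer\\advanced", "showsuperhidden", 0),
    ("\\explorer\\advanced", "hidefileext", 1),
    ("\\explorer\\advanced\\folder\\hidden\\showall", "checkedvalue", 0),
]
# Services the advisory lists as disabled; Start=4 is SERVICE_DISABLED.
TARGETED_SERVICES = {s.lower() for s in (
    "sharedaccess", "RsCCenter", "RsRavMon", "KVWSC", "KVSrvXP", "McAfeeFramework",
    "McShield", "McTaskManager", "navapsvc", "wscsvc", "KPfwSvc", "SNDSrvc", "ccProxy",
    "ccEvtMgr", "ccSetMgr", "SPBBCSvc", "Symantec Core LC", "NPFMntor", "MskService",
    "FireSvc")}
_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<raw>.*)$')


def parse_reg(text):
    """Return {key path: {value name: value}} with paths and names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        raw = m.group("raw")
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw                                 # hex:, hex(2): etc. left raw
        keys[current][(m.group("name") or "@").lower()] = value
    return keys


def findings(keys):
    """Return (key, value name, value, reason) tuples for every tampered setting."""
    out = []
    for key, values in keys.items():
        if key.startswith(IFEO) and "debugger" in values:
            out.append((key, "debugger", values["debugger"],
                        "IFEO hijack: %s starts the Debugger instead" % key[len(IFEO):]))
        if key == WINLOGON:
            shell = str(values.get("shell", "explorer.exe")).strip().lower()
            if shell != "explorer.exe":
                out.append((key, "shell", values["shell"], "extra Shell program injected"))
            userinit = str(values.get("userinit", ""))
            if len([p for p in userinit.split(",") if p.strip()]) > 1:
                out.append((key, "userinit", userinit, "extra Userinit program injected"))
        if key.startswith(SERVICES):
            svc = key[len(SERVICES):]
            if svc in TARGETED_SERVICES and values.get("start") == 4:
                out.append((key, "start", 4, "security service %s disabled" % svc))
        for suffix, name, bad in SETTING_CHECKS:
            if key.endswith(suffix) and values.get(name) == bad:
                out.append((key, name, bad, "security/visibility setting flipped"))
    return out


# Constructed export resembling a host hit by this family (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
"Debugger"="system.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, System"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, System"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    # Usage: python reg_check.py hklm.reg  (regedit exports are UTF-16 with a BOM)
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, value, reason in findings(parse_reg(text)):
        print(f"{reason}: [{key}] {name} = {value!r}")
```

Every `Debugger` value under Image File Execution Options is reported, because outside a developer workstation there is rarely a legitimate one, and a value that points to a file in `%WINDIR%` rather than a real debugger is the pattern shown above. The two SafeBoot keys the worm deletes cannot be seen in an export of what remains, so their absence under `SafeBoot\Minimal` and `SafeBoot\Network` has to be checked separately when deciding whether Safe Mode is still usable for clean-up.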

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX
http://www.avira.com/en/threats/section/fulldetails/id_vir/4192/tr_autorun.27648.html
