Virus Characteristics
This is a detection for a worm written using AutoHotKey scripts that spreads via removable drives.
Upon execution the worm drops the following files:
- %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\2.mp3 (56,467 bytes) --> Media file
- %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\drivelist.txt (72 bytes) --> List of drives it tries to replicate to
- %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Icon.ico (318 bytes) --> Icon file
- %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\Install.txt (8,743 bytes) --> AutoHotKey script
- %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\pathlist.txt (varies) --> List of drives the worm has been copied to
- %Temp%\MicrosoftPowerPoint\MicrosoftPowerPoint\svchost.exe (239,104 bytes) --> Copy of the worm
- c:\heap41a\2.mp3 (56,467 bytes) --> Media file played when the alert box is displayed
- c:\heap41a\drivelist.txt (72 bytes) --> List of drives to scan for
- c:\heap41a\Icon.ico (318 bytes) --> Icon file
- c:\heap41a\reproduce.txt (834 bytes) --> AutoHotKey script for registry manipulation
- c:\heap41a\script1.txt (3,588 bytes) --> AutoHotKey script for message box creation
- c:\heap41a\std.txt (439 bytes) --> AutoHotKey script for registry manipulation and for running the other scripts
- c:\heap41a\svchost.exe (239,104 bytes) --> Copy of the worm
- c:\heap41a\offspring\autorun.inf (21 bytes) --> Used to autorun the worm when the drive is accessed
Creates the following registry value so that the worm is launched at system startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"winlogon"= "C:\heap41a\svchost.exe C:\heap41a\std.txt"
Disables the "Show hidden files and folders" option in Folder Options by setting the following registry value:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"
The worm also prevents the user from accessing certain websites such as orkut.com and youtube.com, and displays a message box as shown below.
