For Home

Virus Profile: W32/Autorun.worm.cj

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/2/2008
Date Added: 5/2/2008
Origin: N/A
Length: varies
Type: Virus
Subtype: Worm
DAT Required: 5287
Removal Instructions
   
 
 
   

Description

This is virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

File Information –

    • MD5   - bf35c5e7fca040e42f8ad5bd4eaabd78
    • SHA1 - 29912ea135df074924b090dac643f3b0942faf11

Aliases –

    • BitDefender - Trojan.Generic.KD.170515
    • DrWeb - Win32.HLLW.Podol.1
    • GData - Trojan.Generic.KD.170515
    • Symantec - Trojan horse

Indication of Infection

    • Presence of above mentioned files and registry keys
    • Presence of above mentioned activities.
    • Also it connects to the following IP addresses
      • 82.192.[removed]
      • 188.138.[removed]

 

Methods of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

   

Virus Characteristics

Upon execution, the Worm injects into the legitimate process spoolsv.exe and connects to the IP Address 94.75.[removed] through port 80 to download other malicious files.

The worm copies itself into below mentioned location:

    • %Temp%\srv674.tmp

Also it drops the following file:

    • %Temp%\srv674.ini

The following registry keys have been added to the system

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srv674
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv674
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv674\parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv674\Security
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\IETld
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\IETld
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld

The following registry values have been added

    • HKEY_LOCAL_MACHINEM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srv674\
      = "service"
    • HKEY_LOCAL_MACHINEM\SYSTEM\ControlSet001\Services\srv674\Security\
      Security  = path of the malware
    • HKEY_LOCAL_MACHINEM\SYSTEM\ControlSet001\Services\srv674\parameters\servicedll = "%Temp%\srv674.dll"
    • HKEY_LOCAL_MACHINEM\SYSTEM\ControlSet001\Services\srv674\
      Type = 0x00000020
      Start = 0x00000002
      ErrorControl = 0x00000001
      ImagePath = "%systemroot%\system32\svchost.exe -k netsvcs"
      DisplayName = "srv674"
      ObjectName = "LocalSystem"
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\
      TLDUpdates = 0x00000001
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0x00000000
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\
      IETldDllVersionHigh = 0x00080000
      IETldDllVersionLow = 0x177149EB
      IETldVersionHigh = 0x00000001
      IETldVersionLow = 0x00000003
      StaleIETldCache = 0x00000001
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\
      CachePath = "%USERPROFILE%\IETldCache"
      CachePrefix = "ietld ="
      CacheLimit = 0x00002000
      CacheOptions = 0x00000009
      CacheRepair = 0x00000000
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
      AutoDetect = 0x00000000
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\BrowserEmulation\
      TLDUpdates = 0x00000001
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\IETld\
      IETldDllVersionHigh = 0x00080000
      IETldDllVersionLow = 0x177149EB
      IETldVersionHigh = 0x00000001
      IETldVersionLow = 0x00000003
      StaleIETldCache = 0x00000001
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\
      CachePath = "%USERPROFILE%\IETldCache"
      CachePrefix = "ietld ="
      CacheLimit = 0x00002000
      CacheOptions = 0x00000009
      CacheRepair = 0x00000000
    • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
      AutoDetect = 0x00000000

This Trojan also attempts to create an autorun.inf file on the root of any accessible disk volumes:

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

[autorun]
Action = Open folder to view files
rundll32.exe setup50039.fon
shell\open\command = rundll32.exe setup50039.fon
Icon = %windir%\system32\shell32.dll,4
useautoplay = 1

Also it creates the following short cut files into the removable drives:

    • [Removable Drive:]\pornmovs.lnk
    • [Removable Drive:]\myporno.avi.lnk
    • [Removable Drive:]\setup50039.lnk

The following folder has been added to the system
    • [System Drive:]\Documents and Settings\LocalService\IETldCache

Note: [%Temp% - C:\Documents and Settings\UserName\Local Settings\Temp]

 

   

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.