Virus Profile: W32/Autorun.worm.dw

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 5/9/2008
Date Added: 8/7/2008
Origin: N/A
Length: Varies
Type: Virus
Subtype: Worm
DAT Required: 5293
Description

-- Update November 21, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/11/20/us_army_usb_ban/

--

W32/Autorun.worm.dw has been observed to have worm-like abilities to spread across drives.

Indication of Infection

Presence of an Autorun.inf file on an attached drive that references the DLL export "InstallM" (see the Virus Characteristics section).

Methods of Infection

Autodetection of an inserted USB stick may cause the worm's DLL and an Autorun.inf file to be copied to the USB drive.

Virus Characteristics

W32/Autorun.worm.dw was previously classified as Downloader-BIP. This Autorun worm has the ability to infect attached drives such as USB drives when they are autodetected.

The following observations were made during the time of testing.

Files have been observed to be downloaded from the following domain:

  • hxxp://worldnews.ath.cx/update/[removed]

The following files were added:

  • %SYSTEM%\[Random Named DLL File]
  • %SYSTEM%\mswmpdat.tlb
  • %SYSTEM%\winview.ocx

On execution, it adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StrtdCfg

The following key/value pairs were added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
    • default = "Java.Runtime.52"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32
    • default = %SYSTEM%\[Random Named DLL File]
    • ThreadingModel = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    • UpdateCheck = {8F147B28-EF39-44A0-B6EC-3CC6F2F08794}

The above keys cause the DLL to be loaded into Explorer, which injects the worm's code into that process. The injected code monitors for newly attached drives such as USB drives. When a drive is detected, the worm creates an Autorun.inf file on it and copies the randomly named DLL to the drive under a new random name. The Autorun.inf file refers to this new DLL's exported function "InstallM". Every time the drive is opened, "InstallM" is executed, which facilitates the worm's spread.
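As an added example (not from this page or its vendor), the two host indicators the page gives can be checked offline in Python: an Autorun.inf that references the "InstallM" export, and a .reg export containing the CLSID and ShellServiceObjectDelayLoad entry listed above. The rundll32 invocation form, the DLL name kjdh73.dll and both sample inputs are constructed assumptions; only the CLSID, key paths and "InstallM" come from the page.

```python
import configparser

# Values taken from the page's registry observations.
WORM_CLSID = "{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID" + "\\" + WORM_CLSID


def autorun_references_installm(inf_text):
    """Return the [autorun] entries whose value names the InstallM export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(inf_text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: v for k, v in parser.items(section) if v and "installm" in v.lower()}


def registry_export_hits(reg_text):
    """Scan .reg export text for the worm's CLSID key and its SSODL load entry."""
    findings, current_key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower().startswith(CLSID_KEY.lower()):
                findings.append("CLSID key present: " + current_key)
        elif (current_key.lower() == SSODL_KEY.lower()
              and WORM_CLSID.lower() in line.lower()):
            findings.append("SSODL load entry: " + line)
    return findings


# Constructed sample Autorun.inf. The rundll32 form and the DLL name are
# assumptions; the page only states that the file references "InstallM".
SAMPLE_AUTORUN_INF = """[autorun]
open=rundll32.exe kjdh73.dll,InstallM
shellexecute=rundll32.exe kjdh73.dll,InstallM
"""

# Constructed .reg export reproducing keys and values listed on the page.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32]
@="C:\\WINDOWS\\system32\\kjdh73.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UpdateCheck"="{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}"
"""
```

A non-empty result from either function on a real drive or export is a reason to run the current engine and DAT files named in the removal instructions.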

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, the following additional steps need to be taken.

Use the Microsoft Recovery Console to restore a clean Master Boot Record (MBR).

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.