Virus Profile: W32/Autorun.worm.aaeh

Risk Assessment: Home Low | Corporate Medium
Date Discovered: 11/28/2012
Date Added: 11/28/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Worm
DAT Required: 6890
Description

W32/Autorun.worm.aaeh is a worm that spreads by copying itself to removable drives and by adding copies of itself to ZIP and RAR files. It hides directories on removable drives and replaces each one with a copy of itself carrying the same filename as the hidden directory. It repeatedly connects to a C&C server, which sends commands to download additional malware or updated copies of the worm.

Indication of Infection

  • Presence of the previously mentioned files.
  • Presence of unexpected network connections to the previously mentioned URLs.
  • Presence of the previously mentioned registry entries.

Methods of Infection

This worm spreads by creating copies of itself on removable storage devices and mounted network shares. It creates an “autorun.inf” so that it executes automatically when the drive is attached to another system with AutoRun enabled.

It sets the directories on the affected drive to hidden and creates copies of itself with the same filename as each hidden directory.

It can also add copies of itself to ZIP and RAR archives.

Virus Characteristics

Upon execution it creates a copy of itself at the following path:

• %UserProfile%\[random].exe

Note: %UserProfile% refers to the current user’s profile folder.

It also creates copies of itself on removable drives with the following filenames:

• Secret.exe
• Sexy.exe
• Porn.exe
• Passwords.exe

and also drops the following 0-byte file on removable drives:

• x.mpeg

It spreads by creating copies of itself on removable storage devices and mounted network shares. It creates an “autorun.inf” so that it executes automatically when the drive is attached to another system with AutoRun enabled.

It sets the directories on the affected drive to hidden and creates copies of itself with the same filename as each hidden directory.

It checks the removable drives for files with the following extensions, sets their attributes to hidden, and creates copies of itself with the same filename as each hidden file:

• mp3
• avi
• wma
• wmv
• wav
• mpg
• mp4
• doc
• txt
• pdf
• xls
• jpg
• jpe
• bmp
• gif
• tif
• png

It adds copies of itself to ZIP and RAR archives. Added copies have the following filename:

• Secret.exe
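The file-level indicators above (an autorun.inf, the dropped copy names, the 0-byte x.mpeg, and hidden folders or media files shadowed by an .exe of the same name) can be checked mechanically. The Python triage script below is an added example and is not McAfee's tooling or code from this profile; the `Entry` class, `triage_drive` and `listing_from_path` functions, and the sample listing are constructed here, and the reading that "same filename" means the hidden item's base name plus `.exe` is an assumption.

```python
"""Triage a removable-drive directory listing for the file-level indicators
listed in the W32/Autorun.worm.aaeh profile (added example, constructed data)."""
import os
from dataclasses import dataclass
from typing import List, Tuple

# Copy names the profile says the worm drops on removable drives.
KNOWN_COPY_NAMES = {"secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}
ZERO_BYTE_MARKER = "x.mpeg"
# Extensions the profile says are set to hidden and shadowed by an .exe copy.
SHADOWED_EXTS = {"mp3", "avi", "wma", "wmv", "wav", "mpg", "mp4", "doc", "txt",
                 "pdf", "xls", "jpg", "jpe", "bmp", "gif", "tif", "png"}


@dataclass(frozen=True)
class Entry:
    """One directory entry as seen on the drive (hypothetical helper type)."""
    name: str
    is_dir: bool
    hidden: bool
    size: int


def listing_from_path(root: str) -> List[Entry]:
    """Build Entry objects from a real directory. The hidden bit comes from the
    Windows file attributes (0x2 = FILE_ATTRIBUTE_HIDDEN); on other platforms
    st_file_attributes is absent and hidden is reported as False."""
    out = []
    with os.scandir(root) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            out.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                             bool(attrs & 0x2), st.st_size))
    return out


def triage_drive(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for every entry matching the profile."""
    by_name = {e.name.lower(): e for e in entries}
    findings = []
    for e in entries:
        low = e.name.lower()
        if low == "autorun.inf" and not e.is_dir:
            findings.append(("autorun.inf present", e.name))
        if low in KNOWN_COPY_NAMES:
            findings.append(("known worm copy name", e.name))
        if low == ZERO_BYTE_MARKER and e.size == 0:
            findings.append(("0-byte marker file", e.name))
        if not e.hidden:
            continue
        # Hidden folder "Photos" beside "Photos.exe", or hidden "holiday.jpg"
        # beside "holiday.exe" (assumed reading of "same filename").
        if e.is_dir:
            stem = low
        else:
            stem, _, ext = low.rpartition(".")
            if ext not in SHADOWED_EXTS:
                continue
        twin = by_name.get(stem + ".exe")
        if twin is not None and not twin.is_dir:
            findings.append(("hidden item shadowed by .exe", f"{e.name} -> {twin.name}"))
    return findings


# Constructed sample listing of an infected drive (sizes are made up).
SAMPLE_LISTING = [
    Entry("autorun.inf", False, True, 120),
    Entry("Photos", True, True, 0),
    Entry("Photos.exe", False, False, 181_248),
    Entry("holiday.jpg", False, True, 2_400_000),
    Entry("holiday.exe", False, False, 181_248),
    Entry("notes.txt", False, False, 900),
    Entry("Secret.exe", False, False, 181_248),
    Entry("x.mpeg", False, False, 0),
]

if __name__ == "__main__":
    for indicator, detail in triage_drive(SAMPLE_LISTING):
        print(f"{indicator:32} {detail}")
```

On a Windows host, `triage_drive(listing_from_path("E:\\"))` runs the same checks against a mounted drive; the sample listing yields five findings, while a clean listing yields none.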

It creates the following registry value so that it executes automatically at startup:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  [malware filename] = "%UserProfile%\[Random name].exe /e"

NOTE: the command-line option /e shown above may differ, as the worm updates it during different stages of its execution. Other possible options include "/g", "/r", "/p" and "/s".

It disables Windows Update by setting the NoAutoUpdate value to 1:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  NoAutoUpdate = dword:00000001

It sets the following registry value to keep the hidden files hidden:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = dword:00000000

It connects to one of the following domains on TCP port 8000, 8003 or 9004:

• ns1.helpupdater.net
• ns1.helpchecks.net
• ns1.helpupdated.com
• ns1.helpupdated.net
• ns1.helpupdated.org
• ns1.helpupdatek.at
• ns1.helpupdatek.eu
• ns1.helpupdatek.tw
• ns1.helpupdates.com
• ns1.helpupdated.co
• ns1.helpupdated.ne
• ns1.helpupdated.or
• ns1.helpupdatek.a
• ns1.helpupdatek.e

Once connected on one of these ports, the C&C server automatically sends a download command containing a link to the file to be downloaded. The worm then attempts to download and execute the file pointed to by that link.
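The persistence and C&C indicators above (the Run value ending in one of the worm's switches, NoAutoUpdate = 1, ShowSuperHidden = 0, and connections to the listed domains on the listed ports) can be checked from a registry export and a connection log. The Python script below is an added example, not McAfee's tooling or code from this profile. The `check_registry_export` and `match_c2` functions and the sample .reg text and log lines are constructed here; the domain list is copied from the profile with exact repeats removed, and the entries that appear truncated on the page are kept as printed and matched as hostname prefixes.

```python
"""Check a Windows registry export and connection-log lines for the persistence
and C&C indicators in the W32/Autorun.worm.aaeh profile (added example)."""
import re
from typing import List, Tuple

# Registry locations exactly as the profile gives them.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# The profile lists /e and says /g, /r, /p and /s are also used.
WORM_SWITCHES = "egrps"

# C&C domains and ports from the profile (exact repeats removed; truncated
# entries kept as printed and used as prefixes below).
C2_DOMAINS = [
    "ns1.helpupdater.net", "ns1.helpchecks.net", "ns1.helpupdated.com",
    "ns1.helpupdated.net", "ns1.helpupdated.org", "ns1.helpupdatek.at",
    "ns1.helpupdatek.eu", "ns1.helpupdatek.tw", "ns1.helpupdates.com",
    "ns1.helpupdated.co", "ns1.helpupdated.ne", "ns1.helpupdated.or",
    "ns1.helpupdatek.a", "ns1.helpupdatek.e",
]
C2_PORTS = {8000, 8003, 9004}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _dword(data: str):
    """Decode a .reg 'dword:XXXXXXXX' value; None if the data is not a dword."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data.strip())
    return int(m.group(1), 16) if m else None


def check_registry_export(text: str) -> List[str]:
    """Scan regedit export text (read a real .reg file with encoding='utf-16')
    and return one finding per indicator from the profile."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        k = key.lower()
        if k == RUN_KEY.lower():
            # String data in a .reg file is quoted and backslashes are doubled.
            target = data.strip().strip('"')
            sw = re.search(r"\.exe\s+/([a-z])$", target, re.I)
            if sw and sw.group(1).lower() in WORM_SWITCHES:
                findings.append(f"Run value {name!r} launches {target}")
        elif k == AU_KEY.lower() and name.lower() == "noautoupdate":
            if _dword(data) == 1:
                findings.append("Windows Update disabled: NoAutoUpdate = 1")
        elif k == ADVANCED_KEY.lower() and name.lower() == "showsuperhidden":
            if _dword(data) == 0:
                findings.append("ShowSuperHidden = 0 (super-hidden files stay hidden)")
    return findings


_HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]+", re.I)
_PORT_RE = re.compile(r":(\d{2,5})\b")


def match_c2(log_lines: List[str]) -> List[Tuple[str, bool]]:
    """Return (hostname, on_listed_port) for every log line naming a C&C host."""
    hits = []
    for line in log_lines:
        for host in _HOST_RE.findall(line):
            h = host.lower()
            if any(h == d or h.startswith(d) for d in C2_DOMAINS):
                ports = {int(p) for p in _PORT_RE.findall(line)}
                hits.append((h, bool(ports & C2_PORTS)))
    return hits


# Constructed sample registry export and connection log (not real captures).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Backup"="C:\\Program Files\\Backup\\agent.exe /minimized"
"qwhsd"="C:\\Users\\alice\\qwhsd.exe /e"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''
SAMPLE_LOG = [
    "2012-11-28T10:02:11Z src=10.0.0.5 dst=ns1.helpupdater.net:8000 proto=tcp",
    "2012-11-28T10:02:12Z src=10.0.0.5 dst=www.example.com:443 proto=tcp",
    "2012-11-28T10:05:40Z src=10.0.0.7 dst=ns1.helpchecks.net:9004 proto=tcp",
]

if __name__ == "__main__":
    for f in check_registry_export(SAMPLE_REG):
        print("registry:", f)
    for host, on_port in match_c2(SAMPLE_LOG):
        print("network:", host, "(listed port)" if on_port else "")
```

The Run check anchors on a single-letter switch after an .exe path, so a benign entry such as `agent.exe /minimized` is not flagged while `qwhsd.exe /e` is; the two sample log lines that name listed domains are both reported with their ports matching the profile.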

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).
