WORM_OTORUN.ED

This worm may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself in all removable and physical drives found in the system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It opens a hidden Internet Explorer window.

It also has rootkit capabilities, which enables it to hide its processes and files from the user.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This worm may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following files:

• %Windows%\Fonts\ielcq.dll
• %Windows%\Fonts\swvwc.dll
• %User Profile%\Local Settings\Temp~swv.tmp

(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %Program Files%\Common Files\SysAnti.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It injects threads into the following normal process(es):

• svchost.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
SysAnti = "%Program Files%\Common Files\SysAnti.exe"

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\swv
ImagePath = "%User Profile%\Local Settings\Temp~swv.tmp"

Propagation

This worm drops copies of itself in all removable and physical drives found in the system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
Open=SysAnti.exe
Shell\Open=´ò¿ª(&O)
Shell\Open\Command=SysAnti.exe
Shell\Open\Default=1
Shell\Explore=×ÊÔ´¹ÜÀíÆ÷(&X)
Shell\Explore\Command=SysAnti.exe

Backdoor Routine

This worm opens a hidden Internet Explorer window.

Rootkit Capabilities

This worm also has rootkit capabilities, which enables it to hide its processes and files from the user.

Download Routine

This worm connects to the following malicious URLs:

• {BLOCKED}m.com.cn
• www.{BLOCKED}51.net.cn

HOSTS File Modification

This worm overwrites the system's HOSTS files to prevent users from accessing the following websites:

• www.360.cn
• www.360safe.cn
• www.360safe.com
• www.chinakv.com
• www.rising.com.cn
• rising.com.cn
• dl.jiangmin.com
• jiangmin.com
• www.jiangmin.com
• www.duba.net
• www.eset.com.cn
• www.nod32.com
• shadu.duba.net
• union.kingsoft.com
• www.kaspersky.com.cn
• kaspersky.com.cn
• virustotal.com
• virscan.org
• www.virscan.org
• www.kaspersky.com
• www.cnnod32.cn
• www.lanniao.org
• www.nod32club.com
• www.dswlab.com
• bbs.sucop.com
• www.virustotal.com
• tool.ikaka.com
• 360.qihoo.com
• www.kafan.cn
• bbs.kafan.cn

NOTES:

It creates the following registry entries to hijack several applications:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options\{application name}
Debugger = "ntsd -d"

The values in {application name} are as follows:

• 360Safe.exe
• 360hotfix.exe
• 360rpt.exe
• 360safebox.exe
• 360tray.exe
• AgentSvr.exe
• AntiArp.exe
• AppSvc32.exe
• AutoGuarder.exe
• AvMonitor.exe
• CCenter.exe
• FTCleanerShell.exe
• FileDsty.exe
• HijackThis.exe
• IceSword.exe
• Iparmor.exe
• IsHelp.exe
• KASMain.exe
• KASTask.exe
• KAV32.exe
• KAVDX.exe
• KAVPFW.exe
• KAVSetup.exe
• KAVStart.exe
• KISLnchr.exe
• KMFilter.exe
• KMailMon.exe
• KPFW32.exe
• KPFW32X.exe
• KPFWSvc.exe
• KRepair.COM
• KVCenter.kxp
• KVMonXP.kxp
• KVMonXP_1.kxp
• KVScan.kxp
• KVSrvXP.exe
• KVStub.kxp
• KWatch.exe
• KWatch9x.exe
• KWatchX.exe
• KaScrScn.SCR
• KsLoader.exe
• KvDetect.exe
• KvReport.kxp
• KvXP.kxp
• KvXP_1.kxp
• KvfwMcl.exe
• LiveUpdate360.exe
• MagicSet.exe
• NAVSetup.exe
• PFW.exe
• PFWLiveUpdate.exe
• QHSET.exe
• RSTray.exe
• Ras.exe
• Rav.exe
• RavCopy.exe
• RavMon.exe
• RavMonD.exe
• RavStore.exe
• RavStub.exe
• RavTask.exe
• RegClean.exe
• RegEx.exe
• RfwMain.exe
• RsAgent.exe
• RsMain.exe
• Rsaupd.exe
• SREng.exe
• SREngPS.exe
• ScanFrm.exe
• SmartUp.exe
• SysSafe.exe
• Syscheck2.exe
• ToolsUp.exe
• TrojDie.kxp
• TrojanDetector.exe
• Trojanwall.exe
• UIHost.exe
• UmxAgent.exe
• UmxAttachment.exe
• UmxCfg.exe
• UmxFwHlp.exe
• UmxPol.exe
• UpLive.exe
• WoptiClean.exe
• adam.exe
• arvmon.exe
• autoruns.exe
• avgrssvc.exe
• avp.com
• avp.exe
• ccSvcHst.exe
• findt2005.exe
• iparmo.exe
• isPwdSvc.exe
• kabaload.exe
• killhidepid.exe
• kvfw.exe
• kvol.exe
• kvolself.exe
• kvupload.exe
• kvwsc.exe
• loaddll.exe
• mcconsol.exe
• mmqczj.exe
• mmsk.exe
• nod32krn.exe
• nod32kui.exe
• ravt08.exe
• rfwProxy.exe
• rfwcfg.exe
• rfwolusr.exe
• rfwsrv.exe
• rsnetsvr.exe
• runiep.exe
• safebank.exe
• safeboxTray.exe
• safelive.exe
• scan32.exe
• shcfg32.exe
• smartassistant.exe
• symlcsvc.exe
• syscheck.exe
• zxsweep.exe