arrow_back
search
close

WORM_AUTORUN.EUB

October 09, 2012
 Analysis by: Erika Bianca Mendoza
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This worm arrives by connecting affected removable drives to a system. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself in all removable and physical drives found in the system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

524,288 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

23 Aug 2011

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\ctfmem.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
cftmam = %System%\ctfmem.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
ctfmam = %System%\ctfmem.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
ctfmam = %System%\ctfmem.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
cftm = %System%\cftm.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
cftm = %System%\cftm.exe

HKEY_LOCAL_MACHINE\oftware\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
cftm = %System%\cftm.exe

Propagation

This worm drops copies of itself in all removable and physical drives found in the system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open={malware name}
shell\open\Command={malware name}
shell\open\Default={malware name}
shell\explore\Command={malware name}

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • http://www.{BLOCKED}myip.com/automation/n09230945.asp