WORM_RENOCIDE.DW
Windows 2000, Windows XP, Windows Server 2003
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
940,890 bytes
EXE
No
10 Apr 2012
Arrival Details
This worm arrives by connecting affected removable drives to a system.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\38653843.exe
- %System%\csrcs.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It terminates the execution of the copy it initially executed and executes the copy it drops instead.
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
csrcs = "%System%\csrcs.exe"
It modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe csrcs.exe"
(Note: The default value data of the said registry entry is Explorer.exe.)
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
ilop = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix1 = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
exp1 = "{random hex}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
dreg = "{random hex}"
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
Propagation
This worm drops the following copy(ies) of itself in all removable drives:
- {random}.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
;{garbage characters}
[AuTOrUn
;{garbage characters}
open={random}.exe
;{garbage characters}
shell\open\Command={random}.exe
;{garbage characters}
shell\open\Default=1
;{garbage characters}
Other Details
This worm connects to the following URL(s) to get the affected system's IP address:
- http://www.whatismyip.com/automation/n09230945.asp
It connects to the following possibly malicious URL:
- http://{BLOCKED}fdone.com:4800/po.php
- http://{BLOCKED}fdone.com:4800/banner.gif
- http://{BLOCKED}.19.236:4700/fruits.htm
NOTES:
It accesses the following torrent sites:
- http://thepiratebay.org/top/401
- http://thepiratebay.se/top/401
- http://isohunt.com/torrents/?iht=4&ihs1=2&age=0