WORM_IMAUT.IA

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself into all the removable drives connected to an affected system.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\WinSit.exe
• %System%\config\Win.exe
• %Windows%\dc.exe
• %Windows%\SVIQ.EXE
• %Windows%\Help\Other.exe
• %Windows%\inf\Other.exe
• %Windows%\system\Fun.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following files:

• %Windows%\wininit.ini
• %System%\Penx.dat
• %System%\Xpen.dat

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
imscmig = "%Windows%\imscmig.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
dc2k5 = "%Windows%\SVIQ.EXE"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Fun = "%Windows%\system\Fun.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
dc = "%Windows%\dc.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
run = "%System%\config\Win.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
load = "%Windows%\inf\Other.exe"

(Note: The default value data of the said registry entry is "".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %System%\WinSit.exe"

(Note: The default value data of the said registry entry is "Explorer.exe".)

Propagation

This worm drops copies of itself into all the removable drives connected to an affected system.

Download Routine

This worm connects to the following malicious URLs:

• http://dungcoivb.{BLOCKED}pages.com/ND.txt

As of this writing, the said sites are inaccessible.

NOTES:
Copies of this worm use the names of the folders located on these removable drives as their file names.