Worm.Win32.ONLINEG.BJII
Worm:Win32/Taterf.AA(Microsoft), Trojan-GameThief.Win32.OnLineGames.tne(Kaspersky)
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
103,516 bytes
EXE
No
04 Mar 2011
Arrival Details
This Worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Worm drops the following copies of itself into the affected system:
- %System Root%\b.com
It drops the following files:
- %System%\amvo0.dll
- %System%\{random filename}.sys
- %System%\autorun.inf
- %User Temp%\r894w8s.dll
- %User Temp%\{random filename}.sys
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)
Autostart Technique
This Worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
amva = %System%\amvo.exe
Other System Modifications
This Worm modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = 0
Propagation
This Worm drops the following copies of itself in all physical and removable drives:
- {Drive Letter}:\b.com
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
;4s5wiksiwk9olKd2AKrDikw4rr3k1a5aikKwwadr1koJjc3qLkSid6esSwi4rwe3ok2lomKZf3e5p
[AutoRun]
;klp4a3d93sowof5SJKO2a1olceA
open=b.com
;idokailDw17kl8ZwKSc21lwdDse34iDlaXlao9s7wsKjAJdAKlalZa2rrakS1ki244qkKFfpq4koJ3LLlkAqaLdA4s30iDrisiefS2nsss8a1ds9rqpdA5Sa51a
shell\open\Command=b.com
;Zsf148pkK3JKLAodwLDrsl03cjrL32Jljksia8we2ekfkok24wkjiDs4iD3
shell\open\Default=1
;Jra5jco24KODiwaLl1K5awk5Aaskrksi4ld4fA29Dio2LsD1fjko3eesS3kwidjrA7qCd33J4ia6ow4sK0oZa283
shell\explore\Command=b.com
;aAs4wcK9rfqDe5akoiAs52j