BAT_AUTORUN.AA
Aliases: Worm:BAT/Autorun.AE (Microsoft), BAT/Autorun.BZ worm (Eset), Worm.BAT.Autorun (Ikarus)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm may arrive bundled with malware packages as a malware component.
It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops. It is a component of other malware.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It modifies certain registry entries so that Windows Explorer does not display files marked Hidden or System.
TECHNICAL DETAILS
File Size: 3912 bytes
File Type: BAT
Memory Resident: No
Initial Samples Received Date: 19 Nov 2012
Arrival Details
This worm may arrive bundled with malware packages as a malware component.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\windoxp.cmd
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.
It is a component of other malware.
Autostart Technique
The scheduled task runs the malware on the following schedule:
- every 1 minute, starting at 7:43, for a duration of 24 hours, every day, starting 11/21/2012
Other System Modifications
This worm modifies the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
RegistredOwner = "KUZC-R"
(Note: The default value data of the said registry entry is {random computer name}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion
RegisteredOrganization = "Mexico (Veracruz)"
(Note: The default value data of the said registry entry is {random}.)
Propagation
This worm drops the following copies of itself into the root of all physical and removable drives:
- {Drive Letter}\windoxp.cmd
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
shellexecute=windoxp.cmd
icon=icon.ico
Process Termination
This worm terminates the following processes if found running in the affected system's memory:
- Internet Explorer
- Mozilla Firefox
- MSN Messenger
- Task Manager
Other Details
This worm modifies the following registry entries so that Windows Explorer does not display files marked Hidden or System:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "00000000"
(Note: The default value data of the said registry entry is 00000001.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "00000000"
(Note: The default value data of the said registry entry is 00000001.)
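The following is an added example, not Trend Micro's code or the worm's own script. It is an offline triage script covering the three artifact types described above: the AUTORUN.INF launcher in the Propagation section (it also handles the open= and shell\verb\command= forms that other autorun worms use, not just shellexecute=), the scheduled task from the Installation and Autostart Technique sections, and the two Explorer\Advanced registry values from Other Details. All inputs are constructed inline: the autorun.inf text mirrors the strings listed on this page, the task listing uses a column subset modelled on `schtasks /query /fo csv /v` with a hypothetical task name (the page does not give one), and the registry values are passed in as a plain dictionary. On a live Windows host the same functions would be fed the real files, the real `schtasks` output and the exported registry values.

```python
"""Offline IOC triage for the BAT_AUTORUN.AA behaviour described on this page.

Added example, not Trend Micro's or the sample's own code. Inputs are
constructed so the script runs on any platform.
"""
import csv
import io
import re

DROPPED_NAME = "windoxp.cmd"                 # copy dropped in %System% and every drive root
HIDE_VALUES = ("ShowSuperHidden", "Hidden")  # Explorer\Advanced values the worm sets to 0

# Keys in the [autorun] section that make Explorer launch a program.
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def autorun_targets(inf_text):
    """Return the programs an AUTORUN.INF would launch, in file order.

    Hand-parsed rather than via configparser, because autorun.inf keys
    contain backslashes and stray lines that configparser rejects.
    """
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if _LAUNCH_KEY.match(key.lower()):
                targets.append(value)
    return targets


def suspicious_tasks(schtasks_csv):
    """Return names of scheduled tasks whose command runs the dropped script."""
    reader = csv.DictReader(io.StringIO(schtasks_csv))
    return [row["TaskName"] for row in reader
            if DROPPED_NAME in row.get("Task To Run", "").lower()]


def hidden_file_tampering(advanced_values):
    """Return the Explorer\\Advanced values forced to 0, as the worm does
    (this page gives 1 as the pre-infection value for both)."""
    return [name for name in HIDE_VALUES if advanced_values.get(name) == 0]


def triage(inf_text, schtasks_csv, advanced_values):
    """Combine the three checks into one list of findings."""
    findings = []
    for target in autorun_targets(inf_text):
        if target.lower().endswith((".cmd", ".bat")) or DROPPED_NAME in target.lower():
            findings.append(f"autorun.inf launches script: {target}")
    for name in suspicious_tasks(schtasks_csv):
        findings.append(f"scheduled task runs {DROPPED_NAME}: {name}")
    for name in hidden_file_tampering(advanced_values):
        findings.append(f"Explorer\\Advanced\\{name} forced to 0")
    return findings


# --- constructed sample artifacts (not captured from a real infection) ---
SAMPLE_AUTORUN_INF = "[autorun]\nshellexecute=windoxp.cmd\nicon=icon.ico\n"

# Column subset modelled on `schtasks /query /fo csv /v`; the task name is hypothetical.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Task To Run","Repeat: Every"\n'
    '"PC1","updater","C:\\WINDOWS\\system32\\windoxp.cmd","0:01:00"\n'
    '"PC1","Backup","C:\\Tools\\backup.exe","Disabled"\n'
)

SAMPLE_ADVANCED = {"ShowSuperHidden": 0, "Hidden": 0, "HideFileExt": 1}

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN_INF, SAMPLE_SCHTASKS_CSV, SAMPLE_ADVANCED):
        print(finding)
```

The autorun.inf parser only honours keys inside the [autorun] section, which is what Windows itself reads, so a launcher placed in some other section is correctly ignored. On a live host, a positive finding from all three checks together is a strong match for this family; the Task Scheduler and drive-root copies are what need removing, since the %System% copy is re-launched every minute by the task.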