WORM_AUTORUN.KMO

This worm creates folders where it drops its files. It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It downloads a file from a certain URL then renames it before storing it in the affected system.

Installation

This worm drops the following copies of itself into the affected system:

• %system%\36D0F1\2ADE6B.EXE

It drops the following files:

• %system%\10A216\krnln.fnr
• %system%\10A216\shell.fne
• %system%\10A216\eAPI.fne
• %system%\10A216\internet.fne
• %system%\10A216\spec.fne
• %system%\10A216\RegEx.fnr
• %system%\10A216\dp1.fne
• %system%\10A216\com.run
• %system%\B55985\0f10.inf
• %system%\B55985\16eb.inf
• %system%\B55985\16eb.EDT

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It uses the following names for the copies it drops:

• ¡¡.exe
• ¡¡¡¡.exe
• ¡¡¡¡¡¡.exe
• Notepad.exe

Propagation

This worm drops copies of itself into all the removable drives connected to an affected system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open=Notepad.exe
shell\1=´ò¿ª(&O)
shell\1\Command=Notepad.exe
shell\2\=ä¯ÀÀ(&B)
shell\2\Command=Notepad.exe
shellexecute=Notepad.exe

Download Routine

This worm downloads files from the following URLs then renames them before storage in the affected system:

• http://www.{BLOCKED}8.com/f/tc13.gif - detected as WORM_FLYSTUD.SMA
• http://www.{BLOCKED}8.com/f/gc13.gif - detected as WORM_FLYSTUD.SMA