WORM_AGENT.STO
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives when an infected removable drive is connected to a system.
It drops an AUTORUN.INF file so that the copies it drops are executed automatically when a user opens the drives of an affected system.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
File Size: 758,272 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 05 Mar 2009
Arrival Details
This worm arrives when an infected removable drive is connected to a system.
Installation
This worm drops the following copies of itself into the affected system:
- %System Root%\autorun.pif
- %Windows%\svchost.exe
(Note: %System Root% is the root folder, usually C:\, which is also where the operating system is installed. %Windows% is the Windows folder, usually C:\Windows or C:\WINNT. The legitimate svchost.exe lives in %System%, usually C:\Windows\System32, not directly in %Windows%.)
Autostart Technique
This worm registers itself as a system service so that it runs at every system startup, adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRKNETSSVCS\0000
Service = "TrkNetsSvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRKNETSSVCS\0000
DeviceDesc = "Distributed Link Tracking Servers"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRKNETSSVCS\0000\Control
ActiveService = "TrkNetsSvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkNetsSvcs
ImagePath = "%Windows%\svchost.exe -netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkNetsSvcs
DisplayName = "Distributed Link Tracking Servers"
(Note: The ImagePath points at the dropped copy in %Windows%, not at the legitimate svchost.exe in %System%, and its "-netsvcs" switch imitates the "-k netsvcs" argument of genuine service-host instances. The service name and display name mimic the legitimate Distributed Link Tracking Client service, TrkWks. The LEGACY_TRKNETSSVCS entries under Enum\Root are created by the Service Control Manager when the service first starts, so they are a by-product of the registration rather than something the worm needs to write itself.)
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRKNETSSVCS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkNetsSvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRKNETSSVCS\0000
It adds the dropped copy to the Windows Firewall list of authorized applications, so that the firewall does not block its network traffic, by creating the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%Windows%\svchost.exe = "%Windows%\svchost.exe:*:Enabled:svchost.exe"
Propagation
This worm drops the following copy(ies) of itself in all removable drives:
- autorun.pif
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[AutoRun]
open=autorun.pif
shell\1=打开(&O)
shell\1\Command=autorun.pif
shell\2\=浏览(&B)
shell\2\Command=autorun.pif
shellexecute=autorun.pif
(Note: The two shell\ labels are GBK-encoded Chinese, 打开(&O) meaning "Open" and 浏览(&B) meaning "Browse", so on a Chinese-locale system the worm's entries look like ordinary drive context-menu items; viewed as Latin-1 they appear as mojibake. Every directive, including both custom menu commands, runs the dropped autorun.pif, so the copy executes whether the user double-clicks the drive, picks a menu entry, or lets AutoPlay handle the insertion.)
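The following Python routine is an added example (not part of this entry and not Trend Micro code) of triaging an AUTORUN.INF pulled off a removable drive: it decodes the file with a GBK fallback so the Chinese menu labels above stay readable instead of turning into mojibake, then flags every open=, shellexecute= and shell\<verb>\command= directive whose target is an executable file type, which is what distinguishes the worm's file from a benign one that only sets an icon or label. The sample bytes are constructed to reproduce the directives listed above; the list of executable extensions is an assumption.

```python
"""Triage an AUTORUN.INF taken from a removable drive (added example)."""
import ntpath
import re
from typing import Dict, List, Tuple

# File types that should never be the target of an autorun directive on a removable
# drive (assumed list; extend as needed).
EXEC_EXTENSIONS = {".exe", ".pif", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample reproducing the directives listed above. The two menu labels are the
# raw GBK bytes of the Chinese strings, which display as mojibake when read as Latin-1.
SAMPLE_AUTORUN_INF = (
    b"[AutoRun]\r\n"
    b"open=autorun.pif\r\n"
    b"shell\\1=\xb4\xf2\xbf\xaa(&O)\r\n"
    b"shell\\1\\Command=autorun.pif\r\n"
    b"shell\\2\\=\xe4\xaf\xc0\xc0(&B)\r\n"
    b"shell\\2\\Command=autorun.pif\r\n"
    b"shellexecute=autorun.pif\r\n"
)

_LABEL_KEY = re.compile(r"shell\\([^\\]+)\\?")       # shell\<verb>  or  shell\<verb>\
_COMMAND_KEY = re.compile(r"shell\\[^\\]+\\command")  # shell\<verb>\command


def decode_inf(raw: bytes) -> str:
    """Try UTF-8, then GBK (cp936), then Latin-1 so labels from Chinese-locale worms stay readable."""
    for codec in ("utf-8", "cp936"):
        try:
            return raw.decode(codec)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [AutoRun] section with keys lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(raw: bytes) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Return (suspicious (directive, target) pairs, verb -> custom context-menu label)."""
    suspicious: List[Tuple[str, str]] = []
    labels: Dict[str, str] = {}
    for key, value in parse_autorun(decode_inf(raw)).items():
        label = _LABEL_KEY.fullmatch(key)
        if label:
            labels[label.group(1)] = value
            continue
        if key in ("open", "shellexecute") or _COMMAND_KEY.fullmatch(key):
            target = value.split()[0].strip('"') if value else ""
            if ntpath.splitext(target.lower())[1] in EXEC_EXTENSIONS:
                suspicious.append((key, target))
    return suspicious, labels


if __name__ == "__main__":
    hits, menu = triage_autorun(SAMPLE_AUTORUN_INF)
    for directive, target in hits:
        print(f"{directive} -> {target}")
    for verb, label in menu.items():
        print(f"menu entry {verb}: {label}")
```

The GBK-first fallback is a heuristic: a byte sequence that happens to be valid UTF-8 is taken as UTF-8, so for files from other locales pass the bytes through the matching codec explicitly.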
Other Details
This worm deletes the initially executed copy of itself.