WORM_AUTORUN.IJB

This worm drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\{random filename}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

• %User Temp%\E_4

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Other System Modifications

This worm deletes the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\TypedURLs

Propagation

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open=Recycled.exe
shell\1=´ò¿ª(&O)
shell\1\Command=Recycled.exe
shell\2\=ä¯ÀÀ(&B)
shell\2\Command=Recycled.exe
shellexecute=Recycled.exe

Dropping Routine

This worm drops the following files:

• %System%\ul.dll - non-malicious file
• %System%\og.dll - non-malicious file
• %System%\og.EDT - non-malicious file
• %System%\krnln.fnr - also detected as WORM_AUTORUN.IJB
• %System%\shell.fne - also detected as WORM_AUTORUN.IJB
• %System%\eAPI.fne - also detected as WORM_AUTORUN.IJB
• %System%\internet.fne - also detected as WORM_AUTORUN.IJB
• %System%\spec.fne - also detected as WORM_AUTORUN.IJB
• %System%\RegEx.fnr - also detected as WORM_AUTORUN.IJB
• %System%\dp1.fne - also detected as WORM_AUTORUN.IJB
• %System%\com.run - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\krnln.fnr - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\shell.fne - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\eAPI.fne - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\internet.fne - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\spec.fne - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\RegEx.fnr - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\dp1.fne - also detected as WORM_AUTORUN.IJB
• %User Temp%\E_4\com.run - also detected as WORM_AUTORUN.IJB
• %User Startup%\{ random filename}.lnk - non-malicious file

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

NOTES:

Other Details

Based on analysis of the codes, it has the following capabilities:

• It searches for folders in all physical and removable drives then drop copies of itself as {folder name}.exe. It then sets the attribute of the original folder to Hidden and System to trick users into thinking that the dropped copy is the legitimate folder.