WORM_BLACKCONT.C
Windows 2000, XP, Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
299,008 bytes
PE
Yes
19 Aug 2010
Installation
This worm drops the following copies of itself into the affected system:
- %System%\HPWuSchdq.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
HP Software Updater v1.2 = %System%\HPWuSchdq.exe
Other System Modifications
This worm adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UACDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0
Propagation
This worm drops copies of itself into all the removable drives connected to an affected system.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1