WORM_OTORUN.CVK

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

It retrieves specific information from the affected system.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\dllmgr.exe
• %System Root%\OGa\RD\GOx.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\OGa
• %System Root%\OGa\RD

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Bdea

It stays memory-resident by creating remote threads:

• %Windows%\explorer.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Dll Management Service = "dllmgr.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Active Setup\Installed Components\{CLSID}

It adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Active Setup\Installed Components\{CLSID}
StubPath = "%System Root%\OGa\RD\GOx.exe"

Propagation

This worm creates the following folders in all removable drives:

• {Removable Drive Letter}:\OGa
• {Removable Drive Letter}:\OGa\RD

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=OGa\RD\GOx.exe
;ªÓÈÅÌÌüÏÐÅÎüÄÅÆÁÕÌԝ‘

;Fuck U Motha Fucka I Could have been ur Dad but the man who fucked ur mom had more change than me.
action=Open folder to view files
shell\open=Open
shell\open\command=OGa\RD\GOx.exe
shell\open\default=1

Backdoor Routine

This worm connects to any of the following IRC server(s):

• {BLOCKED}k.{BLOCKED}nix.net

It executes the following commands from a remote malicious user:

• Create Process
• Propagates itself via instant messaging applications such as MSN, AIM and Triton
• Download files/updated copy of itself
• Join IRC channel
• Terminates itself

As of this writing, the said servers are currently inaccessible.

Dropping Routine

This worm drops the following files:

• %System Root%:\OGa\RD\DesKTop.ini
• {Removable Drive Letter}:\OGa\RD\DesKTop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Information Theft

This worm retrieves the following information from the affected system:

• OS Version
• Host Name
• IP address
• Computer Name

Other Details

This worm uses the following credentials when accessing its IRC server:

• USER NAME: rmzerm3b1tch

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.