WORM_AUTORUN.ENI

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It does not have any backdoor routine.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.

It does not have any information-stealing capability.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %System Root%\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Bcuzz.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following non-malicious file:

• %System Root%\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders with attributes set to System and Hidden to prevent users from discovering and removing its components:

• %System Root%\Recycle
• %System Root%\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It injects itself into the following processes as part of its memory residency routine:

• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987893}
StubPath = "%System Root%\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Bcuzz.exe"

Other System Modifications

This worm adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987893}

Propagation

This worm creates the following folders in all removable drives:

• {Drive Letter}:\Recycle
• {Drive Letter}:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341

It drops the following copy(ies) of itself in all removable drives:

• {Drive Letter}:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Bcuzz.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Bcuzz.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Bcuzz.exe
shell\open\default=1

Backdoor Routine

This worm does not have any backdoor routine.

Download Routine

This worm connects to the following malicious URLs:

• http://www.{BLOCKED}zy.com

As of this writing, the said sites are inaccessible.

Information Theft

This worm does not have any information-stealing capability.

NOTES:

Other Details

This worm does not have rootkit capabilities.

This worm does not exploit any vulnerability.