Analysis by: Rika Joi Gregorio

ALIASES:

Worm:BAT/Autorun.AE(Microsoft), BAT/Autorun.BZ worm (Eset), Worm.BAT.Autorun (Ikarus)

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

OVERVIEW

This worm may arrive bundled with malware packages as a malware component.

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops. It is a component of other malware.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It modifies certain registry entries to hide Hidden files.

TECHNICAL DETAILS

File Size: 3912 bytes
File Type: BAT
Memory Resident: No
Initial Samples Received Date: 19 Nov 2012

Arrival Details

This worm may arrive bundled with malware packages as a malware component.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\windoxp.cmd

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

It is a component of other malware.

Autostart Technique

The scheduled task runs the malware on the following schedule:

  • every 1 minute, starting at 7:43 and repeating for 24 hours each day, beginning 11/21/2012

Other System Modifications

This worm modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner = "KUZC-R"

(Note: The default value data of the said registry entry is {random computer name}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization = "Mexico (Veracruz)"

(Note: The default value data of the said registry entry is {random}.)

Propagation

This worm drops the following copies of itself in all physical and removable drives:

  • {Drive Letter}\windoxp.cmd

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shellexecute=windoxp.cmd
icon=icon.ico

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • Internet Explorer
  • Mozilla Firefox
  • MSN Messenger
  • Task Manager

Other Details

This worm modifies the following registry entries so that Windows Explorer does not display hidden files (including its dropped copies):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "00000000"

(Note: The default value data of the said registry entry is 00000001.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "00000000"

(Note: The default value data of the said registry entry is 00000001.)