BAT_AUTORUN.AA
Worm:BAT/Autorun.AE(Microsoft), BAT/Autorun.BZ worm (Eset), Worm.BAT.Autorun (Ikarus)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm may arrive bundled with malware packages as a malware component.
It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops. It is a component of other malware.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It modifies certain registry entries so that files marked Hidden are not displayed.
TECHNICAL DETAILS
Arrival Details
This worm may arrive bundled with malware packages as a malware component.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\windoxp.cmd
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.
It is a component of other malware.
Autostart Technique
The scheduled task executes the malware every 1 minute, from 7:43 for 24 hours, every day, starting 11/21/2012.
Other System Modifications
This worm modifies the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegistredOwner = "KUZC-R"
(Note: The default value data of the said registry entry is {random computer name}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization = "Mexico (Veracruz)"
(Note: The default value data of the said registry entry is {random}.)
Propagation
This worm drops the following copies of itself in all physical and removable drives:
- {Drive Letter}\windoxp.cmd
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
shellexecute=windoxp.cmd
icon=icon.ico
Process Termination
This worm terminates the following processes if found running in the affected system's memory:
- Internet Explorer
- Mozilla Firefox
- MSN Messenger
- Task Manager
Other Details
This worm modifies the following registry entries so that files marked Hidden are not displayed:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "00000000"
(Note: The default value data of the said registry entry is 00000001.)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "00000000"
(Note: The default value data of the said registry entry is 00000001.)
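The following Python is an added triage example, not part of this entry: it parses the text of an AUTORUN.INF file and flags launch keys that point at a script or executable (including the windoxp.cmd name listed above), and it checks a dump of the Explorer\Advanced values for the two entries the worm zeroes out. The INF text and registry values are constructed samples based on the indicators in this entry.

```python
import configparser
from typing import Dict, List

# Indicators taken from the entry above.
DROPPED_NAME = "windoxp.cmd"
LAUNCHABLE_EXTENSIONS = (".cmd", ".bat", ".exe", ".scr", ".pif", ".vbs")
# Explorer\Advanced values the worm sets to 0 (entry gives 00000001 as default).
EXPLORER_HIDE_VALUES = ("ShowSuperHidden", "Hidden")

def triage_autorun_inf(text: str) -> List[str]:
    """Return findings for the text of an AUTORUN.INF file (empty list = nothing flagged)."""
    findings: List[str] = []
    # INF files are INI-like; '=' is the only delimiter so paths with ':' parse cleanly.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str.lower  # INF keys are case-insensitive
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable autorun.inf: {exc}"]
    if not cp.has_section("autorun"):
        return findings
    for key, value in cp.items("autorun"):
        target = value.strip().strip('"').lower()
        # 'open' and 'shellexecute' run a file when the drive is accessed;
        # 'shell\<verb>\command' entries rewrite the drive's context-menu actions.
        if key in ("open", "shellexecute") or key.startswith("shell\\"):
            if target.endswith(LAUNCHABLE_EXTENSIONS):
                findings.append(f"{key} launches {target}")
            if DROPPED_NAME in target:
                findings.append(f"{key} references known dropped file {DROPPED_NAME}")
    return findings

def check_explorer_values(values: Dict[str, int]) -> List[str]:
    """Flag Explorer\\Advanced values set to 0, which hides Hidden/system files."""
    return [f"{name}=0" for name in EXPLORER_HIDE_VALUES if values.get(name) == 0]

# Constructed samples mirroring the entry's indicators.
SAMPLE_INF = "[autorun]\nshellexecute=windoxp.cmd\nicon=icon.ico\n"
SAMPLE_EXPLORER_VALUES = {"ShowSuperHidden": 0, "Hidden": 0}

if __name__ == "__main__":
    for finding in triage_autorun_inf(SAMPLE_INF) + check_explorer_values(SAMPLE_EXPLORER_VALUES):
        print("FLAG:", finding)
```

On a live host the registry dump would come from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and the INF text from the root of each drive; both functions work on whatever you pass in.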