WORM_AGENT.STO
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives by connecting affected removable drives to a system.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
Arrival Details
This worm arrives by connecting affected removable drives to a system.
Installation
This worm drops the following copies of itself into the affected system:
- %System Root%\autorun.pif
- %Windows%\svchost.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_TRKNETSSVCS\
0000
Service = "TrkNetsSvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_TRKNETSSVCS\
0000
DeviceDesc = "Distributed Link Tracking Servers"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_TRKNETSSVCS\
0000\Control
ActiveService = "TrkNetsSvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\TrkNetsSvcs
ImagePath = "%Windows%\svchost.exe -netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\TrkNetsSvcs
DisplayName = "Distributed Link Tracking Servers"
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_TRKNETSSVCS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\TrkNetsSvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_TRKNETSSVCS\
0000
It creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%WINDOWS%\svchost.exe = "%WINDOWS%\svchost.exe:*:Enabled:svchost.exe"
Propagation
This worm drops the following copy(ies) of itself in all removable drives:
- autorun.pif
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[AutoRun]
open=autorun.pif
shell\1=´ò¿ª(&O)
shell\1\Command=autorun.pif
shell\2\=ä¯ÀÀ(&B)
shell\2\Command=autorun.pif
shellexecute=autorun.pif
Other Details
This worm deletes the initially executed copy of itself