WORM_AUTORUN
Fujacks
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
AUTORUN is a family of worms that propagates through physical, removable and network drives and leaves a file named AUTORUN.INF. This file is used to automatically execute the malware each time the infected drive is accessed.
Variants of AUTORUN are also capable of downloading other malware, compromising the affected computer's security by way of having backdoor routines, and disabling security related applications or services by way of process termination.
Some AUTORUN variants are known as FUJACKS. These variants are file infectors that spread using the same AUTORUN propagation methods, and it also infects certain file types as additional means of spreading.
TECHNICAL DETAILS
Installation
This worm drops the following files:
- %System Root%\go.sys
- %Program Files%\WinRAR\myrar.txt
- {drive letter}:\autorun.inf
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It drops the following copies of itself into the affected system:
- %System%\drivers\TXPlatform.exe
- %System%\secpol.exe
- %System%\wuauc1t.exe
- %System%\SVSH0ST.EXE
- %System%\c0n1me.exe
- {drive letter}:\¡¡¡¡¡¡.exe
- {drive letter}:\UFO.exe
- {drive letter}:\ explorer.exe
- {drive letter}:\niu.exe
- {drive letter}:\MSDOS.PIF
- {shared folder}\ Cool_GameSetup.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Explorer = "%System%\drivers\TXPlatform.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
svchost = "%System%\SVSH0ST.EXE"
It modifies the following registry entries to ensure it automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%System%\secpol.exe,"
(Note: The default value data of the said registry entry is %System%\userinit.exe,.)
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\xx931
It adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}
Debugger = "ntsd -d"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}
Debugger = "%System%\c0n1me.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\xx931
Userinit = "%System%\userinit.exe,%System%\secpol.exe,"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
WindowsUpdate
DisableWindowsUpdateAccess = "1"
HKEY_CURRENT_USER\Software\Policies\
Microsoft\Internet Explorer\Control Panel
HomePage = "1"
It modifies the following registry entries:
HKEY_CLASSES_ROOT\HTTP\shell\
open\command
{default} = ""%Program Files%\InternetExplorer\iexplore.exe" -nohome"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HTTP\shell\open\
command
{default} = ""%Program Files%\InternetExplorer\iexplore.exe" -nohome"
(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = "80"
(Note: The default value data of the said registry entry is 91.)
It modifies the following registry entries to hide files with Hidden attributes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "3"
(Note: The default value data of the said registry entry is 1.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_WSCSVC
Where {application name} may be any of the following:
- 360Safe.exe
- 360rpt.EXE
- 360safe.EXE
- 360tray.EXE
- 360tray.exe
- ANTIARP.EXE
- AVP.EXE
- AVP.exe
- Ast.EXE
- AutoRunKiller.EXE
- AvMonitor.EXE
- CCenter.EXE
- CCenter.exe
- Frameworkservice.EXE
- GFUpd.EXE
- GuardField.EXE
- IceSword.EXE
- Iparmor.EXE
- KASARP.EXE
- KRegEx.EXE
- KVMonxp.kxp
- KVSrvXP.EXE
- KVWSC.EXE
- Mmsk.EXE
- Navapsvc.EXE
- Nod32kui.EXE
- RAS.EXE
- RavMon.exe
- RavMonD.exe
- RavStub.exe
- RavTask.exe
- Regedit.EXE
- Runiep.EXE
- VPC32.EXE
- VPTRAY.EXE
- WOPTILITIES.EXE
- Wuauclt.EXE
- ~.EXE
Other Details
This worm connects to the following possibly malicious URL:
- http://www.{BLOCKED}g08.com/down/down.txt
- http://{BLOCKED}m.com/2005/p/21yjxm.com/1907/jp/logip.php
- http://{BLOCKED}o.com.com/TJ.asp
- http://{BLOCKED}o.com/xia.exe
- http://{BLOCKED}o.com/wangma.exe
- http://2.{BLOCKED}8.com/dd/1.exe
- http://2.{BLOCKED}8.com/dd/10.exe
- http://2.{BLOCKED}8.com/dd/11.exe
- http://2.{BLOCKED}8.com/dd/12.exe
- http://2.{BLOCKED}8.com/dd/13.exe
- http://2.{BLOCKED}8.com/dd/14.exe
- http://2.{BLOCKED}8.com/dd/15.exe
- http://2.{BLOCKED}8.com/dd/16.exe
- http://2.{BLOCKED}8.com/dd/17.exe
- http://2.{BLOCKED}8.com/dd/2.exe
- http://2.{BLOCKED}8.com/dd/3.exe
- http://2.{BLOCKED}8.com/dd/4.exe
- http://2.{BLOCKED}8.com/dd/5.exe
- http://2.{BLOCKED}8.com/dd/6.exe
- http://2.{BLOCKED}8.com/dd/7.exe
- http://2.{BLOCKED}8.com/dd/8.exe
- http://2.{BLOCKED}8.com/dd/9.exe
- http://2.{BLOCKED}8.com/dd/ar.exe
- http://2.{BLOCKED}8.com/dd/do.exe
- http://2.{BLOCKED}8.com/dd/gz.exe
- http://2.{BLOCKED}8.com/dd/self.gif