WORM_AUTORUN.FKI

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Application Data%\Powerfile.exe
• %Application Data%\Powerfile.exe.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Explorer = %Application Data%\PowerFile.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Firewall = %Application Data%\PowerFile.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Application Data%\\PowerFile.exe = %Application Data%\PowerFile.exe:*:Enabled:Messenger

Propagation

This worm drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

• n Local\Datos de programa\Ares\My Shared Folder\
• programfiles\eMule\Incoming

It drops the following copies of itself in all physical and removable drives:

• My Pictures.exe
• My Videos.exe
• XXX Files.exe
• setup.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Abrir carpeta para ver archivos
shell\open=Abrir
shell\open\command=setup.exe
shell\open\default=1

Dropping Routine

This worm drops the following files:

• %User Temp%\archivo1.exe
• %User Temp%\{random}_appcompat.txt
• %User Temp%\{random}.dmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

HOSTS File Modification

This worm adds the following strings to the Windows HOSTS file:

• 127.0.0.1 avp.com
• 127.0.0.1 ca.com
• 127.0.0.1 customer.symantec.com
• 127.0.0.1 dispatch.mcafee.com
• 127.0.0.1 download.mcafee.com
• 127.0.0.1 f-secure.com
• 127.0.0.1 kaspersky.com
• 127.0.0.1 kaspersky-labs.com
• 127.0.0.1 liveupdate.symantec.com
• 127.0.0.1 liveupdate.symantecliveupdate.com
• 127.0.0.1 mast.mcafee.com
• 127.0.0.1 mcafee.com
• 127.0.0.1 microsoft.com
• 127.0.0.1 my-etrust.com
• 127.0.0.1 nai.com
• 127.0.0.1 networkassociates.com
• 127.0.0.1 pandasoftware.com
• 127.0.0.1 rads.mcafee.com
• 127.0.0.1 secure.nai.com
• 127.0.0.1 securityresponse.symantec.com
• 127.0.0.1 sophos.com
• 127.0.0.1 symantec.com
• 127.0.0.1 trendmicro.com
• 127.0.0.1 updates.symantec.com
• 127.0.0.1 update.symantec.com
• 127.0.0.1 us.mcafee.com
• 127.0.0.1 viruslist.com
• 127.0.0.1 virustotal.com
• 127.0.0.1 www.avp.com
• 127.0.0.1 www.f-secure.com
• 127.0.0.1 www.grisoft.com
• 127.0.0.1 www.kaspersky.com
• 127.0.0.1 www.mcafee.com
• 127.0.0.1 www.microsoft.com
• 127.0.0.1 www.moneybookers.com
• 127.0.0.1 www.my-etrust.com
• 127.0.0.1 www.nai.com
• 127.0.0.1 www.networkassociates.com
• 127.0.0.1 www.pandasoftware.com
• 127.0.0.1 www.sophos.com
• 127.0.0.1 www.symantec.com
• 127.0.0.1 www.trendmicro.com
• 127.0.0.1 www.virustotal.com
• 127.0.0.1 u20.eset.com
• 127.0.0.1 u21.eset.com
• 127.0.0.1 u22.eset.com
• 127.0.0.1 u23.eset.com
• 127.0.0.1 u24.eset.com
• 127.0.0.1 89.202.157.135
• 127.0.0.1 89.202.157.136
• 127.0.0.1 89.202.157.137
• 127.0.0.1 89.202.157.138
• 127.0.0.1 89.202.157.139
• 127.0.0.1 u30.eset.com
• 127.0.0.1 u31.eset.com
• 127.0.0.1 u32.eset.com
• 127.0.0.1 u33.eset.com
• 127.0.0.1 u34.eset.com
• 127.0.0.1 u35.eset.com
• 127.0.0.1 u36.eset.com
• 127.0.0.1 u37.eset.com
• 127.0.0.1 u38.eset.com
• 127.0.0.1 u39.eset.com
• 127.0.0.1 u40.eset.com
• 127.0.0.1 u41.eset.com
• 127.0.0.1 u42.eset.com
• 127.0.0.1 u43.eset.com
• 127.0.0.1 u44.eset.com
• 127.0.0.1 u45.eset.com
• 127.0.0.1 u46.eset.com
• 127.0.0.1 u47.eset.com
• 127.0.0.1 u48.eset.com
• 127.0.0.1 u49.eset.com

Other Details

Based on analysis of the codes, it has the following capabilities:

• It connects to the following IP address using port 83:
• 69.65.19.116

It does the following:

• It searches for folders in all physical and removable drives then drop copies of itself as {folder name}.exe. It then sets the attribute of the original folder to Read-Only, Hidden, and System to trick users into thinking that the dropped copy is the legitimate folder.