WORM_AUTORUN.GOE
VirTool:Win32/VBInject.AQ (Micorsoft); W32/Autorun.worm.fx (McAfee); Worm.Win32.AutoRun.fpc (Kaspersky)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
Installation
This worm drops the following files:
- %System Root%\RESTORE\{random SID}\Desktop.ini
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It drops the following copies of itself into the affected system:
- %System Root%\RESTORE\{random SID}\Ogard.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\RESTORE\{random SID}
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}
StubPath = "%System Root%\RESTORE\{random SID}\Ogard.exe"
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}
Propagation
This worm drops the following copy(ies) of itself in all removable drives:
- {removable drive letter}:\RESTORE\{random SID}\Ogard.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
open=RESTORE\{random SID}\Ogard.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RESTORE\{random SID}\Ogard.exe
shell\open\default=1
Other Details
This worm connects to the following possibly malicious URL:
- ogard.{BLOCKED}n.cc
- Ogard.{BLOCKED}rk.biz
- ogard.{BLOCKED}ils.net