WORM_AUTORUN.JMJ

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system. It executes commands from a remote malicious user, effectively compromising the affected system. However, as of this writing, the said sites are inaccessible.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

It retrieves specific information from the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %Windows%\System\dllcache.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• LxLXjediwarlordXLxL

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
netmon = "%Windows%\system\dllcache.exe"

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\System\ControlSet001\
Control\SafeBoot\Minimal\
dllcache

HKEY_LOCAL_MACHINE\System\ControlSet001\
Control\SafeBoot\Network\
dllcache

It adds the following registry entries:

HKEY_LOCAL_MACHINE\System\ControlSet001\
Control\SafeBoot\Minimal\
dllcache
(Default) = "Service"

HKEY_LOCAL_MACHINE\System\ControlSet001\
Control\SafeBoot\Network\
dllcache
(Default) = "Service"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• {Drive Letter}:\strongkey-rc1.3-build-208.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shellexecute=strongkey-rc1.3-build-208.exe
action=Open folder to view files
shell\default=Open
shell\default\command=strongkey-rc1.3-build-208.exe
shell=default

Backdoor Routine

This worm opens a random port to allow a remote user to connect to the affected system. Once a successful connection is established, the remote user executes commands on the affected system.

It executes the following commands from a remote malicious user:

• Manage services
• Send time and date format
• Upload Files
• Manage Windows

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}arlord.com:4545

However, as of this writing, the said sites are inaccessible.

Dropping Routine

This worm drops the following files:

• %System%\drivers\sysdrv32.sys - detected as RTKT_TCPAGENT.W

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Information Theft

This worm retrieves the following information from the affected system:

• Computer name
• Local IP address
• OS version information
• Username

Other Details

This worm deletes the initially executed copy of itself