WORM_AUTORUN.SLRG
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %Application Data%\Paint.exe
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Update = "{malware path and filename}.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Update = "{malware path and filename}.exe"
It drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:
- %User Startup%\Paint.lnk
(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)
Propagation
This worm drops copies of itself in the following drives:
- {Drive Letter}:\Paint
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
OPEN=Paint
icon=%SystemRoot%\system32\SHELL32.dll,4
open=Open
shell\open\command=Paint
NOTES:
It searches for all *.EXE files on all drives connected to the affected system.
It renames the targeted file to:
- v{original filename}.exe (e.g. Calc.exe to vCalc.exe)
It replaces the file attribute of the renamed file to Hidden.
The malware then drop a copy of itself using the original filename of the target file.
It then retrieves the icon file from the renamed target file and updates its copy with the said icon.