WORM_AUTORUN.SPS

This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\c0n1me.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• system

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}
Debugger = "%System%\c0n1me.exe"

Where {application name} may be any of the following:

• 360rpt.EXE
• 360safe.EXE
• 360tray.EXE
• ANTIARP.EXE
• AVP.EXE
• Ast.EXE
• AutoRunKiller.EXE
• AvMonitor.EXE
• CCenter.EXE
• Frameworkservice.EXE
• GFUpd.EXE
• GuardField.EXE
• IceSword.EXE
• Iparmor.EXE
• KASARP.EXE
• KRegEx.EXE
• KVMonxp.kxp
• KVSrvXP.EXE
• KVWSC.EXE
• Mmsk.EXE
• Navapsvc.EXE
• Nod32kui.EXE
• RAS.EXE
• Regedit.EXE
• Runiep.EXE
• VPC32.EXE
• VPTRAY.EXE
• WOPTILITIES.EXE
• Wuauclt.EXE
• ~.EXE

Propagation

This worm drops the following copy of itself in all physical and removable drives:

• MSDOS.PIF

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shell\open=´ò¿ª(&O)
shell\open\Command=MSDOS.PIF
shell\open\Default=1
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\command=MSDOS.PIF

Process Termination

This worm terminates the following services if found on the affected system:

• McShield
• KWhatchsvc
• KPfwSvc
• McAfee Framework
• Norton AntiVirus Server

It terminates the following processes if found running in the affected system's memory:

• VsTskMgr.exe
• Runiep.exe
• RAS.exe
• UpdaterUI.exe
• TBMon.exe
• KASARP.exe
• scan32.exe
• VPC32.exe
• VPTRAY.exe
• ANTIARP.exe
• KRegEx.exe
• KvXP.kxp
• kvsrvxp.kxp
• kvsrvxp.exe
• KVWSC.EXE
• Iparmor.exe
• 360rpt.EXE
• CCenter.EXE
• RAVMON.EXE
• RAVMOND.EXE
• GuardField.exe
• Ravxp.exe
• GFUpd.exe

Other Details

This worm attempts to access the following websites to download files, which are possibly malicious:

• http://{BLOCKED}n8.com/dd/1.exe
• http://{BLOCKED}n8.com/dd/10.exe
• http://{BLOCKED}n8.com/dd/11.exe
• http://{BLOCKED}n8.com/dd/12.exe
• http://{BLOCKED}n8.com/dd/13.exe
• http://{BLOCKED}n8.com/dd/14.exe
• http://{BLOCKED}n8.com/dd/15.exe
• http://{BLOCKED}n8.com/dd/16.exe
• http://{BLOCKED}n8.com/dd/17.exe
• http://{BLOCKED}n8.com/dd/2.exe
• http://{BLOCKED}n8.com/dd/3.exe
• http://{BLOCKED}n8.com/dd/4.exe
• http://{BLOCKED}n8.com/dd/5.exe
• http://{BLOCKED}n8.com/dd/6.exe
• http://{BLOCKED}n8.com/dd/7.exe
• http://{BLOCKED}n8.com/dd/8.exe
• http://{BLOCKED}n8.com/dd/9.exe
• http://{BLOCKED}n8.com/dd/ar.exe
• http://{BLOCKED}n8.com/dd/do.exe
• http://{BLOCKED}n8.com/dd/gz.exe
• http://{BLOCKED}n8.com/dd/self.gif

However, as of this writing, the said sites are inaccessible.

NOTES:

The dropped AUTORUN.INF is detected as MAL_OTORUN1.