WORM_HUPIGO.FT

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It deletes the initially executed copy of itself.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following files:

• %User Temp%\rs.bat
• %System%\svchost.ini

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

• %System%\drivers\svchost.exe
• %System Root%\{random filename}.exe
• %Program Files%\Common Files\{random filename}.exe
• %Program Files%\Internet Explorer\Connection Wizard\{random filename}.exe
• %Program Files%\Windows Media Player\{random filename}.exe
• %Windows%\addins\{random filename}.exe
• %Windows%\system\{random filename}.exe
• %System%\dllcache\{random filename}.exe
• %System%\IME\{random filename}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Program Files% is the default Program Files folder, usually C:\Program Files.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
ImagePath = "%System%\drivers\svchost.exe"

(Note: The default value data of the said registry entry is %Systemroot%\system32\svchost.exe -k netsvcs.)

Other System Modifications

This worm modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Type = "110"

(Note: The default value data of the said registry entry is 20.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
ErrorControl = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Description = "??????? Windows ???????????,???????? Windows Update ????????"

(Note: The default value data of the said registry entry is Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site..)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv\Parameters

Propagation

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe

Other Details

This worm deletes the initially executed copy of itself