Analysis by: Rhena Inocencio
ALIASES:

Worm:Win32/Renocide.gen!G (Microsoft), Worm.Win32.AutoIt.aez (Kaspersky), W32.Harakit (ESET), W32/Sohana-DL (Sophos)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Via physical/removable drives, Downloaded from the Internet, Dropped by other malware, Propagates via removable drives

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 761,889 bytes
File Type: EXE
File Compression: AutoIt
Memory Resident: Yes
Initial Samples Received Date: 05 Mar 2013
Payload: Connects to URLs/IPs, Collects system information, Compromises system security, Downloads files

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %System%\csrcs.exe
  • %System%\{random number}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following files:

  • %System%\autorun.inf

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following non-malicious files:

  • %User Temp%\suicide.bat - used to delete the initially executed copy. It deletes itself after successfully deleting the malware's initial copy
  • {drive letter}:\{random filename} - empty file

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
csrcs = "%System%\csrcs.exe"

It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe csrcs.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
dreg = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
exp1 = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix1 = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
ilop = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
SuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\{random filename}.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage characters}
[AuTOrUn
;{garbage characters}
open={random filename}.exe
;{garbage characters}
shell\open\Command={random filename}.exe
;{garbage characters}
shell\open\Default=1
;{garbage characters}

Backdoor Routine

This worm executes the following commands from a remote malicious user:

  • Download and execute files
  • Manage files
  • List active window titles
  • List and terminate processes
  • Query and manipulate registries
  • Scan for IP addresses within the network
  • Update copy of itself

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://{BLOCKED}d.{BLOCKED}ster.com:5400/banner.gif
  • http://{BLOCKED}rz.hm:4580/banner.gif
  • http://{BLOCKED}u.{BLOCKED}atama.com:4700/banner.gif
  • http://{BLOCKED}d.{BLOCKED}ster.com:5400/po.php
  • http://{BLOCKED}.{BLOCKED}.19.236:4700/fruits.htm

Information Theft

This worm gathers the following data:

  • IP address
  • Language
  • Computer information
  • OS information
  • User information
  • Drive Information

Other Details

This worm connects to the following URL(s) to check for an Internet connection:

  • http://www.doctorshadow.com

It connects to the following URL(s) to get the affected system's IP address:

  • http://checkip.dyndns.org
  • http://www.whatismyip.com/automation/n09230945.asp

It deletes the initially executed copy of itself

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 9.768.02
FIRST VSAPI PATTERN DATE: 05 Mar 2013
VSAPI OPR PATTERN File: 9.769.00
VSAPI OPR PATTERN Date: 06 Mar 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Since this malware cannot be removed in normal and safe mode, it is necessary to restart using the Windows Recovery Console. To restart the system using the Windows Recovery Console:

• On Windows XP and Server 2003 systems:

  1. Click Start>Run. In the Open input box, type secpol.msc and press Enter.
  2. In the left panel, double-click Local Policies>Security Options.
  3. In the right panel, double-click Recovery Console: Allow floppy copy and access to all drives and folders.
  4. Select Enabled and click OK.
  5. Insert the Windows Installation CD into the CD drive, then restart your computer.
  6. When prompted, press any key to boot from the CD.
  7. On the main menu, type r to go to the Recovery Console.
  8. Type the number that corresponds to the drive and directory that contains Windows (usually C:\WINDOWS) and press Enter.
  9. Type the Administrator password and press Enter.
  10. In the input box, type the following then press Enter:
    SET AllowAllPaths = TRUE
DATA_GENERIC
  • Type exit and press Enter to restart the system normally.

    • • On Windows Vista and 7 systems:

    1. Insert your Windows Installation DVD in the DVD drive, then Press the restart button.
    2. When prompted, press any key to boot from the DVD.
    3. Depending on your Windows Installation DVD, you might be required to select the installation language. Then on the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Next, then click Repair your computer.
    4. Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
    5. If the Startup Repair window appears, click Cancel, Yes, then Finish.
    6. In the System Recovery Options window, click Command Prompt.
    7. In the Command Prompt window, type the following then press Enter:
      DATA_GENERIC
      (Note: In Windows 7, all local drives will be assigned one more than normal. For example, the C: drive becomes D:.)
    8. Type exit and press Enter to close the Command Prompt window.
    9. Click Restart to restart the system normally.

    Step 3

    Delete this registry key

    [ Learn More ]

    Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM
      • amty

    Step 4

    Delete this registry value

    [ Learn More ]

    Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      • csrcs = "%System%\csrcs.exe"
    • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
      • GlobalUserOffline = "0"

    Step 5

    Restore these modified registry values

    [ Learn More ]

    Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

    • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • From: Shell = "Explorer.exe csrcs.exe"
        To: Shell = "Explorer.exe"
    • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • From: SuperHidden = "0"
        To: SuperHidden = "1
    • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • From: ShowSuperHidden = "0"
        To: ShowSuperHidden = "1"
    • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • From: Hidden = "2"
        To: Hidden = "1"

    Step 6

    Search and delete AUTORUN.INF files created by WORM_OTOIT.DCS that contain these strings

    [ Learn More ]
     ;{garbage characters}
    [AuTOrUn
    ;{garbage characters}
    open={random filename}.exe
    ;{garbage characters}
    shell\open\Command={random filename}.exe
    ;{garbage characters}
    shell\open\Default=1
    ;{garbage characters}

    Step 7

    Search and delete this file

    [ Learn More ]

    There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
    • {drive letter}:\{random filename}

    Step 8

    Scan your computer with your Trend Micro product to delete files detected as WORM_OTOIT.DCS If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


    Did this description help? Tell us how we did.