Worm:Win32/Folstart.A


Worm:Win32/Folstart.A is a worm that spreads through removable drives and modifies some system settings.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Folstart.A is a worm that spreads through removable drives and modifies some system settings.

Installation

Upon execution, Worm:Win32/Folstart.A creates a copy of itself as the following file:

    %APPDATA%\Start\update.exe

Copying the file to this location also enables it to execute at each Windows start.

Worm:Win32/Folstart.A also creates the following hidden folders:

  • %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
  • %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom
  • %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr

Worm:Win32/Folstart.A also uses a folder icon as its file icon, so that its copies look like ordinary folders.

Spreads Via...

Removable drives
Worm:Win32/Folstart.A queries the following registry entry to determine if any, and if so how many, USB devices are connected to the computer:

    HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum

If a USB device is found, the worm searches the drive for folders that may exist and copies itself to the drive using the same name as the folder, without an extension. For example, if the USB drive has a folder named "New Folder", then the worm copies itself in the USB drive as an executable named "New Folder", without an extension. In combination with using a folder icon as its file icon, the worm does this to mislead users into running its copy, thinking it is the folder.

It also creates the following hidden folders on the USB drive:

  • <drive>\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
  • <drive>\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr

Payload

Modifies system settings
Worm:Win32/Folstart.A modifies system settings by making a number of registry modifications:

  • Sets the following so that hidden files are not shown in Windows Explorer:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "Hidden"
    With data: "2"
  • Sets the following in order to hide file extensions when files are viewed using Windows Explorer:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "HideFileExt"
    With data: "1"
  • Sets the following so that hidden operating system files are not displayed in Windows Explorer:
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Sets value: "ShowSuperHidden"
    With data: "0"

Analysis by Amir Fouda


Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %APPDATA%\Start\update.exe
  • The presence of the following file folders:
    %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
    %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom
    %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr
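The indicators listed in the Spreads Via, Payload and Symptoms sections above lend themselves to a simple host check. The script below is an added example and is not part of this encyclopedia entry or of any Microsoft tool. It runs against constructed data: a temporary directory stands in for an infected removable drive (with a harmless file that merely starts with the "MZ" executable signature), and a plain dict stands in for the values read from the Explorer\Advanced registry key, so it runs on any platform. The function names and the "MZ"-based check for extensionless executables are the example's own; the paths and registry data come from this entry.

```python
"""Indicator checks for the behaviours described in this entry (added example)."""
import os
import tempfile

# Explorer\Advanced values and the data this entry says the worm writes.
FOLSTART_EXPLORER_VALUES = {
    "Hidden": "2",           # 2 = do not show hidden files and folders
    "HideFileExt": "1",      # 1 = hide extensions for known file types
    "ShowSuperHidden": "0",  # 0 = do not show protected operating-system files
}

# Folder name taken from this entry; used under %APPDATA% and on removable drives.
FOLSTART_SID_DIR = "S-1-5-31-1286970278978-5713669491-166975984-320"
APPDATA_INDICATORS = [
    os.path.join("Start", "update.exe"),
    os.path.join(FOLSTART_SID_DIR, "dmc"),
    os.path.join(FOLSTART_SID_DIR, "Rotinom"),
    os.path.join(FOLSTART_SID_DIR, "tlsr"),
]
DRIVE_INDICATORS = [
    os.path.join("Usb 2.0 Driver", FOLSTART_SID_DIR, "dmc"),
    os.path.join("Usb 2.0 Driver", FOLSTART_SID_DIR, "tlsr"),
]


def matching_explorer_values(values):
    """Names of Explorer\\Advanced values whose data equals what the worm writes.

    `values` maps value name -> REG_DWORD data (int or str), e.g. as read
    with winreg on a live system; here a constructed dict is passed instead."""
    return sorted(n for n, d in FOLSTART_EXPLORER_VALUES.items()
                  if str(values.get(n)) == d)


def present_indicators(root, relpaths):
    """Relative paths from `relpaths` that exist under `root` (file or folder)."""
    return sorted(p for p in relpaths if os.path.lexists(os.path.join(root, p)))


def extensionless_executables(root):
    """Top-level files under `root` with no extension whose first two bytes are
    the 'MZ' signature of a Windows executable. A real folder never has such
    content; the worm's folder-icon copies do (heuristic, not from the entry)."""
    hits = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path) and os.path.splitext(name)[1] == "":
            with open(path, "rb") as f:
                if f.read(2) == b"MZ":
                    hits.append(name)
    return sorted(hits)


def scan_drive(root):
    """Combine both drive-side checks for one removable-drive root."""
    return {
        "indicator_paths": present_indicators(root, DRIVE_INDICATORS),
        "extensionless_executables": extensionless_executables(root),
    }


def build_sample_drive():
    """Constructed sample: a temp dir laid out like the drive this entry describes.
    The 'New Folder' file is a harmless 64-byte stand-in, not malware."""
    root = tempfile.mkdtemp(prefix="folstart_sample_")
    os.makedirs(os.path.join(root, "Photos"))  # a legitimate user folder
    for rel in DRIVE_INDICATORS:
        os.makedirs(os.path.join(root, rel))
    with open(os.path.join(root, "New Folder"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"hello")
    return root


if __name__ == "__main__":
    sample_root = build_sample_drive()
    print(scan_drive(sample_root))
    # Constructed registry snapshot: two of the three values match the worm's data.
    print(matching_explorer_values({"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 1}))
```

On a real Windows host the dict passed to matching_explorer_values would come from reading HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced with winreg, and present_indicators would be called with os.environ["APPDATA"] and APPDATA_INDICATORS; the "MZ" heuristic is a triage aid and should be confirmed with an up-to-date scanner as the entry recommends.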

Prevention


Alert level: Severe
First detected by definition: 1.103.235.0
Latest detected by definition: 1.203.984.0 and higher
First detected on: Apr 21, 2011
This entry was first published on: Apr 21, 2011
This entry was updated on: Apr 27, 2011

This threat is also detected as:
  • Win32/Folstart.A (CA)
  • Worm.Win32.AutoRun.tic (Rising AV)
  • Rotinom (other)