Worm:Win32/Autorun.BO


Worm:Win32/Autorun.BO is a worm that may drop a backdoor trojan (identified as Backdoor:Win32/Bifrose.gen!A) and connect with remote Web sites.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When this worm is run, it may drop the following files:
%windir%\msmsgs.exe - copy of Worm:Win32/Autorun.BO
%windir%\debug\sysdeb.ini - configuration data file
 
Win32/Autorun.BO modifies the registry to execute its copy at each Windows start.
Adds value: "Windows Messenger"
With data: "%windir%\msmsgs.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 
The filename "msmsgs.exe" is identical to that of the Microsoft Internet chat application 'Windows Messenger', and the worm's file icon is the same as that used by the real Messenger application.
Spreads Via…
Removable Drives
Win32/Autorun.BO monitors when a removable drive is mounted, and attempts to drop the following files to the newly connected device:
<drive:>\autorun.inf
<drive:>\RECYCLER\RECYCLER\autorun.exe
<drive:>\RECYCLER\RECYCLER\desktop.ini
 
The contents of the AUTORUN.INF file instruct the file AUTORUN.EXE to be executed with a parameter "autorun -autorun". The parameter "-autorun" will open a Windows Explorer window to the root of the removable drive.
 
The DESKTOP.INI configuration file instructs Windows to display the folder 'RECYCLER' as if it were actually a Recycle Bin.
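The removable-drive drop set described above can be checked for with a short script. The following is an added example, not Microsoft's code or part of the entry: it assumes the autorun.inf uses the standard open= or shellexecute= directive, that the desktop.ini disguise relies on the well-known Recycle Bin CLSID (the entry quotes neither), and it writes constructed sample files into a temporary directory that stands in for a mounted drive.

```python
import configparser
import os
import tempfile

# Three files the entry says are dropped to a newly mounted removable drive, with constructed
# stand-in contents. The entry quotes no CLSID, so the Recycle Bin CLSID below is an assumption.
NESTED = os.path.join("RECYCLER", "RECYCLER")
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
DROPPED = {
    "autorun.inf": "[AutoRun]\nopen=RECYCLER\\RECYCLER\\autorun.exe -autorun\n",
    os.path.join(NESTED, "autorun.exe"): "MZ",
    os.path.join(NESTED, "desktop.ini"): "[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n",
}

def read_ini(path):
    """Leniently parse an INI-style file; None on syntax errors, empty if missing."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str.lower  # option names are case-insensitive on Windows
    try:
        cp.read(path, encoding="latin-1")
    except configparser.Error:
        return None
    return cp

def scan_removable_drive(root):
    """Return findings for the drive mounted at *root*; [] means nothing matched."""
    findings = [f"dropped file present: {p}" for p in DROPPED if os.path.isfile(os.path.join(root, p))]
    cp = read_ini(os.path.join(root, "autorun.inf"))
    sect = next((s for s in (cp.sections() if cp else []) if s.lower() == "autorun"), None)
    for key in ("open", "shellexecute") if sect else ():
        cmd = cp.get(sect, key, fallback="").lower().replace("/", "\\")
        # Entry: AUTORUN.EXE in RECYCLER\RECYCLER is executed with the "-autorun" parameter.
        if "recycler\\recycler\\autorun.exe" in cmd:
            findings.append(f"autorun.inf {key}= launches nested RECYCLER autorun.exe")
        if "-autorun" in cmd.split():
            findings.append(f"autorun.inf {key}= passes the -autorun switch")
    ini = read_ini(os.path.join(root, NESTED, "desktop.ini"))
    if ini and any(ini.get(s, "clsid", fallback="").upper() == RECYCLE_BIN_CLSID for s in ini.sections()):
        findings.append("desktop.ini disguises RECYCLER as the Recycle Bin")
    return findings

def build_sample_drive(infected=True):
    """Temp dir standing in for a mounted drive, optionally holding the constructed drop set."""
    root = tempfile.mkdtemp()
    if infected:
        os.makedirs(os.path.join(root, NESTED))
        for name, body in DROPPED.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
    return root
```

On a real drive the same check runs against its mount point; the sample builder exists only so the logic can be exercised offline.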
Payload
Installs Additional Malware
The worm executes the dropped copy 'msmsgs.exe' and may drop the following file:
%TEMP%\windll.exe - this file is detected as Backdoor:Win32/Bifrose.gen!A
 
The dropped file is then executed, and it may drop a copy of itself as the following:
<system folder>\explorer.exe - this file is also detected as Backdoor:Win32/Bifrose.gen!A
 
The registry is modified to execute the dropped trojan at each Windows start.
Adds value: "stubpath"
With data: "<system folder>\explorer.exe s"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
 
Additional registry values and data may be created.
Adds value: "nck"
With data: "..`-´*3r£&w-´*3r"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wget
 
Adds value: "klg"
With data: "1"
To subkey: HKEY_CURRENT_USER\SOFTWARE\Wget
 
Win32/Autorun.BO may inject code into the now-running trojan process 'explorer.exe' (the dropped copy, not the legitimate Windows Explorer). The trojan (identified as Backdoor:Win32/Bifrose.gen!A) may attempt to contact the following remote sites using TCP port 80:
christophe.oicp.net
aliyilmaz.vicp.net
nakaambo.vicp.net
Additional Information
This worm may use a file icon resembling Windows Messenger:
 
Analysis by Cristian Craioveanu

Symptoms

System Changes
The following system changes may indicate the presence of Worm:Win32/Autorun.BO:
  • Presence of the following files:
    %windir%\msmsgs.exe
    %windir%\debug\sysdeb.ini
    %TEMP%\windll.exe
    <system folder>\explorer.exe
  • Presence of this registry value and data:
    Adds value: "Windows Messenger"
    With data: "%windir%\msmsgs.exe"
    To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Presence of these registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
    HKEY_LOCAL_MACHINE\SOFTWARE\Wget
    HKEY_CURRENT_USER\SOFTWARE\Wget

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 26, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Backdoor:Win32/Bifrose.gen!A (other)
  • Win-Trojan/Dropper.229376 (AhnLab)
  • W32/Backdoor.BPOV (Command)
  • SHeuro.DHE (AVG)
  • Win32/Bifrost.BX (CA)
  • Worm.Autorun-522 (Clam AV)
  • Virus.Win32.AutoRun.ez (Kaspersky)
  • W32/CEP.worm (McAfee)
  • W32/AutoRun.OA (Norman)
  • W32.SillyFDC (Symantec)