Threat behavior
Worm:BAT/Autorun.B is part of a multi-component malware family that propagates by creating copies in drives found in the system.
Upon execution, Worm:BAT/Autorun.B copies the Windows file <system folder>\ipconfig.exe to <system folder>\schosv.exe, most likely as an infection marker.
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
It then checks whether the file <system folder>\winaudio0x.dll exists. If this DLL file exists, the worm terminates itself.
Worm:BAT/Autorun.B performs the following actions in an infinite loop:
- It drops the file autorun.inf, detected as Worm:BAT/Autorun.B!inf, into C:\. If a file with the same name already exists in this location, the worm checks whether it is its own version. If the INF file does not belong to this worm, it is deleted and replaced with the file detected as Worm:BAT/Autorun.B!inf.
- It then checks for the existence of drives E: to L:. For each drive that exists, it checks for the presence of the file autorun.inf. If this file exists, this worm replaces it with a copy of the file detected as Worm:BAT/Autorun.B!inf.
- It copies the file <system folder>\config\ntus.txt, if it exists, as C:\debian.exe with the hidden, system, and read-only attributes. This file is detected as Trojan:Win32/Agent.EI.
- It checks if the file E:\mstr.exe exists. If not, this worm copies the following files, if they exist, into drive E, with hidden, system, and read-only attributes:
- It then repeats the above process for drives G: to L:.
In essence, this worm's main function is to ensure that all components of this particular threat are copied to drives E: and G: to L:.
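The artifacts described above (the schosv.exe marker, C:\debian.exe, E:\mstr.exe, and autorun.inf in the root of C: and E: to L:) can be hunted for with the following routine. This is an added example, not part of the original entry: it runs offline against a constructed snapshot of the file system (path -> set of DOS attributes), and the default XP/Vista System folder and the attribute names are assumptions.

```python
"""Hunt for the on-disk artifacts described for Worm:BAT/Autorun.B."""
from __future__ import annotations

SYSTEM_FOLDER = r"C:\Windows\System32"  # assumed: default for XP/Vista per the entry
HSR = frozenset({"hidden", "system", "readonly"})  # attribute set the worm applies

# File artifacts taken from the behaviour description.
MARKER_FILES = {
    SYSTEM_FOLDER + r"\schosv.exe": "infection marker (copy of ipconfig.exe)",
    r"C:\debian.exe": "dropped component (Trojan:Win32/Agent.EI)",
    r"E:\mstr.exe": "component copied to drive E:",
}
AUTORUN_DRIVES = ["C"] + [chr(c) for c in range(ord("E"), ord("L") + 1)]


def _norm(path: str) -> str:
    return path.strip().lower()


def find_autorun_b_indicators(snapshot: dict[str, set[str]]) -> list[str]:
    """Return one human-readable finding per matching artifact."""
    files = {_norm(p): set(a) for p, a in snapshot.items()}
    known = {_norm(p) for p in MARKER_FILES}
    findings: list[str] = []

    for path, why in MARKER_FILES.items():
        if _norm(path) in files:
            findings.append(f"{path}: {why}")

    # autorun.inf in the root of C: and of each drive E: .. L:
    for drive in AUTORUN_DRIVES:
        inf = f"{drive}:\\autorun.inf"
        if _norm(inf) in files:
            findings.append(f"{inf}: autorun.inf in drive root (Worm:BAT/Autorun.B!inf candidate)")

    # The worm sets hidden+system+read-only on executables it drops into drive
    # roots; flag any other root-level .exe carrying that combination too.
    for path, attrs in files.items():
        in_root = len(path) > 3 and path[1:3] == ":\\" and "\\" not in path[3:]
        if in_root and path.endswith(".exe") and HSR <= attrs and path not in known:
            findings.append(f"{path}: root-level .exe with hidden+system+read-only attributes")
    return findings


SAMPLE_SNAPSHOT = {  # constructed sample, not real telemetry
    r"C:\Windows\System32\ipconfig.exe": {"archive"},
    r"C:\Windows\System32\schosv.exe": {"archive"},
    r"C:\autorun.inf": {"hidden", "system", "readonly"},
    r"C:\debian.exe": {"hidden", "system", "readonly"},
    r"E:\autorun.inf": {"hidden", "system", "readonly"},
    r"E:\mstr.exe": {"hidden", "system", "readonly"},
    r"E:\other.exe": {"hidden", "system", "readonly"},
    r"D:\setup.exe": {"archive"},
    r"C:\Users\me\notes.txt": {"archive"},
}
```

Running find_autorun_b_indicators(SAMPLE_SNAPSHOT) reports the three named files, both autorun.inf copies, and E:\other.exe via the attribute heuristic; D:\setup.exe and the notes file are not flagged.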
Analysis by Marian Radu
Prevention