Worm:Win32/Autorun.CD is a worm that spreads via removable drives, instant messaging and e-mail, and changes the affected user's Internet Explorer Start page.
Installation
When executed, Worm:Win32/Autorun.CD copies itself to the following locations:
<system folder>\autochl.exe
<system folder>\sserver.exe
<system folder>\config\system.exe
<system folder>\config\system.sav
%windir%\temp\newdev.exe
<system folder>\lap.exe
<system folder>\dllcache\log.exe
It then makes a number of modifications to the registry. These modifications ensure that a copy of the worm is executed at each Windows logon, that AutoRun is enabled on removable drives and that users cannot select to show hidden files.
To key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: shell
With data: "Explorer.exe <system folder>\sserver.exe"
To key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Adds value: CheckedValue
With data: 0
To key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Adds value: NoDriveTypeAutoRun
With data: "145"
It also deletes the following entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vbw
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\2nt
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\system
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
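The three registry changes above can be checked offline from a snapshot, which is useful when triaging an exported hive rather than a live host. The script below is an added example, not Microsoft's tooling or part of the original analysis. The snapshot layout (key path mapped to a dict of value name to data) is a convention invented for this example; the sample snapshots are constructed from the values described above, and the `<system folder>` placeholder is assumed to be `C:\WINDOWS\system32`. The `NoDriveTypeAutoRun` check decodes the documented bitmask (0x04 is the removable-drive bit), which is why the worm's 145 (0x91) re-enables AutoRun on removable media while the XP default 149 (0x95) and the fully hardened 255 (0xFF) do not.

```python
"""Offline triage of the registry modifications made by Worm:Win32/Autorun.CD.

Added example (not Microsoft's code). Evaluates a snapshot of the three keys
the worm touches; on Windows, collect_snapshot() can fill it from winreg.
"""
import sys

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHOWALL = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
POLICIES = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Bit of NoDriveTypeAutoRun that, when set, disables AutoRun on removable drives.
DRIVE_REMOVABLE_BIT = 0x04


def parse_mask(data):
    """Accept a DWORD or the worm's REG_SZ "145" and return an int."""
    if isinstance(data, int):
        return data
    text = str(data).strip().lower()
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def autorun_enabled_on_removable(data):
    """True when the NoDriveTypeAutoRun mask leaves removable drives enabled."""
    return not (parse_mask(data) & DRIVE_REMOVABLE_BIT)


def get_value(snapshot, key, name):
    """Case-insensitive lookup (registry key and value names are not case-sensitive)."""
    for k, values in snapshot.items():
        if k.lower() == key.lower():
            for n, data in values.items():
                if n.lower() == name.lower():
                    return data
    return None


def assess_registry_snapshot(snapshot):
    """Return one finding string per indicator present in the snapshot."""
    findings = []
    shell = get_value(snapshot, WINLOGON, "Shell")
    if shell is not None and str(shell).strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell hijacked: {shell!r}")
    checked = get_value(snapshot, SHOWALL, "CheckedValue")
    if checked is not None and parse_mask(checked) == 0:
        findings.append("SHOWALL\\CheckedValue is 0: 'Show hidden files' cannot be selected")
    mask = get_value(snapshot, POLICIES, "NoDriveTypeAutoRun")
    if mask is not None and autorun_enabled_on_removable(mask):
        findings.append(f"NoDriveTypeAutoRun={mask!r} leaves AutoRun enabled on removable drives")
    return findings


def collect_snapshot():
    """Read the three keys from the live registry (Windows only)."""
    import winreg  # raises ImportError on non-Windows platforms
    snapshot = {}
    for path in (WINLOGON, SHOWALL, POLICIES):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path.split("\\", 1)[1]) as key:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    values[name] = data
                    index += 1
        except OSError:
            pass  # key absent: nothing to report for it
        snapshot[path] = values
    return snapshot


# Constructed samples: the worm's values as described, and a clean XP-style baseline.
INFECTED_SNAPSHOT = {
    WINLOGON: {"shell": r"Explorer.exe C:\WINDOWS\system32\sserver.exe"},
    SHOWALL: {"CheckedValue": 0},
    POLICIES: {"NoDriveTypeAutoRun": "145"},
}
CLEAN_SNAPSHOT = {
    WINLOGON: {"Shell": "Explorer.exe"},
    SHOWALL: {"CheckedValue": 1},
    POLICIES: {"NoDriveTypeAutoRun": 0xFF},
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for line in assess_registry_snapshot(snap) or ["no indicators found"]:
        print(line)
```

Run without arguments on a non-Windows host it evaluates the constructed infected snapshot; on Windows it reads the live keys. A `CheckedValue` of 1 is the normal setting that lets users pick "Show hidden files and folders".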
Worm:Win32/Autorun.CD replaces the content of the following files with <system folder>\config\system.sav (a copy of the worm):
- %windir%\regedit.exe
- <system folder>\taskmgr.exe
(Note: this will fail if the Task Manager is currently active)
The worm takes a number of additional actions to ensure that it remains active on the affected system. It runs a number of the copies of itself that it created earlier (see above for details) and then exits:
- <system folder>\autochl.exe - takes the same actions as the worm's original executable, but only loads %windir%\temp\newdev.exe and stays resident. The loaded copy, %windir%\temp\newdev.exe, takes the same actions as the original executable, but does not load any other processes, and stays resident.
- <system folder>\config\system.exe - takes the same actions as the worm's original executable, but does not load any other processes, and stays resident.
- %windir%\temp\newdev.exe - (this file is loaded twice, once by the original executable, and once by <system folder>\autochl.exe). This instance, loaded by the worm's original executable, takes the same actions as the worm's original executable, but does not load any additional processes, and then exits.
With three processes running concurrently, the worm is able to resurrect itself should one of the processes crash or terminate.
Spreads Via…
Removable Drives
The worm spreads on all removable devices by copying two files in the root of the attached drives:
- goback.exe (a copy of the worm)
- autorun.inf containing:
[autorun]
shellexecute=goback.exe
shell\explore\command=goback.exe
shell=explore
shell\open\command=goback.exe
shell=open
The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
In each folder present on the removable drive, the worm adds a copy of itself with a file name that uses the following format:
- "crack <targeted folder name>.exe"
E-mail
Autorun.CD may spread via e-mail. It collects addresses to send itself to from the Personal Address Book. The e-mail it sends has the Subject "Subject: Send to All_love" and a copy of the worm as an attachment.
Instant Messaging
It also spreads by sending a message containing a link to the worm using Instant Messaging clients. The worm may send the following messages:
"Download no ve roi chay no: hxxp://www.freewebtown.com/********/mylove.exe" (Vietnamese: "Download it and then run it")
"phan mem hay lam hxxp://www.freewebtown.com/********/mylove.exe" (Vietnamese: "really good software")
Payload
Changes Start Page
Worm:Win32/Autorun.CD changes the user's Internet Explorer Start page to hxxp://goodluck.good.to.
Analysis by Cristian Craioveanu