Worm:Win32/Autorun.JN is a worm that spreads via removable drives, such as flash drives or portable hard disks. It attempts to connect to certain remote servers.
Installation
Worm:Win32/Autorun.JN drops a copy of itself, under a random file name, in a subfolder it creates in the Windows system folder. The subfolder it creates also has a random name. It then runs the dropped copy.
For example, it drops a copy of itself in the created subfolder "<system folder>\38955c\cb05e3.exe".
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It drops a shortcut file to itself as "<startup folder>\<malware file>.lnk", for example, "<startup folder>\cb05e3.lnk".
Note - <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It also modifies the system registry so that it runs every time Windows starts, for example:
Adds value: CB05E3
With data: <system folder>\38955c\cb05e3.exe
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreads Via...
Removable Drives
Worm:Win32/Autorun.JN spreads via removable drives. It drops the following files in the root of the removable drive:
- recycled.exe - has the hidden attribute; copy of this worm
- autorun.inf - also has the hidden attribute; detected as Worm:Win32/Autorun.JN!inf and is used by the worm to automatically run when the drive is accessed and Autorun is enabled
- <existing folder>.exe - copy of this worm; <existing folder> is a folder that currently exists in the removable drive; this worm uses the folder icon and, when run manually by a user, attempts to open <existing folder> to avoid arousing suspicion in users
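As an added example, not part of the advisory, the following Python check looks for exactly this drive-root footprint in a directory listing: a hidden autorun.inf, recycled.exe, and an .exe whose base name matches a folder that already exists beside it. The Entry type, the function names and the sample file names are assumptions constructed for the example.

```python
"""Constructed detection example for the drive-root footprint the advisory
describes. Sample file names below are constructed, not captured data."""
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    name: str      # name at the root of the drive
    is_dir: bool
    hidden: bool   # FILE_ATTRIBUTE_HIDDEN set

def find_autorun_jn_indicators(entries):
    """Return sorted (indicator, name) pairs found in one drive-root listing."""
    folders = {e.name.lower() for e in entries if e.is_dir}
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        lower = e.name.lower()
        stem, ext = os.path.splitext(lower)
        if lower == "autorun.inf" and e.hidden:
            findings.append(("hidden autorun.inf", e.name))
        elif lower == "recycled.exe":
            findings.append(("recycled.exe worm copy", e.name))
        elif ext == ".exe" and stem in folders:
            # Decoy: an executable with the same base name as a real folder beside it.
            findings.append(("exe mimicking existing folder", e.name))
    return sorted(findings)

def list_drive_root(path):
    """Build Entry objects from a real drive root, e.g. list_drive_root("E:/").
    The hidden flag is only readable on Windows; elsewhere it is reported False."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return entries

# Constructed sample listing reproducing the pattern described in the advisory.
SAMPLE_ROOT = [
    Entry("Photos", True, False),         # genuine folder
    Entry("Photos.exe", False, False),    # decoy using the folder icon
    Entry("recycled.exe", False, True),
    Entry("autorun.inf", False, True),
    Entry("report.docx", False, False),
    Entry("Setup.exe", False, False),     # legitimate installer, not flagged
]
```

On a Windows host, `find_autorun_jn_indicators(list_drive_root("E:/"))` runs the same check against a mounted removable drive.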
Payload
Connects to Remote Servers
Worm:Win32/Autorun.JN attempts to connect to the following remote servers:
- x-66.cn
- x-77.cn
- fafa6.com
Additional Information
Worm:Win32/Autorun.JN is written using the EPL programming language, and drops the following runtime libraries in "%temp%\e_n4" and "<system folder>\<random subfolder>":
- krnln.fnr
- htmlview.fne
- internet.fne
- eapi.fne
- shell.fne
- dp1.fne
- spec.fne
Analysis by Marian Radu