Worm:Win32/Autorun.MB is a worm that copies itself to logical and mapped network drives and gives a remote attacker access to the infected computer. The worm can also spread to other computers over the network by exploiting a vulnerability present on computers that have not applied
Microsoft Security Bulletin MS02-045, a security update first published in 2002.
Installation
When run, this worm copies itself, together with additional malware, as the following file:
%windir%\system\wmibus.exe (or wmisync.exe)
The worm then executes the dropped worm copy.
Spreads Via…
Networked Computers
This worm can spread to other computers by exploiting a vulnerability present on computers that have not applied Microsoft Security Bulletin MS02-045, a security update first published in 2002. The worm connects to networked computers on TCP port 445 (SMB) and sends a malformed packet in an attempt to exploit the vulnerability and infect the target with a copy of itself.
Logical & Mapped Drives
The worm will attempt to copy itself to logical and mapped network drives. In the wild this worm has been observed to copy itself as one of the following:
<drive:>\openfiles.exe
<drive:>\recycler\s-1-6-21-9432276501-9644491937-600003330-4500\autorun.exe
Win32/Autorun.MB writes an autorun configuration file named '<drive:>\autorun.inf' that points to one of the files listed above. When the removable or network drive is accessed from another machine with the Autorun feature enabled, the malware is launched automatically. The worm also creates a 'desktop.ini' configuration file intended to hide the extension of the copy placed on the drive.
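The following is an added example, not part of this write-up, showing how an incident responder can triage an autorun.inf collected from a suspect drive against the two drop paths listed above. The sample autorun.inf is constructed: the description only says the file "points to" one of the copies, so the exact keys (open= and shell\open\command=) are an assumption. The check also generalises beyond this variant, flagging any launch target inside a RECYCLER folder whose SID is not a real account SID (per-user RECYCLER folders on a real system are named S-1-5-21-...), and any executable launched straight from the drive root.

```python
import re

# Constructed sample of the autorun.inf such a worm writes to the drive root.
# The write-up only says the file "points to" one of the dropped copies; the
# key layout below (open= and shell\open\command=) is an assumption.
SAMPLE_AUTORUN_INF = r"""
; constructed sample, not captured from an infected drive
[autorun]
open=recycler\s-1-6-21-9432276501-9644491937-600003330-4500\autorun.exe
shell\open\command=recycler\s-1-6-21-9432276501-9644491937-600003330-4500\autorun.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""

# [autorun] keys that Windows will execute; any of them can launch a binary.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Drop paths observed for this worm (from the description above), lower-cased
# and relative to the drive root.
KNOWN_DROP_PATHS = {
    r"openfiles.exe",
    r"recycler\s-1-6-21-9432276501-9644491937-600003330-4500\autorun.exe",
}

# Per-user RECYCLER folders are named after the owning account's SID, which on
# a real system begins S-1-5-21.  Any other identifier authority is fabricated.
FAKE_SID_RE = re.compile(r"(?:^|\\)recycler\\s-1-(?!5-)\d+-", re.IGNORECASE)


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section names and keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Every value an autorun.inf would execute, as (key, raw value) pairs."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(key, autorun[key]) for key in LAUNCH_KEYS if key in autorun]


def normalise_target(raw):
    """Reduce a launch value to a bare, lower-cased path relative to the drive root."""
    raw = raw.strip()
    if not raw:
        return ""
    if raw.startswith('"'):
        path = raw[1:].split('"', 1)[0]      # quoted path; arguments follow the quote
    else:
        path = raw.split(None, 1)[0]         # first token; arguments follow
    return path.lstrip(".\\").lower()        # ".\foo.exe" and "\foo.exe" -> "foo.exe"


def triage_autorun(text):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    for key, raw in launch_targets(text):
        target = normalise_target(raw)
        if target in KNOWN_DROP_PATHS:
            findings.append(f"{key}= launches a known Win32/Autorun.MB drop path: {raw}")
        elif FAKE_SID_RE.search(target):
            findings.append(f"{key}= launches from a RECYCLER folder with a fabricated SID: {raw}")
        elif target.endswith(".exe") and "\\" not in target:
            findings.append(f"{key}= launches an executable from the drive root: {raw}")
    return findings


if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN_INF):
        print(finding)
```

Run against a real file with `triage_autorun(open(path, encoding="cp1252").read())`; the root-executable rule will also fire on legitimate installer CDs (open=setup.exe), so treat it as a prompt to inspect the binary rather than as a verdict.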
Payload
Bypasses Windows Firewall
This worm adds itself to the Windows Firewall list of authorized applications so that inbound connections to it are allowed, by modifying the registry as in the following example:
Adds value: "%windir%\system\wmisync.exe"
With data: = "%windir%\system\wmisync.exe:*:microsoft enabled"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Connects to Remote Server to Receive Command Instructions
Worm:Win32/Autorun.MB may connect to a predefined remote IRC (Internet Relay Chat) server, 'sec.republicofskorea.info', on TCP port 8085 to receive commands from an attacker.
Opens Ports
The worm may open a high-numbered TCP port (for example, 32241) and UDP port 69 (the TFTP port) to await connections from a remote attacker.
Additional Information
Win32/Autorun.MB modifies the registry value that controls how long Windows waits for a service to stop (during restart, shutdown or logoff) before terminating it, setting it to 7000 milliseconds (the Windows XP default is 20000):
Modifies value: "WaitToKillServiceTimeout"
With data: "7000"
In subkey: HKLM\SYSTEM\CurrentControlSet\Control
The registry may have the following additional modification as a result of infection by the worm:
Adds value: "GON"
With data: "<Win32/Autorun.MB executable>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
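The three registry artifacts described above (the firewall exception, the WaitToKillServiceTimeout change and the GON value under Shell Extensions) can be checked offline from a `reg export` of the relevant keys. The following is an added example, not part of this write-up or of any Microsoft tool; the .reg text it parses is constructed from the values quoted above, with the expansion of %windir% and the benign Windows Messenger entry added as assumptions. The firewall check does more than match the worm's path: a legitimate XP SP2 exception has the form `<path>:<scope>:Enabled|Disabled:<name>`, and the worm's data (`...:*:microsoft enabled`) does not fit that layout, which is a useful heuristic against other malware that writes this list by hand.

```python
import re

# Constructed 'reg export' of the three keys named in the write-up, with the
# worm's entries beside one legitimate exception.  "7000", "GON" and the
# wmisync.exe paths come from the description; the rest is assumed.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\system\\wmisync.exe"="%windir%\\system\\wmisync.exe:*:microsoft enabled"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="7000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"GON"="C:\\WINDOWS\\system\\wmisync.exe"
"""

FIREWALL_LIST_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                     r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
CONTROL_KEY = r"hkey_local_machine\system\currentcontrolset\control"
SHELL_EXT_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\shell extensions"

# "name"="string" lines of a .reg export (REG_SZ only; dword:/hex: lines are skipped).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Layout of an XP SP2 firewall exception after its leading path:
#   :<scope>:<Enabled|Disabled>:<friendly name>
FW_TAIL_RE = re.compile(r"^:[^:]+:(?:Enabled|Disabled):.+$")


def unescape(s):
    """Undo .reg string escaping: doubled backslashes and escaped quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1)).lower()] = unescape(m.group(2))
    return keys


def check_firewall_list(entries):
    findings = []
    for name, data in entries.items():
        if not data.lower().startswith(name):
            findings.append(f"firewall exception {name!r}: data does not start with its own path")
            continue
        if not FW_TAIL_RE.match(data[len(name):]):
            findings.append(f"firewall exception {name!r}: malformed data {data!r}")
        if "\\system\\" in name:
            findings.append(f"firewall exception {name!r}: program lives in the legacy %windir%\\system folder")
    return findings


def check_service_timeout(entries, default="20000"):
    # 20000 ms is the Windows XP default; adjust for the host's Windows version.
    value = entries.get("waittokillservicetimeout")
    if value is None or value == default:
        return []
    return [f"WaitToKillServiceTimeout changed to {value} ms (default {default})"]


def check_shell_extensions(entries):
    # Legitimate handler data lives in the Approved subkey; a value directly
    # under Shell Extensions that names an executable is out of place.
    return [f"Shell Extensions value {name!r} names an executable: {data}"
            for name, data in entries.items() if data.lower().endswith(".exe")]


def triage_registry_export(text):
    """Run all three checks over one .reg export and return the findings."""
    keys = parse_reg_export(text)
    return (check_firewall_list(keys.get(FIREWALL_LIST_KEY, {}))
            + check_service_timeout(keys.get(CONTROL_KEY, {}))
            + check_shell_extensions(keys.get(SHELL_EXT_KEY, {})))


if __name__ == "__main__":
    for finding in triage_registry_export(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live host, export each key with `reg export <key> <file>.reg` (reg.exe writes UTF-16, so read the file with `encoding="utf-16"`) and feed the text to `triage_registry_export`; the parser deliberately ignores dword: and hex: values, so extend VALUE_RE if other value types matter to the investigation.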
Analysis by Jaime Wong