Worm:Win32/Autorun.PQ is a worm that spreads to other drives. This worm may terminate applications, change the access control lists (ACLs) of multiple files and download additional malware.
Installation
This worm may be installed when an infected drive is accessed while the Autorun feature is enabled. When run, the worm disables Windows File Protection for the following files so that it can overwrite them:
<system folder>\drivers\beep.sys
<system folder>\wuauclt.exe
<system folder>\dllcache\wuauclt.exe
The file 'wuauclt.exe' is the Windows application "Windows Update Auto-Update Client" that assists in updating the Windows operating system and components.
Next, the worm copies itself to the following locations:
<system folder>\wuauclt.exe
<system folder>\dllcache\wuauclt.exe
The registry is modified to run the dropped worm copy at each Windows start.
Adds value: "explorer"
With data: "<system folder>\wuauclt.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Worm:Win32/Autorun.PQ drops a driver as '<system folder>\drivers\beep.sys' to protect the worm.
Spreads Via…
Removable Drives
This worm copies itself to the root of removable drives as 'bd.pif'. Worm:Win32/Autorun.PQ then writes an autorun configuration file named 'autorun.inf' pointing to 'bd.pif'. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
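As an added triage example (not part of the original analysis), the following Python script flags the two host-visible indicators described above: an 'autorun.inf' whose launch directives point at 'bd.pif', and an "explorer" value under the Policies\Explorer\Run key that starts 'wuauclt.exe'. The autorun.inf text and the registry values are constructed samples; a real check would read them from the drive root and from a registry export.

```python
import configparser
import io
import re

# Constructed sample: an autorun.inf of the kind the worm writes to a drive root.
SAMPLE_AUTORUN_INF = """[autorun]
open=bd.pif
shellexecute=bd.pif
shell\\open\\Command=bd.pif
"""

# Constructed sample: {value name: data} as found under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.
SAMPLE_POLICY_RUN_VALUES = {
    "explorer": r"C:\WINDOWS\system32\wuauclt.exe",
}

AUTORUN_LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun_inf(text):
    """Return the [autorun] section as a {lower-cased key: value} dict.
    Section lookup ignores case ([AutoRun] is common) and duplicate keys are tolerated."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str.lower
    cp.read_file(io.StringIO(text))
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def autorun_indicators(text):
    """Flag open=, shellexecute= and shell\\...\\command= directives that launch bd.pif."""
    hits = []
    for key, value in parse_autorun_inf(text).items():
        is_launch = key in AUTORUN_LAUNCH_KEYS or key.startswith("shell\\")
        if is_launch and re.search(r"(^|[\\/])bd\.pif$", value.strip().lower()):
            hits.append(f"autorun.inf {key}={value.strip()}")
    return hits


def policy_run_indicators(values):
    """Flag an 'explorer' value in Policies\\Explorer\\Run whose data ends in wuauclt.exe.
    The genuine update client is not started from this policy key."""
    hits = []
    for name, data in values.items():
        target = data.strip().strip('"').lower()
        if name.lower() == "explorer" and target.endswith("wuauclt.exe"):
            hits.append(f"Policies\\Explorer\\Run {name}={data}")
    return hits
```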
Payload
Terminates processes
The worm attempts to terminate the following processes:
360rpt.EXE
360Safe.exe
360tray.exe
AntiArp.exe
Avp.EXE
CCenter.EXE
FrameworkService.exe
GFUpd.exe
GuardField.exe
Iparmor.exe
KASARP.exe
KAVPFW.EXE
kavstart.exe
kmailmon.exe
KPfwSvc
KRegEx.exe
kvsrvxp.exe
kvsrvxp.kxp
KVWSC.EXE
KvXP.kxpx
kwatch.exe
KWhatchsvc
McShield
nod32krn.exe
nod32kui.exe
Norton AntiVirus Server
RAv.exe
RAVMON.EXE
RAVMOND.EXE
RavStub.exe
Ravxp.exe
rfwmain.exe
rfwProxy.exe
rfwsrv.exe
rfwstub.exe
RSTray.exe
Runiep.exe
scan32.exe
sharedaccess
Symantec AntiVirus
Symantec AntiVirus Definition Watcher
Symantec AntiVirus Drivers Services
TBMon.exe
UpdaterUI.exe
VPC32.exe
VPTRAY.exe
VsTskMgr.exe
Changes ACL settings for multiple files and directories
In the wild, this worm was observed to invoke the Windows utility 'cacls.exe' to change the stored ACLs of security applications running in memory and of the following directory, granting every user full control:
%ALLUSERSPROFILE%
The environment variable %ALLUSERSPROFILE% commonly refers to one of the following folders:
Pre-Windows Vista: C:\Documents and Settings\All Users\
Windows Vista and above: C:\ProgramData\
Analysis by Neno Lakinski