Worm:Win32/Autorun.WT is a worm that disables certain Windows utilities and spreads via removable and network drives.
Installation
When executed, Worm:Win32/Autorun.WT creates the following folder(s):
- C:\Program Files\Windows Alerter
- C:\Program Files\Windows Common Files
- C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003
It then drops copies of itself as the following files, with the file attributes set to 'Hidden' and 'System':
The worm uses social engineering by setting the icon of the dropped files above to that of a standard file folder. The worm modifies registry data so that the dropped copies run at Windows start.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WindowMessenger"
To data: "c:\recycler\x-1-5-21-1960408961-725345543-839522115-1003\winsysapp.exe"
Sets value: "Windows Alerter"
To data: "C:\Program Files\Windows Alerter\WinAlert.exe"
Sets value: "Windows Common Files Manager"
To data: "C:\Program Files\Windows Common Files\Commgr.exe"
Spreads via…
Removable drives
Worm:Win32/Autorun.WT spreads itself to removable and network drives by dropping a copy of itself as the following:
<drive:>\RECYCLER\{random file name}.exe
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
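The following PowerShell script is an added example (not part of the original write-up and not Microsoft's tooling) that hunts one host for the indicators listed above: the three Run-key values, the three dropped folders, and a `RECYCLER\*.exe` next to an `autorun.inf` that references `RECYCLER` on removable or network drives. It is read-only and only reports; the `{random file name}` is not known, so the drive check matches any `.exe` under `RECYCLER`, which is an assumption of this example. Run it from an elevated prompt so every loaded user hive under `HKEY_USERS` can be read.

```powershell
# Added example: read-only hunt for Worm:Win32/Autorun.WT indicators on this host.

# Run-key values and data the write-up attributes to the worm.
$runValues = @{
    'WindowMessenger'              = 'c:\recycler\x-1-5-21-1960408961-725345543-839522115-1003\winsysapp.exe'
    'Windows Alerter'              = 'C:\Program Files\Windows Alerter\WinAlert.exe'
    'Windows Common Files Manager' = 'C:\Program Files\Windows Common Files\Commgr.exe'
}
# Folders the worm creates on installation.
$dropFolders = @(
    'C:\Program Files\Windows Alerter',
    'C:\Program Files\Windows Common Files',
    'C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003'
)

$findings = @()

# 1. HKCU\...\Run is per user, so walk every loaded user hive under HKEY_USERS
#    instead of only the account running this script.
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues.Keys) {
        $data = $props.$name
        if ($null -ne $data) {
            $match = if ($data -ieq $runValues[$name]) { 'exact' } else { 'name only' }
            $findings += [pscustomobject]@{ Type = 'RunValue'; Where = "$key\$name"; Data = "$data ($match)" }
        }
    }
}

# 2. Dropped folders. Hidden/System attributes do not hide them from Test-Path.
foreach ($folder in $dropFolders) {
    if (Test-Path -LiteralPath $folder) {
        $findings += [pscustomobject]@{ Type = 'DropFolder'; Where = $folder; Data = '' }
    }
}

# 3. Removable (DriveType 2) and network (DriveType 4) drives: an autorun.inf
#    that references RECYCLER plus .exe files directly under RECYCLER. The
#    legitimate RECYCLER folder holds per-SID subfolders, not .exe files at its
#    root, so this pairing is a reasonable indicator. (Assumption: the random
#    file name is unknown, so any .exe there is reported.)
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 }
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    $exes = Get-ChildItem -LiteralPath (Join-Path $root 'RECYCLER') -Filter *.exe -Force -ErrorAction SilentlyContinue
    if ((Test-Path -LiteralPath $inf) -and $exes) {
        $infText = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue | Out-String
        if ($infText -match '(?i)RECYCLER\\') {
            foreach ($e in $exes) {
                $findings += [pscustomobject]@{ Type = 'DriveCopy'; Where = $e.FullName; Data = "referenced by $inf" }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No Autorun.WT indicators found on this host.' }
```

A Run-key hit is reported as "exact" when the data matches the write-up character for character and "name only" when only the value name matches, since a value name alone is a weaker indicator and merits a look at where its data points before anything is removed.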
Payload
Modifies Windows Explorer settings
Worm:Win32/Autorun.WT modifies registry data to block the viewing of files with the hidden and system file attributes, if that option is enabled in Windows Explorer.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
To data: "2"
Sets value: "HideFileExt"
To data: "1"
Sets value: "ShowSuperHidden"
To data: "0"
Sets value: "SuperHidden"
To data: "0"
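The script below is an added example (not from the original write-up) that checks the four Explorer\Advanced values listed above for the worm's settings and, with `-Restore`, sets them so that hidden files, file extensions and protected operating-system files are shown again, which is the state an investigator wants while cleaning up. The restore values for `Hidden` (1), `HideFileExt` (0) and `ShowSuperHidden` (1) are Explorer's documented "show" settings; the restore value of 1 for `SuperHidden` is an assumption of this example. Because the key lives under HKCU, run it once in each affected user's session.

```powershell
# Added example: detect and optionally undo the Explorer view settings the worm writes.
param([switch]$Restore)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# value name -> @(data the worm writes, data to restore)
# Restore values: Hidden=1 show hidden files, HideFileExt=0 show extensions,
# ShowSuperHidden=1 show protected OS files. SuperHidden=1 is assumed here to
# be the "show" setting for that older value name.
$settings = [ordered]@{
    'Hidden'          = @(2, 1)
    'HideFileExt'     = @(1, 0)
    'ShowSuperHidden' = @(0, 1)
    'SuperHidden'     = @(0, 1)
}

if (-not (Test-Path $key)) { "Key not found: $key"; return }
$props    = Get-ItemProperty -Path $key
$tampered = 0

foreach ($name in $settings.Keys) {
    $current = $props.$name
    if ($null -eq $current) { "$name : not set"; continue }
    if ([int]$current -eq $settings[$name][0]) {
        $tampered++
        "$name = $current  <-- matches the Autorun.WT setting"
        if ($Restore) {
            Set-ItemProperty -Path $key -Name $name -Value $settings[$name][1] -Type DWord
            "$name restored to $($settings[$name][1])"
        }
    } else {
        "$name = $current"
    }
}

if ($tampered -eq 0) { 'Explorer view settings do not match the worm payload.' }
elseif (-not $Restore) { "$tampered value(s) match the worm payload; rerun with -Restore to revert them." }
```

Explorer re-reads these values when a window is refreshed or a new one is opened, so no restart is needed after `-Restore`; the values alone are not proof of infection, since a user can legitimately choose the same settings, which is why the script reports rather than acting without the switch.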
Terminate processes
This worm may terminate the following processes, if found running in memory:
- taskmgr.exe - Windows Task Manager
- regedit.exe - Windows Registry Editor
- cmd.exe - Windows command prompt
Analysis by Wei Li