Worm:Win32/Autorun.XK is a worm that spreads via removable drives. The worm also gathers system information and sends it to a remote attacker.
Installation
When executed, the worm copies itself to the system directory using one of the following names:
- ctfuon.exe
- csrcs.exe
- <6 random letters>.exe
where <6 random letters> can be any string of letters, for example:
- zjbeyh.exe
- bnbhqy.exe
- bddiwv.exe
When executed, the worm modifies the registry in order to execute at Windows start:
Adds value: "<name>"
With data: "<system>\<name>.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<name>"
With data: "<system>\<name>.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Adds value: "<name>="
With data: "<system>\<name>.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Note: "<name>" refers to the name of the file, without the extension. For example:
Adds value: "zjbeyh"
With data: "<system>\zjbeyh.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via…
Removable drives
Worm:Win32/Autorun.XK copies itself to removable drives using the filename csrcs.exe. Worm:Win32/Autorun.XK then writes an autorun configuration file named 'autorun.inf' that points to its copy. When the removable drive is accessed from another computer that supports the Autorun feature, the malware is launched automatically.
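The autorun.inf the worm drops is an INI-style file whose [autorun] section names what Windows should launch when the drive is opened. The parser below (an added example, not code from the write-up or from Microsoft) reads such a file and reports any launch entry (open=, shellexecute=, or a shell\<verb>\command= entry) whose executable is csrcs.exe, the filename the write-up gives for the worm's copy. The sample autorun.inf contents and the benign comparison file are constructed for the example; the key list in LAUNCH_KEYS is an assumption about which [autorun] keys a responder should treat as launch actions.

```python
import configparser
import re

# Constructed sample of an autorun.inf of the kind the write-up describes: every
# launch action in the [autorun] section points at the worm's copy on the drive.
SAMPLE_AUTORUN_INF = """[autorun]
open=csrcs.exe
shell\\open\\Command=csrcs.exe
shellexecute=csrcs.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign autorun.inf: sets an icon and label, launches nothing.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Installer
"""

# Filename the write-up associates with the worm's copy on removable drives.
KNOWN_DROPPER_NAMES = {"csrcs.exe"}

# [autorun] keys whose value is launched directly (assumed set of launch keys).
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict of lowercase key -> value.
    RawConfigParser is used so '%' in values is not interpolated, and
    strict=False tolerates the duplicate keys often seen in dropped files."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str.lower
    parser.read_string(text)
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))


def launched_targets(autorun):
    """Collect every value Windows would launch: open=, shellexecute=, and any
    shell\\<verb>\\command= entry (keys are already lowercased by the parser)."""
    targets = []
    for key, value in autorun.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            targets.append(value.strip())
    return targets


def suspicious_autorun_entries(text):
    """Return the launch targets whose executable basename is a known dropper name."""
    hits = []
    for target in launched_targets(parse_autorun_inf(text)):
        if not target:
            continue
        # The target may carry arguments or a relative path; compare the basename only.
        exe = re.split(r"[\\/]", target.split()[0])[-1].lower()
        if exe in KNOWN_DROPPER_NAMES:
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("worm sample :", suspicious_autorun_entries(SAMPLE_AUTORUN_INF))
    print("benign file :", suspicious_autorun_entries(BENIGN_AUTORUN_INF))
```

Matching on the basename rather than the whole value keeps the check useful when the dropped file is referenced with a relative path or trailing arguments; a responder scanning a mounted drive would feed each autorun.inf found at a drive root through suspicious_autorun_entries and quarantine the named file rather than opening the drive through Explorer.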
Payload
Modifies system security settings
The following registry key is modified in order to add the worm to the list of applications authorized to bypass the Windows Firewall and access the Internet:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
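The persistence entries listed under Installation and the firewall authorization above share one shape: a value whose data is <system>\<name>.exe with <name> being ctfuon, csrcs or six letters. The scanner below (an added example, not code from the write-up or from Microsoft) takes registry records as (subkey, value name, data) tuples, as a responder would read them live or from a .reg export, and flags those that match. The system directory, the sample records and the ctfmon allowlist are constructed for the example; the AuthorizedApplications data format '<path>:*:Enabled:<label>' is assumed from how the XP-era firewall stores that list and is not stated on the page.

```python
import re

# Persistence subkeys named in the write-up (all under HKLM; the hive prefix is
# dropped so records from a live read or a .reg export look the same).
RUN_SUBKEYS = {
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
}
FIREWALL_LIST_SUBKEY = (
    r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

# Assumed system directory; on a live host derive it from %SystemRoot% instead.
SYSTEM_DIR = r"c:\windows\system32"

# Fixed names from the write-up plus the "<6 random letters>.exe" pattern.
NAME_RE = re.compile(r"^(ctfuon|csrcs|[a-z]{6})$")
# Legitimate six-letter binaries in the system directory that the random-name
# pattern would otherwise match; extend this for your environment.
ALLOWLIST = {"ctfmon"}


def is_worm_style_path(path):
    """True when path is <system>\\<name>.exe with <name> matching the write-up's naming."""
    path = path.strip().strip('"').lower()
    directory, _, filename = path.rpartition("\\")
    if directory != SYSTEM_DIR or not filename.endswith(".exe"):
        return False
    base = filename[:-4]
    return base not in ALLOWLIST and NAME_RE.match(base) is not None


def check_run_value(subkey, name, data):
    """Flag a Run-style value whose data is a worm-style path. The write-up's pattern
    is value "<name>" with data "<system>\\<name>.exe"; the policies\\Explorer\\Run
    entry is shown with a trailing '=' in the value name, so that is stripped."""
    if subkey not in RUN_SUBKEYS or not is_worm_style_path(data):
        return None
    base = data.strip().strip('"').lower().rpartition("\\")[2][:-4]
    note = " (value name matches file name)" if name.lower().rstrip("=") == base else ""
    return f"{subkey}\\{name} -> {data}{note}"


def check_firewall_value(subkey, name, data):
    """Flag an AuthorizedApplications entry for a worm-style path. Assumed format:
    the value name is the executable path and the data is '<path>:*:Enabled:<label>'."""
    if subkey != FIREWALL_LIST_SUBKEY or not is_worm_style_path(name):
        return None
    state = "Enabled" if ":*:Enabled:" in data else "not enabled"
    return f"{subkey}\\{name} ({state})"


def scan(records):
    """records: iterable of (subkey, value_name, data). Returns a list of findings."""
    findings = []
    for subkey, name, data in records:
        hit = check_run_value(subkey, name, data) or check_firewall_value(subkey, name, data)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample records: the write-up's zjbeyh example plus benign entries.
SAMPLE_RECORDS = [
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "zjbeyh",
     r"C:\WINDOWS\system32\zjbeyh.exe"),
    (r"Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "zjbeyh=",
     r"C:\WINDOWS\system32\zjbeyh.exe"),
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Program Files\Vendor\updater.exe"),
    (FIREWALL_LIST_SUBKEY, r"C:\WINDOWS\system32\zjbeyh.exe",
     r"C:\WINDOWS\system32\zjbeyh.exe:*:Enabled:zjbeyh"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The six-letter pattern is deliberately loose, so the allowlist matters: ctfmon.exe is a legitimate six-letter binary in the system directory and would be reported without it. Treat a hit as a triage signal to be confirmed by hashing the referenced file and checking its signature, and note that the firewall check reports the entry whether or not it is enabled, since the presence of the path in that list is itself the indicator.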
Terminates processes
The worm attempts to terminate the following processes:
TeaTimer.exe
cmd.exe
net.exe
Obtains system information
Worm:Win32/Autorun.XK attempts to obtain various system information, then send it to a remote attacker.
The worm may attempt to contact the following remote hosts:
http://www.whatismyip.com
http://checkip.dyndns.org
http://wre.extasix.com
http://geoloc.daiguo.com
Additional information
From our observations, the worm did not appear to function as it intended.
Worm:Win32/Autorun.XK creates the following key for its own purposes:
HKLM\Software\Microsoft\DRM\amty
Analysis by Matt McCormack