Worm:Win32/Doyoink.A is a worm that spreads via removable drives and attempts to restart the computer when the affected user opens a command prompt.
Installation
When the worm is first executed, it displays a message window.
The worm creates the following files with file attributes 'read-only', 'system' and 'hidden', in the Windows folder:
- %windir%\Auto.exe - copy of the worm
- %windir%\pc-off.bat - batch script, used by worm to restart computer
The registry is modified to run the worm at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "userinit.exe <Win32/Doyoink.A executable>"
Note: <Win32/Doyoink.A executable> refers to the file name of the worm copy that is running.
The worm creates the following registry data as a marker to identify whether the worm is already installed:
In subkey: HKCU\Software\DONARD
Sets value: "" (the key's default value)
With data: "<Yahoo! email address, account 'donardsinay'>"
Spreads via…
Removable drives
The worm drops a copy of itself to the root of any removable drive other than those assigned drive letters A: or B:, as the following:
<drive:>\Auto.exe
The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer that honours the Autorun feature for removable drives, the worm is launched automatically. Note that Windows 7 and later, and earlier versions with update KB971029 applied, no longer process autorun.inf on non-optical removable drives, so this spreading vector only works against older, unpatched systems.
Payload
Modifies system settings
The worm modifies registry data so that Windows Explorer does not display files with the 'hidden' or 'system' attributes and hides the extensions of known file types. These are also the Windows default values, so the change mainly undoes a user's choice to show hidden files and extensions (which would otherwise expose the dropped Auto.exe and pc-off.bat).
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
Sets value: "ShowSuperHidden"
With data: "0"
Sets value: "HideFileExt"
With data: "1"
Restarts Windows
The worm modifies the registry so that cmd.exe runs the previously dropped batch script "pc-off.bat" whenever the affected user opens a command prompt (cmd.exe executes the Command Processor "AutoRun" value every time it starts, unless it is started with the /D switch).
In subkey: HKCU\Software\Microsoft\Command Processor
Sets value: "autorun"
With data: "%windir%\pc-off.bat"
The batch script restarts Windows.
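As an added triage example (not part of the original analysis), the following PowerShell script checks a Windows host for the indicators described above: the Userinit hijack, the HKCU\Software\DONARD marker, the Explorer view settings, the cmd.exe AutoRun hook, the dropped files in %windir%, and a worm copy plus autorun.inf on removable drives. It only reports; it removes nothing. The expected clean Userinit value ("<system32>\userinit.exe,") and the autorun.inf key names it searches for are assumptions based on standard Windows behaviour, not on the worm's code.

```powershell
# Added example: read-only triage for Worm:Win32/Doyoink.A indicators.
# Assumptions (not from the original analysis): the clean Userinit value is
# "<SystemRoot>\system32\userinit.exe," and autorun.inf launches via
# open=, shellexecute= or shell\<verb>\command= keys.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [scriptblock]$IsSuspicious, [string]$Label)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $value = $item.$Name
    if (& $IsSuspicious $value) {
        $findings.Add("$Label`: $Path\$Name = '$value'")
    }
}

# 1. Persistence: anything beyond the stock userinit.exe entry is suspicious.
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit' `
    { param($v) ([string]$v).Trim() -ine $expectedUserinit } 'Userinit hijacked'

# 2. Infection marker: the DONARD key and its default value.
if (Test-Path 'HKCU:\Software\DONARD') {
    $marker = (Get-ItemProperty 'HKCU:\Software\DONARD' -ErrorAction SilentlyContinue).'(default)'
    $findings.Add("Infection marker present: HKCU\Software\DONARD (default = '$marker')")
}

# 3. Explorer view settings. These equal the Windows defaults, so they are only
#    supporting evidence, useful when the user is known to have changed them.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Test-RegValue $adv 'Hidden'          { param($v) $v -eq 2 } 'Hidden files not shown (also default)'
Test-RegValue $adv 'ShowSuperHidden' { param($v) $v -eq 0 } 'Protected OS files not shown (also default)'
Test-RegValue $adv 'HideFileExt'     { param($v) $v -eq 1 } 'Extensions hidden (also default)'

# 4. cmd.exe AutoRun hook. cmd.exe honours both hives, so check both.
foreach ($hive in 'HKLM', 'HKCU') {
    Test-RegValue "$hive`:\Software\Microsoft\Command Processor" 'AutoRun' `
        { param($v) -not [string]::IsNullOrWhiteSpace([string]$v) } 'cmd.exe AutoRun set'
}

# 5. Dropped files in %windir% (read-only/system/hidden, so -Force is required).
foreach ($name in 'Auto.exe', 'pc-off.bat') {
    $p = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $p) {
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        $findings.Add("Dropped file present: $p [$attr]")
    }
}

# 6. Removable drives (DriveType 2): worm copy and an autorun.inf that runs it.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $exe  = Join-Path $root 'Auto.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $exe) { $findings.Add("Worm copy on removable drive: $exe") }
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?im)^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=.*auto\.exe') {
            $findings.Add("autorun.inf on $($_.DeviceID) launches Auto.exe")
        }
    }
}

if ($findings.Count -eq 0) { 'No Doyoink.A indicators found.' } else { $findings }
```

Run it from an elevated Windows PowerShell prompt so the HKLM and %windir% checks are not blocked by access rights. If the AutoRun value is present, open any further command prompts with `cmd.exe /D` during cleanup so the batch script does not reboot the machine mid-investigation, and export the Winlogon key before editing Userinit, because a mistyped value there locks every user out of the desktop at next logon.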
Analysis by Michael Johnson