Worm:Win32/Renocide.V is a worm that copies itself to removable drives and network shares as a randomly named file, and may communicate with remote servers.
Installation
When run, this worm drops the following files:
- <system folder>\csrcs.exe - copy of Worm:Win32/Renocide.V
- <system folder>\autorun.inf - autorun configuration file, detected as VirTool:INF/Autorun.gen!P
- %temp%\suicide.bat - batch script used to delete the initial copy of the worm after execution
The registry is modified to run the worm copy at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "csrcs"
With data: "<system folder>\csrcs.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe csrcs.exe"
Note: the original data value is "explorer.exe"; the worm appends csrcs.exe so that its copy is started together with the Windows shell.
Spreads via…
Removable drives and network shares
This worm attempts to copy itself to available removable drives and network shares as a randomly named file, such as:
\uttmhf.exe
The worm then writes an Autorun configuration file named "\autorun.inf" pointing to the worm copy. When the drive is accessed from a computer on which the Autorun feature is enabled, the worm is launched automatically.
Payload
Changes Windows settings
This worm modifies registry data to change how hidden files are viewed (a "Hidden" value of 2 means Windows Explorer does not show hidden files and folders).
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
Communicates with remote servers
This worm communicates with the following remote servers to identify the IP address of the infected computer and may attempt to download arbitrary files:
mosceyxh.dip.jp
www.whatismyip.com
checkip.dyndns.org
flix.flufi403ss.com
utic.c0afdone.com
Additional information
The worm creates additional registry data.
In subkey: HKLM\Software\Microsoft\DRM\amty
Sets value: "ilop"
With data: "1"
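The registry changes listed above (Winlogon Shell hijack, the policies\Explorer\Run entry, the Hidden setting and the DRM\amty\ilop value) can be checked offline against a registry export. The following is an added example, not part of this description: it parses a constructed .reg-style text and reports which of the described artefacts are present; the sample export and the file path in the Run entry are assumptions made for the demonstration.

```python
import re

# Constructed sample shaped like a .reg export (not a real capture); values mirror the description above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe csrcs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"csrcs"="C:\\Windows\\system32\\csrcs.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty]
"ilop"="1"
"""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
MARKER = r"hkey_local_machine\software\microsoft\drm\amty"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(.+?)"=(.+)$')

def parse_reg_export(text):
    """Return {(key, name): value} for REG_SZ and REG_DWORD lines; keys and names lower-cased."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            key = m.group(1).lower()
        elif key and (m := _VAL_RE.match(line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                values[(key, name)] = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            elif data.lower().startswith("dword:"):
                values[(key, name)] = int(data[6:], 16)
    return values

def find_renocide_indicators(values):
    """List the persistence artefacts and registry values described for Renocide.V that appear in the export."""
    findings = []
    shell = values.get((WINLOGON, "shell"))
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered from 'explorer.exe': {shell!r}")  # extra program appended
    if (run := values.get((POLICY_RUN, "csrcs"))) is not None:
        findings.append(f"policies\\Explorer\\Run value 'csrcs' -> {run!r}")
    if values.get((MARKER, "ilop")) == "1":
        findings.append("additional value HKLM\\Software\\Microsoft\\DRM\\amty\\ilop = 1 present")
    # Hidden=2 (do not show hidden files) is also a common default, so report it only alongside stronger hits.
    if findings and values.get((ADVANCED, "hidden")) == 2:
        findings.append("Explorer\\Advanced\\Hidden = 2 (hidden files not displayed)")
    return findings
```

On a live system the same checks apply to the output of `reg export` for the four keys; an unmodified machine yields an empty list.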
Analysis by Tim Liu