Worm:Win32/Renocide.gen!F is the detection for an AutoIt script that spreads itself to removable drives and network shares and downloads additional files from a remote server.
Installation
Worm:Win32/Renocide.gen!F copies itself as the following file with 'hidden', 'system' and 'read-only' attributes:
<system folder>\csrcs.exe
The registry is modified to run the worm copy at each Windows start.
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "csrcs"
With data: "<system folder>\csrcs.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe csrcs.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Sets value: "csrcs"
With data: "<system folder>\csrcs.exe"
Worm:Win32/Renocide.gen!F drops two obfuscated data files, both with 'hidden', 'system' and 'read-only' attributes:
<system folder>\autorun.in
<system folder>\autorun.i
The worm uses these files as backup copies of "autorun.inf" when spreading to removable and network drives.
Spreads via…
Removable drives and network shares
Worm:Win32/Renocide.gen!F spreads by copying itself to the root of all removable drives and network shares as a randomly named executable file, for example, hszhnu.exe, geehhd.exe, ysjzvi.exe, etc.
The worm then copies one of the following files to the root of the drive as an Autorun configuration file named "\autorun.inf" that points to the worm copy:
<system folder>\autorun.in
<system folder>\autorun.i
When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Modify Windows Explorer settings
To hide itself from view, Worm:Win32/Renocide.gen!F modifies registry data so that Windows Explorer does not display files with 'hidden' and 'system' attributes.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "Hidden"
With data: "2"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Adds value: "CheckedValue"
With data: "1"
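The following PowerShell script is an added host-triage example written for this entry; it is not part of the original analysis and not code from the malware author. It reads the indicators described in the Installation section (the csrcs.exe copy, the autorun.in/autorun.i data files, the three autostart locations and the Winlogon "Shell" value), the Spreads via section (an autorun.inf at the root of removable or network drives and the executable it points to) and the Payload section (the Explorer hidden-file settings), and reports what it finds without changing anything. The function names Invoke-RenocideTriage and Test-RegistryIndicator are assumed names chosen for the example; the DriveType codes 2 (removable) and 4 (network) are the documented Win32_LogicalDisk values, and "Hidden" = 2 is the Explorer setting for "Do not show hidden files and folders".

```powershell
# Added triage example for the indicators on this page (hypothetical helper names).
# Read-only: every check reports a finding object and nothing is modified or deleted.

function Test-RegistryIndicator {
    param([string]$Path, [string]$Name)
    # Returns the value data, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, [string]$Where, [string]$Finding)
    [pscustomobject]@{ Check = $Check; Where = $Where; Finding = $Finding }
}

function Invoke-RenocideTriage {
    $findings = New-Object System.Collections.Generic.List[object]
    $sys = [Environment]::GetFolderPath('System')   # the <system folder>, normally C:\Windows\System32

    # 1. Files dropped into the system folder (Installation section). -Force is needed
    #    because the worm sets the hidden and system attributes on them.
    foreach ($name in 'csrcs.exe', 'autorun.in', 'autorun.i') {
        $p = Join-Path $sys $name
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($f) { $findings.Add((New-Finding 'DroppedFile' $p "present, attributes: $($f.Attributes)")) }
    }

    # 2. Autostart entries named "csrcs" (Installation section).
    $autostart = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $autostart) {
        $data = Test-RegistryIndicator -Path $key -Name 'csrcs'
        if ($null -ne $data) { $findings.Add((New-Finding 'Autostart' "$key\csrcs" $data)) }
    }
    # Winlogon "Shell" should be exactly "explorer.exe"; the worm appends its own file name.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Test-RegistryIndicator -Path $winlogon -Name 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add((New-Finding 'WinlogonShell' "$winlogon\Shell" $shell))
    }

    # 3. Explorer hidden-file settings (Payload section). Hidden = 2 conceals hidden files;
    #    CheckedValue is reported together with its data type so an analyst can review it.
    $advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hidden = Test-RegistryIndicator -Path $advanced -Name 'Hidden'
    if ($hidden -eq 2) { $findings.Add((New-Finding 'ExplorerHidden' "$advanced\Hidden" "$hidden (hidden files concealed)")) }
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $checked = Test-RegistryIndicator -Path $showAll -Name 'CheckedValue'
    if ($null -ne $checked) {
        $kind = (Get-Item -Path $showAll).GetValueKind('CheckedValue')
        $findings.Add((New-Finding 'ShowAllCheckedValue' "$showAll\CheckedValue" "$checked ($kind)"))
    }

    # 4. autorun.inf at the root of removable (2) and network (4) drives (Spreads via section).
    #    The open=/shellexecute= lines name the file that Autorun would launch.
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 }
    foreach ($d in $drives) {
        $inf = Join-Path "$($d.DeviceID)\" 'autorun.inf'
        $file = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        if ($file) {
            $targets = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' }
            $findings.Add((New-Finding 'AutorunInf' $inf ($targets -join '; ')))
        }
    }
    return $findings
}

# Usage: run from an elevated prompt so HKLM and the system folder are readable.
Invoke-RenocideTriage | Format-Table -AutoSize
```

An empty result means none of the page's indicators were found on this host; any row is a lead for a closer look, not proof of infection on its own, since a legitimate autorun.inf on a network share or a deliberately changed "Hidden" setting will also appear. Reading the files with -Force and resolving the registry values directly avoids being misled by the Explorer settings the worm changes, which is the point of the Payload section.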
Contacts a remote server
Worm:Win32/Renocide.gen!F attempts to connect to the domain "www.whatismyip.com" to identify the affected computer's public IP address.
Additional Information
The worm may create the following registry data:
In subkey: HKLM\Software\Microsoft\DRM\amty
Adds value: "ilop"
With data: "1"
Analysis by Wei Li