Analysis by: Sabrina Lei Sioting
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 03 Aug 2011

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System Root%\RECYCLER\S-1-5-21-1027092746-4151678385-811904757-8524\MsMxEng.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following file(s)/component(s):

  • %System Root%\RECYCLER\S-1-5-21-1027092746-4151678385-811904757-8524\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

  • %System Root%\RECYCLER\S-1-5-21-1027092746-4151678385-811904757-8524

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%System Root%\RECYCLER\S-1-5-21-1027092746-4151678385-811904757-8524\MsMxEng.exe"

Propagation

This worm creates the following folders in all removable drives:

  • USBSEC

It drops the following copy(ies) of itself in all removable drives:

  • USBSEC\gtk.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage}
[autorun
;{garbage}
open=USBSEC/gtk.exe
;{garbage}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{garbage}
action=Open folder to view files using Windows Explorer
;{garbage}
shell\open\\command=USBSEC/gtk.exe
;{garbage}
shell\\explore\command=USBSEC/gtk.exe
;{garbage}
useautoplay=1
;{garbage}