AUTORUN


 ALIASES:

Fujacks

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via network shares, Propagates via removable drives, Downloaded from the Internet, Dropped by other malware, Infects files


AUTORUN is a family of worms that propagates through physical, removable and network drives and leaves a file named AUTORUN.INF. This file is used to automatically execute the malware each time the infected drive is accessed.

Variants of AUTORUN are also capable of downloading other malware, compromising the affected computer's security by way of having backdoor routines, and disabling security related applications or services by way of process termination.

Some AUTORUN variants are known as FUJACKS. These variants are file infectors that spread using the same AUTORUN propagation methods, and it also infects certain file types as additional means of spreading.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Terminates processes

Installation

This worm drops the following files:

  • %System Root%\go.sys
  • %Program Files%\WinRAR\myrar.txt
  • {drive letter}:\autorun.inf

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops the following copies of itself into the affected system:

  • %System%\drivers\TXPlatform.exe
  • %System%\secpol.exe
  • %System%\wuauc1t.exe
  • %System%\SVSH0ST.EXE
  • %System%\c0n1me.exe
  • {drive letter}:\¡¡¡¡¡¡.exe
  • {drive letter}:\UFO.exe
  • {drive letter}:\ explorer.exe
  • {drive letter}:\niu.exe
  • {drive letter}:\MSDOS.PIF
  • {shared folder}\ Cool_GameSetup.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Explorer = "%System%\drivers\TXPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
svchost = "%System%\SVSH0ST.EXE"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%System%\secpol.exe,"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\xx931

It adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}
Debugger = "ntsd -d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}
Debugger = "%System%\c0n1me.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\xx931
Userinit = "%System%\userinit.exe,%System%\secpol.exe,"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
WindowsUpdate
DisableWindowsUpdateAccess = "1"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Internet Explorer\Control Panel
HomePage = "1"

It modifies the following registry entries:

HKEY_CLASSES_ROOT\HTTP\shell\
open\command
{default} = ""%Program Files%\InternetExplorer\iexplore.exe" -nohome"

(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
HTTP\shell\open\
command
{default} = ""%Program Files%\InternetExplorer\iexplore.exe" -nohome"

(Note: The default value data of the said registry entry is "%Program Files%\Internet Explorer\iexplore.exe" -nohome.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = "80"

(Note: The default value data of the said registry entry is 91.)

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "3"

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_WSCSVC

Where {application name} may be any of the following:

  • 360Safe.exe
  • 360rpt.EXE
  • 360safe.EXE
  • 360tray.EXE
  • 360tray.exe
  • ANTIARP.EXE
  • AVP.EXE
  • AVP.exe
  • Ast.EXE
  • AutoRunKiller.EXE
  • AvMonitor.EXE
  • CCenter.EXE
  • CCenter.exe
  • Frameworkservice.EXE
  • GFUpd.EXE
  • GuardField.EXE
  • IceSword.EXE
  • Iparmor.EXE
  • KASARP.EXE
  • KRegEx.EXE
  • KVMonxp.kxp
  • KVSrvXP.EXE
  • KVWSC.EXE
  • Mmsk.EXE
  • Navapsvc.EXE
  • Nod32kui.EXE
  • RAS.EXE
  • RavMon.exe
  • RavMonD.exe
  • RavStub.exe
  • RavTask.exe
  • Regedit.EXE
  • Runiep.EXE
  • VPC32.EXE
  • VPTRAY.EXE
  • WOPTILITIES.EXE
  • Wuauclt.EXE
  • ~.EXE

Other Details

This worm connects to the following possibly malicious URL:

  • http://www.{BLOCKED}g08.com/down/down.txt
  • http://{BLOCKED}m.com/2005/p/21yjxm.com/1907/jp/logip.php
  • http://{BLOCKED}o.com.com/TJ.asp
  • http://{BLOCKED}o.com/xia.exe
  • http://{BLOCKED}o.com/wangma.exe
  • http://2.{BLOCKED}8.com/dd/1.exe
  • http://2.{BLOCKED}8.com/dd/10.exe
  • http://2.{BLOCKED}8.com/dd/11.exe
  • http://2.{BLOCKED}8.com/dd/12.exe
  • http://2.{BLOCKED}8.com/dd/13.exe
  • http://2.{BLOCKED}8.com/dd/14.exe
  • http://2.{BLOCKED}8.com/dd/15.exe
  • http://2.{BLOCKED}8.com/dd/16.exe
  • http://2.{BLOCKED}8.com/dd/17.exe
  • http://2.{BLOCKED}8.com/dd/2.exe
  • http://2.{BLOCKED}8.com/dd/3.exe
  • http://2.{BLOCKED}8.com/dd/4.exe
  • http://2.{BLOCKED}8.com/dd/5.exe
  • http://2.{BLOCKED}8.com/dd/6.exe
  • http://2.{BLOCKED}8.com/dd/7.exe
  • http://2.{BLOCKED}8.com/dd/8.exe
  • http://2.{BLOCKED}8.com/dd/9.exe
  • http://2.{BLOCKED}8.com/dd/ar.exe
  • http://2.{BLOCKED}8.com/dd/do.exe
  • http://2.{BLOCKED}8.com/dd/gz.exe
  • http://2.{BLOCKED}8.com/dd/self.gif