WORM_UTOTI


 ALIASES:

Renocide, Autoit, Imaut, Harakit, AutoRun, Otran

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives, Downloaded from the Internet


UTOTI malware spreads to other computers via removable drives. Its name derives from AutoIt, the scripting language and compiler used to build its variants.

This family of worms has backdoor routines. It connects to its C&C server to receive commands from its operators. Among the commands it can execute on an infected machine are:

  • Copy files

  • Delete files

  • Download files

  • List MSN Live contacts

  • List and terminate processes

  • Scan for IP addresses within the network

  TECHNICAL DETAILS

Payload:

Compromises system security

Installation

This worm drops the following files:

  • %System Root%\khq
  • %System%\autorun.inf
  • %System%\cftm.exe
  • %User Temp%\suicide.bat
  • {drive letter}:\khq
  • {drive letter}:\autorun.inf

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System%\7883290.exe
  • %System%\csrcs.exe
  • {drive letter}:\{random}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe csrcs.exe"

(Note: The default value data of the said registry entry is Explorer.exe. Every program listed in this value is launched at logon, so csrcs.exe is started alongside the Windows desktop shell.)

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
dreg = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
eggol = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
exp1 = "{hex values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
fix1 = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
ilop = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DRM\amty
regexp = "{numbers}"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
SuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is 1.)
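The dropped files and registry changes listed above are the indicators a responder would sweep a host for. The following script is an added example (not Trend Micro's code) that encodes them as checks: it runs against a snapshot built from the host (registry values as a {key: {name: data}} dictionary, a list of file paths, and the text of a drive-root autorun.inf) so that it can be exercised offline; on a live Windows 2000/XP/2003 machine you would fill those structures from `reg query` and `dir /a` output. Because the page cannot name the all-digit %System% copy or the {random}.exe at drive roots, the first is matched by pattern and the second is recovered from the program autorun.inf launches. The sample snapshot and autorun.inf contents at the bottom are constructed for the demo; the page does not give the worm's real autorun.inf.

```python
"""Host triage for the WORM_UTOTI indicators listed above.

Added example, not Trend Micro's code. Works on a snapshot built from
the host so it runs offline; sample data at the bottom is constructed.
"""
import configparser
import re
from typing import Dict, List

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DRM_AMTY = r"HKLM\SOFTWARE\Microsoft\DRM\amty"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
AMTY_VALUES = {"dreg", "eggol", "exp1", "fix", "fix1", "ilop", "regexp"}

# Dropped names from the page, lower-cased. The all-digit %System% copy
# (7883290.exe) is matched by pattern; the {random}.exe at a drive root
# cannot be named, so it is recovered from what autorun.inf launches.
SYSTEM_DROPS = {"autorun.inf", "cftm.exe", "csrcs.exe"}
TEMP_DROPS = {"suicide.bat"}
NUMERIC_EXE = re.compile(r"^\d+\.exe$")
DRIVE_ROOT = re.compile(r"^[a-z]:\\([^\\]+)$")   # covers %System Root%\khq too


def check_registry(reg: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    shell = reg.get(WINLOGON, {}).get("Shell", "Explorer.exe")
    # Default data is exactly "Explorer.exe"; every extra token is another
    # program started at logon, so report the tokens rather than the string.
    extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
    if extra:
        findings.append(f"Winlogon Shell starts extra program(s): {extra}")
    amty = reg.get(DRM_AMTY)
    if amty is not None:
        hits = sorted(AMTY_VALUES & set(amty))
        findings.append(f"DRM\\amty marker key present, known values: {hits}")
    adv = reg.get(ADVANCED, {})
    if adv.get("Hidden") == "2":
        findings.append("Explorer set to hide hidden files (Hidden=2)")
    if adv.get("ShowSuperHidden") == "0" or adv.get("SuperHidden") == "0":
        findings.append("Explorer set to hide protected OS files")
    return findings


def check_files(paths: List[str], system: str, user_temp: str) -> List[str]:
    findings = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        folder, _, name = low.rpartition("\\")
        if folder == system.lower() and (name in SYSTEM_DROPS or NUMERIC_EXE.match(name)):
            findings.append(f"dropped file in %System%: {p}")
        elif folder == user_temp.lower() and name in TEMP_DROPS:
            findings.append(f"dropped file in %User Temp%: {p}")
        else:
            m = DRIVE_ROOT.match(low)
            if m and m.group(1) in ("khq", "autorun.inf"):
                findings.append(f"drop at drive root: {p}")
    return findings


def autorun_targets(text: str) -> List[str]:
    """Programs an autorun.inf launches (open=, shellexecute=,
    shell\\<verb>\\command=): this is how the {random}.exe copy is located."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    sect = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if sect is None:
        return []
    out: List[str] = []
    for key, val in cp.items(sect):
        launcher = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launcher and val.strip() not in out:
            out.append(val.strip())
    return out


def triage(reg, files, autorun_text, system, user_temp) -> List[str]:
    findings = check_registry(reg) + check_files(files, system, user_temp)
    for target in autorun_targets(autorun_text):
        findings.append(f"autorun.inf launches: {target}")
    return findings


# Constructed sample snapshot modelled on the page's indicators.
SAMPLE_REG = {
    WINLOGON: {"Shell": "Explorer.exe csrcs.exe"},
    DRM_AMTY: {"dreg": "00 01 02", "fix1": "1", "ilop": "1"},
    ADVANCED: {"Hidden": "2", "ShowSuperHidden": "0"},
}
SAMPLE_SYSTEM = r"C:\WINDOWS\system32"
SAMPLE_TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\csrcs.exe", r"C:\WINDOWS\system32\7883290.exe",
    r"C:\WINDOWS\system32\notepad.exe", r"E:\khq", r"E:\autorun.inf",
    SAMPLE_TEMP + r"\suicide.bat",
]
# Constructed autorun.inf; the page does not give the worm's real contents.
SAMPLE_AUTORUN = "[autorun]\nopen=x7q2.exe\nshell\\open\\command=x7q2.exe\n"

if __name__ == "__main__":
    for line in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_AUTORUN, SAMPLE_SYSTEM, SAMPLE_TEMP):
        print(line)
```

The Winlogon check deliberately reports any token other than Explorer.exe rather than the literal "Explorer.exe csrcs.exe", so a variant that renames its copy is still caught; the Explorer\Advanced checks are weak on their own (users change those options too) and are most useful alongside the DRM\amty marker key or a dropped file.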

Other Details

This worm connects to the following possibly malicious URLs:

  • http://{BLOCKED}.{BLOCKED}.19.236:7358/xDIUYSDFIGU876SXCGHSD54G6SD.php
  • http://{BLOCKED}.{BLOCKED}.19.236:88/xxxxxFD65456DF4Y9876554DFH34DF654H64RY897.php
  • http://{BLOCKED}.{BLOCKED}.19.237:4900/xx76ZXC86ASDRTUT5234SDG8635.php
  • http://{BLOCKED}.{BLOCKED}.19.237:5200/536314S17IY17XX8613NWFRNASRS/Q(999).da
  • http://{BLOCKED}.{BLOCKED}.19.238:4600/xDIUYSDFIGU876SXCGHSD54G6SD.php
  • http://{BLOCKED}.{BLOCKED}.19.238:4800/526314O17CV17RQ274YOEGXMXJW/Q(996).da
  • http://{BLOCKED}.{BLOCKED}.19.238:5300/xxxxxFD65456DF4Y9876554DFH34DF654H64RY897.php
  • http://{BLOCKED}.{BLOCKED}.19.238:5400/527914L17MQ17YV8420ENMWXGVPZ/Q(995).da
  • http://cccp.{BLOCKED}m.cx:9348/fm.htm
  • http://geo.{BLOCKED}q.com:6854/yuyo.php
  • http://{BLOCKED}s.dip.jp:6854/pro.gif
  • http://{BLOCKED}s.dip.jp:6854/yuyal.php
  • http://{BLOCKED}t.com/torrents/?iht=4&ihs1=2&age=0
  • http://kiu.{BLOCKED}atama.com:49213/fem.gif
  • http://star.{BLOCKED}atama.com/yuyo.php
  • http://{BLOCKED}bay.org/top/300
  • http://{BLOCKED}bay.se/top/300
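The URL list above is what a responder would sweep proxy logs for, but the page redacts the hostnames and the first two octets of the addresses. The following script is an added example (not Trend Micro's code) that uses only the parts the page shows: the distinctive path names, the /Q(nnn).da download shape, the ports, the visible hostname tails, and the x.x.19.236-238 address shape. A listed path or query string is treated as sufficient on its own; a hostname tail or address shape is counted only together with one of the listed ports, since tails such as q.com and ports such as 88 are far too common alone. The log format ("timestamp client url") and all hosts and addresses in the sample lines are constructed for the demo and are not real indicators.

```python
"""Sweep proxy log lines for the WORM_UTOTI C&C/download URLs above.

Added example, not Trend Micro's code. Patterns use only the unredacted
parts of the page's URL list; sample log lines are constructed.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Paths shown in full on the page (case-sensitive, as listed).
PATHS = {
    "/xDIUYSDFIGU876SXCGHSD54G6SD.php",
    "/xxxxxFD65456DF4Y9876554DFH34DF654H64RY897.php",
    "/xx76ZXC86ASDRTUT5234SDG8635.php",
    "/fm.htm", "/yuyo.php", "/pro.gif", "/yuyal.php", "/fem.gif", "/top/300",
}
# "/<long alnum token>/Q(nnn).da" payload fetches from the 19.23x hosts.
DA_PATH = re.compile(r"^/[A-Z0-9]{20,40}/Q\(\d{3}\)\.da$")
TORRENT_PATH, TORRENT_QUERY = "/torrents/", "iht=4&ihs1=2&age=0"
PORTS = {7358, 88, 4900, 5200, 4600, 4800, 5300, 5400, 9348, 6854, 49213}
HOST_TAILS = ("m.cx", "q.com", "s.dip.jp", "atama.com", "bay.org", "bay.se")
IP_TAIL = re.compile(r"^\d{1,3}\.\d{1,3}\.19\.23[678]$")


def classify_url(url: str) -> List[str]:
    """Reasons a URL matches the indicator list; [] if it does not.

    A listed path or query is enough by itself. A hostname tail or the
    19.23x address shape only counts together with one of the C&C ports.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reasons: List[str] = []
    if u.path in PATHS or DA_PATH.match(u.path):
        reasons.append(f"listed path {u.path}")
    if u.path == TORRENT_PATH and u.query == TORRENT_QUERY:
        reasons.append("listed torrent query string")
    strong = bool(reasons)
    if IP_TAIL.match(host):
        reasons.append(f"address shape x.x.19.23[678]: {host}")
    elif host.endswith(HOST_TAILS):
        reasons.append(f"hostname tail from list: {host}")
    if u.port in PORTS:
        reasons.append(f"C&C port {u.port}")
    # Without a strong hit we need both host-level evidence and a port.
    weak_pair = len(reasons) >= 2
    return reasons if strong or weak_pair else []


# Assumed minimal log shape: "<timestamp> <client ip> <url>".
LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+)$")


def sweep(lines: List[str]) -> Dict[str, List[str]]:
    """Map each client that requested an indicator URL to those URLs."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        m = LINE.match(line.strip())
        if m and classify_url(m["url"]):
            hits.setdefault(m["client"], []).append(m["url"])
    return hits


# Constructed proxy lines; hosts and addresses are invented stand-ins for
# the redacted ones (10.10.19.x is RFC 1918 space) and are not real IOCs.
SAMPLE_LOG = [
    "2011-03-01T10:00:01 10.0.0.5 http://10.10.19.236:7358/xDIUYSDFIGU876SXCGHSD54G6SD.php",
    "2011-03-01T10:00:03 10.0.0.5 http://10.10.19.238:4800/526314O17CV17RQ274YOEGXMXJW/Q(996).da",
    "2011-03-01T10:01:10 10.0.0.9 http://xyzs.dip.jp:6854/yuyal.php",
    "2011-03-01T10:01:12 10.0.0.9 http://www.example.com/index.html",
    "2011-03-01T10:02:00 10.0.0.7 http://kiu.example-atama.com:49213/logo.png",
    "2011-03-01T10:02:05 10.0.0.7 http://intranet.example.com:88/status.php",
    "2011-03-01T10:03:30 10.0.0.11 http://tracker.example.net/torrents/?iht=4&ihs1=2&age=0",
]

if __name__ == "__main__":
    for client, urls in sweep(SAMPLE_LOG).items():
        print(client)
        for url in urls:
            print("   ", url, "->", "; ".join(classify_url(url)))
```

The fifth sample line shows the weaker rule at work: the path is not on the list, but a hostname ending in atama.com on port 49213 is enough to surface the client for a look, while the sixth line (port 88 alone) stays quiet.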