arrow_back
search
close

WORM_OTORUN.XXQJ

June 06, 2015
 Modified by: Jennifer Gumban
 ALIASES:

Worm:Win32/Vobfus (Microsoft); W32/Refroso.AGEA!tr (Fortinet)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

159,744 bytes

File Type:

EXE

Initial Samples Received Date:

20 May 2015

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %User Profile%\{random filename}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • {drive letter}:\Games
  • {drive letter}:\Sexy

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name}.exe = "%User Profile%\{random file name}.exe /{random character}"

It drops the following files:

  • {random filename}.ico
  • x.mpeg

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoUpdate = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

The said .INF file contains the following strings:
{garbage characters}
[autorun]
action={random number}
{garbage characters}
open={random filename}.exe
{garbage characters}
useautoplay=1
{garbage characters}

NOTES:

It also uses the names of existing folders and names of files with the following extensions:

  • mp3
  • avi
  • wma
  • wmv
  • wav
  • mpg
  • mp4
  • doc
  • txt
  • pdf
  • xls
  • jpg
  • jpe
  • bmp
  • gif
  • tif
  • png

This malware drops .LNK files in removable drives that point to a copy of itself. This is done to trick users into clicking the shorcut files and execute the malware copy. These .LNK files use the following file names:

  • Secret Folder.lnk
  • Favourites.lnk
  • Private.lnk
  • Passwords.lnk
  • Movies.lnk
  • Music.lnk
  • Search.lnk
  • Pictures.lnk