WORM_AUTORUN.BWK

 Modified by: Adrianne Chester Camat

 ALIASES:

Worm:Win32/Yuner.A (Microsoft); W32/YahLover.worm (McAfee); W32.Badday.A (Symantec); Worm.Win32.AutoIt.r (Kaspersky); Trojan.Win32.Generic!BT (Sunbelt); Worm:W32/AutoIt.gen!A (FSecure)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives


This worm arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It disables Task Manager, Registry Editor, and Folder Options.

It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

09 Nov 2009

Payload:

Terminates processes

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\{first random characters}.exe
  • %System%\{second random characters}.exe
  • %System%\{third random characters}.exe
  • %System%\{fourth random characters}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{first random characters} = {first random characters}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{second random characters} = {second random characters}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{third random characters} = {third random characters}.exe

Other System Modifications

This worm deletes the following folders:

  • %Program Files%\Kaspersky Internet Security 6.0
  • %Program Files%\Kaspersky Anti-Virus 7.0
  • %Program Files%\Grisoft
  • %Program Files%\Avira
  • %Program Files%\Alwil Software
  • %Program Files%\Accessories\System Tools
  • %Program Files%\Accessories\Paint

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Classes\
CLV.Classes
Com1 = "{firs random characters}"

HKEY_LOCAL_MACHINE\Software\Classes\
CLV.Classes
Com2 = "{second random characters}"

HKEY_LOCAL_MACHINE\Software\Classes\
CLV.Classes
Com3 = "{third random characters}"

HKEY_LOCAL_MACHINE\Software\Classes\
CLV.Classes
Com4 = "{fourth random characters}"

HKEY_LOCAL_MACHINE\Software\Classes\
CLV.Classes
StartCom1 = "{first random character}"

HKEY_LOCAL_MACHINE\Software\Classes\
CLV.Classes
StartCom2 = "{second random characters}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
ShowAll
CheckedValue = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = "145"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
SFCDisable = "-99"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\ComputerName\ComputerName
ComputerName = "VirusBenci"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
Hostname = "VirusBenci"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
NV Hostname = "VirusBenci"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Security Center
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Security Center
FirstRunDisabled = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = "1"

HKEY_CLASSES_ROOT\Software\Classes\
CLV.Classes
Com1 = "{first random characters}"

HKEY_CLASSES_ROOT\Software\Classes\
CLV.Classes
Com2 = "{second random characters}"

HKEY_CLASSES_ROOT\Software\Classes\
CLV.Classes
Com3 = "{third random characters}"

HKEY_CLASSES_ROOT\Software\Classes\
CLV.Classes
Com4 = "{fourth random characters}"

HKEY_CLASSES_ROOT\Software\Classes\
CLV.Classes
StartCom1 = "{first random characters}"

HKEY_CLASSES_ROOT\Software\Classes\
CLV.Classes
StartCom2 = "{second random characters}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
SFCScan = "0"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = "91"

(Note: The default value data of the said registry entry is 91.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
SFCDisable = "ffffff9d"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\ComputerName\ComputerName
ComputerName = "VirusBenci"

(Note: The default value data of the said registry entry is USER00-A898EA5B.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
Hostname = "VirusBenci"

(Note: The default value data of the said registry entry is user00-a898ea5b.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Tcpip\Parameters
NV Hostname = "VirusBenci"

(Note: The default value data of the said registry entry is user00-a898ea5b.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirstRunDisabled = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = "1"

HKEY_CLASSES_ROOT\.bat
{default value} = "txtfile"

(Note: The default value data of the said registry entry is batfile.)

HKEY_CLASSES_ROOT\.wsh
{default value} = "txtfile"

(Note: The default value data of the said registry entry is WSHFile.)

HKEY_CLASSES_ROOT\.wsc
{default value} = "txtfile"

(Note: The default value data of the said registry entry is WSCFile.)

HKEY_CLASSES_ROOT\.wsf
{default value} = "txtfile"

(Note: The default value data of the said registry entry is WSFFile.)

HKEY_CLASSES_ROOT\.reg
{default value} = "txtfile"

(Note: The default value data of the said registry entry is regfile.)

HKEY_CLASSES_ROOT\.vbs
{default value} = "txtfile"

(Note: The default value data of the said registry entry is VBSFile.)

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
AVP =

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\HideFileExt

Propagation

This worm drops copies of itself into all the removable drives connected to an affected system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • avp.exe
  • avgcc.exe
  • avgnt.exe
  • ashDisp.exe
  • cmd.exe

Dropping Routine

This worm drops the following files:

  • %System%\pckhar.exe
  • a:\Word.exe
  • %User Profile%\Templates\winword.doc.exe
  • %User Profile%\Templates\winword2.doc.exe
  • %System%\config\systemprofile\Templates\winword.doc.exe
  • %System%\config\systemprofile\Templates\winword2.doc.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other Details

This worm closes application windows that contain the following strings in the title bar:

  • Kaspersky
  • Anti
  • terminate
  • quarantine
  • protected
  • spy
  • bitdefender
  • nod32
  • print
  • Hex
  • Hack
  • agree
  • guard
  • khar
  • firewall
  • system
  • policy
  • paint
  • antivirus
  • scan
  • update
  • clean
  • autorun
  • emergency
  • print
  • removal
  • tuneup
  • suspend
  • zonealarm
  • Symantec
  • McAfee
  • remove
  • Norton
  • Avast
  • Panda
  • Run
  • system
  • Virus
  • install
  • process
  • setup
  • hijack
  • search
  • kill
  • Task

NOTES:

This worm deletes the following folders:

  • %ProgramFiles%\Grisoft
  • %ProgramFiles%\Avira
  • %ProgramFiles%\Alwil Software

If it fails to delete the aforementioned folders, it attempts to rename them to the following:

  • %ProgramFiles%\Grisoft-=sux=-
  • %ProgramFiles%\Avira-=sux=-
  • %ProgramFiles%\Alwil Software-=sux=-

It searches for all .DOC files in all folders in all drives and renames them to {document file name}.nal and change its attribute to hidden. It then drops a copy of itself as {document file name}.exe to ensure startup of this worm each time the user opens a document file.

It sets the title of every opened notepad to the following:

HeY_BuDdY!!!!!i'm NoT YouR Bro

This worm renames the following files:

  • %System%\msvbvm50.dll to %System%\msvbvm50.{random number}
  • %System%\msvbvm60.dll to %System%\msvbvm60.{random number}

  SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

6.616.02

FIRST VSAPI PATTERN DATE:

10 Nov 2009

VSAPI OPR PATTERN File:

6.617.00

VSAPI OPR PATTERN Date:

10 Nov 2009

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_CLASSES_ROOT\.bat
    • From: @ = "txtfile"
      To: @ = batfile
  • In HKEY_CLASSES_ROOT\.reg
    • From: @ = "txtfile"
      To: @ = regfile
  • In HKEY_CLASSES_ROOT\.vbs
    • From: @ = "txtfile"
      To: @ = VBSFile
  • In HKEY_CLASSES_ROOT\.wsc
    • From: @ = "txtfile"
      To: @ = scriptletfile
  • In HKEY_CLASSES_ROOT\.WSF
    • From: @ = "txtfile"
      To: @ = WSFFile
  • In HKEY_CLASSES_ROOT\.WSH
    • From: @ = "txtfile"
      To: @ = WSHFile
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat
    • From: @ = "txtfile"
      To: @ = batfile
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg
    • From: @ = "txtfile"
      To: @ = regfile
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs
    • From: @ = "txtfile"
      To: @ = VBSFile
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.wsc
    • From: @ = "txtfile"
      To: @ = scriptletfile
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WSF
    • From: @ = "txtfile"
      To: @ = WSFFile
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.WSH
    • From: @ = "txtfile"
      To: @ = WSHFile
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: SFCDisable = "ffffff9d"
      To: SFCDisable = 00000000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
    • From: ComputerName = "VirusBenci"
      To: ComputerName = {Preferred computername}

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • NoDriveTypeAutoRun = 145
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • SFCDisable = -99
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • Hostname = VirusBenci
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    • NV Hostname = VirusBenci
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    • AntiVirusDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    • FirewallDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    • UpdatesDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    • FirstRunDisabled = 1
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    • AntiVirusOverride = 1
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
    • FirewallOverride = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • {first random characters} = {first random characters}.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • {second random characters} = {second random characters}.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • {third random characters} = {third random characters}.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • SFCScan = 0
  • In HKEY_LOCAL_MACHINE\Software\Classes\CLV.Classes
    • Com1 = {first random characters}
  • In HKEY_LOCAL_MACHINE\Software\Classes\CLV.Classes
    • Com2 = {second random characters}
  • In HKEY_LOCAL_MACHINE\Software\Classes\CLV.Classes
    • Com3 = {third random characters}
  • In HKEY_LOCAL_MACHINE\Software\Classes\CLV.Classes
    • Com4 = {fourth random characters}
  • In HKEY_LOCAL_MACHINE\Software\Classes\CLV.Classes
    • StartCom1 = {first random character}
  • In HKEY_LOCAL_MACHINE\Software\Classes\CLV.Classes
    • StartCom2 = {second random characters}
  • In HKEY_CLASSES_ROOT\Software\Classes\CLV.Classes
    • Com1 = {first random characters}
  • In HKEY_CLASSES_ROOT\Software\Classes\CLV.Classes
    • Com2 = {second random characters}
  • In HKEY_CLASSES_ROOT\Software\Classes\CLV.Classes
    • Com3 = {third random characters}
  • In HKEY_CLASSES_ROOT\Software\Classes\CLV.Classes
    • Com4 = {fourth random characters}
  • In HKEY_CLASSES_ROOT\Software\Classes\CLV.Classes
    • StartCom1 = {first random characters}
  • In HKEY_CLASSES_ROOT\Software\Classes\CLV.Classes
    • StartCom2 = {second random characters}

Step 4

Search and delete the files detected as WORM_AUTORUN.BWK

*Note: Some component files may be hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.

To stop the malware/grayware from running when certain files are opened:

For Windows 2000, Windows XP, and Windows Server 2003:

  1. Right-click Start then click Search....
  2. In the Named input box, type the name of the file that was detected earlier.
  3. In the Look In drop-down list, select My Computer then press Enter.
  4. Once located, select the file then press SHIFT+DELETE to delete it.

For Windows Vista and Windows 7:

  1. Click Start>Computer.
  2. In the Search Computer input box, type the name of the file detected earlier, and press Enter.
  3. Once located, select the file then press SHIFT+DELETE to delete it.
    *Note: Read the following Microsoft page if these steps do not work on Windows 7.

Step 5

Scan your computer with your Trend Micro product to delete files detected as WORM_AUTORUN.BWK. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Do the following after Step 1:

  1. Use Trend Micro Rescue Disk to terminate and delete this malware.
  2. Click Start>Run. In the space, copy and paste the following, then press Enter:
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Do the following after Step 2:

Restore Safe Boot Registry Settings

To restore safe boot registry settings:

  1. Open a text editor like Notepad.
  2. Copy and paste the following script:
    • On Windows 2000:
    • On Windows Server 2003:
    • On Windows XP:
    • On Windows Vista:
    • On Windows 7:
  3. Save this file as RESTORE.REG.
  4. Execute the file RESTORE.REG.


Did this description help? Tell us how we did.