Analysis by: Cris Nowell Pantanilla
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This Trojan may be dropped by other malware.

It executes then deletes itself afterward.

  TECHNICAL DETAILS

File Size: 271,227 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 17 Jan 2012

Arrival Details

This Trojan may be dropped by the following malware:

  • TROJ_KRYPTIK.JWO

Installation

This Trojan executes then deletes itself afterward.

NOTES:

It may execute specific files depending on the parameter passed to this malware by other component malware using the following command line:

  • {malware path}\{malware name}.exe {parameter}
Where:
  • Parameter: "a"
    File: {malware path}\asius.bat
  • Parameter: "d"
    File: {malware path}\damd.bat
  • Parameter: "xdc"
    File: {malware path}\xray.bat
  • Parameter: "xpd"
    File: {malware path}\xray.bat
  • Parameter: "xpp"
    File: {malware path}\xray.bat

However, these files are not dropped by the malware itself and may be dropped by other component malware.

It attempts to create the following environmental variables to store its needed information such as its component file directories:

  • pathx=%programfiles%\Windows Media Player\Network Sharing
  • filex=Network Media Update.exe
  • shellx=,Media Network Sharing
  • regx=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • spth1=%windir%\repair\config\
  • spth2=%windir%\nview\config\
  • rgnn1=Network Sharing Media
  • disk_list=C D E F G H I J K L M N O P Q R S T U V W X Y Z
  • fuck=echo
  • shit=del /f /q
  • avp1=%myfiles%\hellenp.tf
  • avp2=%myfiles%\hellenm.tf
  • avp3=%myfiles%\hellenq.tf
  • avp4=%myfiles%\hellenz.tf
  • r7g1=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • r7g2=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • u7ac=%windir%\system32\UserAccountControlSettings.exe
  • rg_da=reg add
  • rg_dwd=/t reg_dword /d 0 /f
  • c_cls=cacls
  • c_clsx=/p everyone:
  • c_bb=copy /b
  • fi_xt=if exist
  • fi_xxt=if not exist
  • symftm=System Volume Information\
  • r7guc1=/v ConsentPromptBehaviorAdmin
  • r7guc2=/v EnableLUA
  • r7guc3=/v PromptOnSecureDesktop

This malware creates the above variables as part of its installation routine. These values can be used by other component malware by calling the assigned environmental variables.

It deletes the following component files:

  • %Application Data%\hellenp.tf
  • %Application Data%\hellenm.tf
  • %Application Data%\hellenq.tf
  • %Application Data%\hellenz.tf

  SOLUTION

Minimum Scan Engine: 9.200
VSAPI OPR PATTERN File: 8.715.00
VSAPI OPR PATTERN Date: 18 Jan 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove malware/grayware files that dropped/downloaded TROJ_AUTOTI.C

Step 3

Scan your computer with your Trend Micro product to delete files detected as TROJ_AUTOTI.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.