WORM_FLYSTUD.AMF

Upon execution, this worm drops files on the affected system.

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\XP-D41D8CD9.EXE

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following files:

• %User Temp%\E_4\com.run
• %User Temp%\E_4\dp1.fne
• %System%\com.run
• %System%\dp1.fne

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following non-malicious files:

• %System%\og.dll
• %System%\og.edt
• %System%\ul.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

• %User Temp%\E_4

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{OS version}-D41D8CD9 = %System%\{OS version}-D41D8CD9.EXE

It drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\¡¡¡¡¡¡.lnk

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup.)

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• Recycled.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open=Recycled.exe
shell\1=´ò¿ª(&O)
shell\1\Command=Recycled.exe
shell\2\=ä¯ÀÀ(&B)
shell\2\Command=Recycled.exe
shellexecute=Recycled.exe

Dropping Routine

This worm drops the following files:

• %User Temp%\E_4\eAPI.fne - detected by Trend Micro as WORM_AUTORUN.CLX
• %User Temp%\E_4\internet.fne - detected by Trend Micro as TROJ_PIDIEF.PUA
• %User Temp%\E_4\krnln.fnr - detected by Trend Micro as TROJ_PIDIEF.PUA
• %User Temp%\E_4\RegEx.fnr - detected by Trend Micro as TROJ_PIDIEF.PUA
• %User Temp%\E_4\shell.fne - detected by Trend Micro as WORM_AUTORUN.IJB
• %User Temp%\E_4\spec.fne - detected by Trend Micro as TROJ_PIDIEF.PUA
• %System%\eAPI.fne - detected by Trend Micro as WORM_AUTORUN.CLX
• %System%\internet.fne - detected by Trend Micro as TROJ_PIDIEF.PUA
• %System%\krnln.fnr - detected by Trend Micro as TROJ_PIDIEF.PUA
• %System%\RegEx.fnr - detected by Trend Micro as TROJ_PIDIEF.PUA
• %System%\shell.fne - detected by Trend Micro as WORM_AUTORUN.IJB
• %System%\spec.fne - detected by Trend Micro as TROJ_PIDIEF.PUA

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

NOTES:

The dropped AUTORUN.INF is detected by Trend Micro as Mal_Otorun1