Analysis by: Sabrina Lei Sioting
ALIASES:

[Kaspersky] Worm.Win32.AutoRun.hug; [McAfee] W32/Autorun.worm.zzk; [Microsoft] Worm:Win32/Hilgild!gen.A; [Symantec] W32.SillyFDC

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives.

It modifies certain registry entries to hide file extensions.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

  TECHNICAL DETAILS

File Size: 266,240 bytes
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 30 Jul 2011

Arrival Details

This worm arrives via removable drives.

It may arrive via network shares.

Installation

This worm drops the following copies of itself into the affected system:

  • %system root%\Documents and Settings\All Users\Application Data\wmimgmt.exe

It drops the following non-malicious files:

  • %system root%\Documents and Settings\All Users\DRM\Media\8E60A049.db
  • %system root%\Documents and Settings\All Users\DRM\Media\line.dat
  • %User Temp%\RHFLQB.XML
  • %User Temp%\tmp~ghi.log

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It adds the following possibly malicious files or file components:

  • %system%\wuausrv.dll - detected by Trend Micro as BKDR_PROTUX.PI

It creates the following folders:

  • %system root%\Documents and Settings\All Users\DRM\Media

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • ProgramLQBMutex

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
wmi32 = "%system root%\Documents and Settings\All Users\Application Data\wmimgmt.exe"

Other System Modifications

This worm modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\SuperHidden
UncheckedValue = 0

(Note: The default value data of the said registry entry is 1.)

It modifies the following registry entries to hide file extensions:

HKEY_CLASSES_ROOT\exefile
NeverShowExt = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
exefile
NeverShowExt = ""

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

; for 16-bit app support
[extensions]
[fonts]
[mci extensions]
[Mail]
[files]
MAPI=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
CMCDLLNAME32=mapi32.dll
CMC=1
[MCI Extensions]
aif=loghours.dll
aiff=ole2.dll
asf=d3dramp.dll
aifc=psnppagn.dll
asx=MPEGVideo2
mpe=usrdtea.dll
mpg=MPEGVideo
mpv2=idq.dll
mpeg=MPEGVideo
snd=atl.dll
wm=mcd32.dll
wma=MP4
wmp=MP3
wmv=MPEG
wmx=MPEGVideo32
251846kfi56s
;{garbage}
[Kasasf0q]iLasdfjKD28Ls33wDm2rq6Jl1EdAf8
;{garbage}
[shellas]dBop1comasdnhsdf=fdsjsdf.exenghsadnetstad.
as=asdfash0fsad asd1safsd9safdasf
;{garbage}
oaeFK1Kajkw6DdDL2f3a31zazi8a135Lwra
Ls33wDm2rq6Jl1EdAf8soae FK1Kajkw6DdDLKAl6sdcO7K
asdfsadfLsafdsfadsdm FKajkw6KAl6sdcO7K
;{garbage}
[autorun]K0qi3adCa19lhsdfjKD2asfd23asdfsdfa
PRINT=PRINT.EXE ASDd98daf897asdj
;{garbage}
Play= Copy pictures to a foler on my computer
shEllEXEcuTe = RECYCLER\wmimgmt.com
;{garbage}
sheLL\oPeN\coMManD =RECYCLER\wmimgmt.com
;{garbage}
shELl\ExpLore\ComMand= RECYCLER\wmimgmt.com
s=asfdsa5dffafdAf8soaeFExpLoreqiLasJ8Z3adC
;{garbage}
Action=Open folder to view files
;{garbage}
Spell=Take no action then print the picture
[drivers]
wave=mmdrv.dll
[driver32]
timer=timer.drv
[mci]
woafont=app936.FON
EGA40WOA.FON=EGA40WOA.FON
[386enh]
EGA51WOA.FON=KBDDSP.FON

Dropping Routine

This worm executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

NOTES:

The dropped AUTORUN.INF is detected by Trend Micro as Mal_Otorun1.

This worm creates the following folder in all shared folders and removable drives:

  • RECYCLER

It drops the following copy of itself in all shared folders and removable drives:

  • RECYCLER\wmimgmt.com

It also drops the following non-malicious files in all shared folders and removable drives:

  • RECYCLER\8E60A049.db
  • RECYCLER\desktop.ini

It searches for folders in all shared folders and removable drives then drops copies of itself as {folder name}.EXE.

It sets the attributes of all the found folders in the shared folders and removable drives to Hidden.

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 8.318.13
FIRST VSAPI PATTERN DATE: 30 Jul 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_OTORUN.WKJ

    BKDR_PROTUX.PI

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • wmi32 = "%system root%\Documents and Settings\All Users\Application Data\wmimgmt.exe"
  • In HKEY_CLASSES_ROOT\exefile
    • NeverShowExt = ""
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
    • NeverShowExt = ""

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • From: ShowSuperHidden = 0
      To: ShowSuperHidden = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    • From: UncheckedValue = 0
      To: UncheckedValue = 1

Step 6

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
%system root%\Documents and Settings\All Users\DRM\Media
{shared folder or removable drive}\RECYCLER

Step 7

Search and delete this file

[ Learn More ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
%User Temp%\RHFLQB.XML
%User Temp%\tmp~ghi.log

Step 8

Search and delete AUTORUN.INF files created by WORM_OTORUN.WKJ that contain these strings

[ Learn More ]
; for 16-bit app support
[extensions]
[fonts]
[mci extensions]
[Mail]
[files]
MAPI=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
CMCDLLNAME32=mapi32.dll
CMC=1
[MCI Extensions]
aif=loghours.dll
aiff=ole2.dll
asf=d3dramp.dll
aifc=psnppagn.dll
asx=MPEGVideo2
mpe=usrdtea.dll
mpg=MPEGVideo
mpv2=idq.dll
mpeg=MPEGVideo
snd=atl.dll
wm=mcd32.dll
wma=MP4
wmp=MP3
wmv=MPEG
wmx=MPEGVideo32
251846kfi56s
;{garbage}
[Kasasf0q]iLasdfjKD28Ls33wDm2rq6Jl1EdAf8
;{garbage}
[shellas]dBop1comasdnhsdf=fdsjsdf.exenghsadnetstad.
as=asdfash0fsad asd1safsd9safdasf 
;{garbage}
oaeFK1Kajkw6DdDL2f3a31zazi8a135Lwra
Ls33wDm2rq6Jl1EdAf8soae   FK1Kajkw6DdDLKAl6sdcO7K
asdfsadfLsafdsfadsdm   FKajkw6KAl6sdcO7K
;{garbage}
[autorun]K0qi3adCa19lhsdfjKD2asfd23asdfsdfa
PRINT=PRINT.EXE ASDd98daf897asdj
;{garbage}
Play= Copy pictures to a foler on my computer
shEllEXEcuTe   = RECYCLER\wmimgmt.com
;{garbage}
sheLL\oPeN\coMManD =RECYCLER\wmimgmt.com
;{garbage}
shELl\ExpLore\ComMand= RECYCLER\wmimgmt.com
s=asfdsa5dffafdAf8soaeFExpLoreqiLasJ8Z3adC
;{garbage}
Action=Open folder to view files 
;{garbage}
Spell=Take no action then print the picture
[drivers]
wave=mmdrv.dll
[driver32]
timer=timer.drv
[mci]
woafont=app936.FON
EGA40WOA.FON=EGA40WOA.FON
[386enh]
EGA51WOA.FON=KBDDSP.FON

Step 9

Scan your computer with your Trend Micro product to delete files detected as WORM_OTORUN.WKJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Changing File attributes using ATTRIB command

  1. Open a command prompt.
    • For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type CMD then press Enter.
    • For Windows Vista and Windows 7 users, click Start, type CMD in the Search input field then press Enter.
  2. In the CMD console, type the following:
    ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [+I | -I] [drive:][path][filename] [/S [/D] [/L]]

    Where:


    + Sets an attribute.
    - Clears an attribute.
    R Read-only file attribute.
    A Archive file attribute.
    S System file attribute.
    H Hidden file attribute.
    I Not content indexed file attribute.
    [drive:][path][filename] Specifies a file or files for attrib to process.
    /S Processes matching files in the current folder and all subfolders.
    /D Processes folders as well.
    /L Work on the attributes of the Symbolic Link versus the target of the Symbolic Link

    3. Example:
    ATTRIB –H D:\* /S /D [Remove Hidden Attribute for all files and folders including subfolders in drive D]

  3. Repeat Step 2 for folders and files in other drives or directories.

This malware is detected and removed by the latest Trend Micro anti-malware engine and pattern. Always keep pattern files and engines up-to-date.

To know more about updating your Trend Micro product’s pattern, please refer to the Trend Micro Support page How do I manually update the virust pattern of my Trend Micro Internet.

Note: The steps apply for specific products indicated in the page.

To actively detect and protect your machine, enable real-time scanning of your Trend Micro anti-malware product. Refer to the following Trend Micro support page to know more about enabling real-time scanning in your Trend Micro product:

  • When a computer is compromised, isolate it immediately from the network.
  • Turn off file sharing if not needed. If needed, disable anonymous access to shared folders.
  • Disable AutoPlay to avoid automatic execution of executable files in removable drives.
  • Configure your system to show hidden files and folders and display file extensions.


Did this description help? Tell us how we did.