WORM_FLYSTUD.QWI
Win32/AutoRun.FlyStudio.ZE (NOD32); W32.SillyFDC (Symantec)
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives on a system when an infected removable drive is connected to it. It also arrives when the system accesses an infected network share.
TECHNICAL DETAILS
Arrival Details
This worm arrives on a system when an infected removable drive is connected to it.
It also arrives when the system accesses an infected network share.
Installation
This worm drops the following files:
- %System Root%\autorun.inf\desktop.ini
- %Program Files%\autorun.inf\desktop.ini
- %Program Files%\Windows Media Player\autorun.inf\desktop.ini
- %User Temp%\E_N4\eAPI.fne
- %User Temp%\E_N4\internet.fne
- %User Temp%\E_N4\krnln.fnr
- %User Temp%\E_N4\Md5.fne
(Note: %System Root% is the root folder, usually C:\, which is also where the operating system is located. %Program Files% is the default Program Files folder, usually C:\Program Files. %User Temp% is the current user's Temp folder, usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. The autorun.inf entries above are directories, not files: an autorun.inf directory holding a desktop.ini at a drive or folder root is the same layout that USB "immunization" tools create so that a later worm cannot write its own autorun.inf file there. The E_N4 files are runtime support libraries of the Easy Programming Language (EPL, also known as FlyStudio) in which the worm is written, hence the FlyStudio label in the NOD32 detection name.)
It drops the following copies of itself into the affected system:
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7\6\4\d\a\autorun.inf\svchost.exe¡¡
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files. The 32 single-character directories spell the hexadecimal string cfcd208495d565ef66e7dff9f98764da, one directory per hex digit; this is the MD5 of the string "0". The two characters shown as ¡¡ at the end of the file name are the GBK byte pair A1 A1, i.e. two ideographic (full-width) spaces, so the copy's extension as Windows sees it is not .exe; compare the .exe¡¡ key listed under Other System Modifications.)
It creates the following folders:
- %System Root%\autorun.inf
- %System Root%\autorun.inf\ÎļþÃâÒß.
- %Program Files%\autorun.inf
- %Program Files%\autorun.inf\ÎļþÃâÒß.
- %Program Files%\Windows Media Player\autorun.inf
- %Program Files%\Windows Media Player\autorun.inf\ÎļþÃâÒß.
- %User Temp%\E_N4
- %Program Files%\Windows Media Player\c\f
- %Program Files%\Windows Media Player\c\f\c
- %Program Files%\Windows Media Player\c\f\c\d
- %Program Files%\Windows Media Player\c\f\c\d\2
- %Program Files%\Windows Media Player\c\f\c\d\2\0
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7\6
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7\6\4
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7\6\4\d
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7\6\4\d\a
- %Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7\6\4\d\a\autorun.inf
(Note: %System Root% is the root folder, usually C:\, which is also where the operating system is located. %Program Files% is the default Program Files folder, usually C:\Program Files. %User Temp% is the current user's Temp folder, usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. The subfolder shown as ÎļþÃâÒß. is a GBK-encoded Chinese name (文件免疫, "file immunization") mis-rendered as Latin-1; its trailing dot is deliberate, since the Win32 path layer strips trailing dots and such a folder cannot be opened or deleted with ordinary tools, which is the same trick autorun-immunization utilities use to keep their autorun.inf directory in place.)
Autostart Technique
This worm modifies the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = Userinit,"%Program Files%\Windows Media Player\c\f\c\d\2\0\8\4\9\5\d\5\6\5\e\f\6\6\e\7\d\f\f\9\f\9\8\7\6\4\d\a\autorun.inf\svchost.exe¡¡
(Note: The default value data of the said registry entry is C:\WINDOWS\system32\userinit.exe, including the trailing comma. Winlogon runs every comma-separated entry of Userinit under the logging-on user's account before it starts the shell, so appending the dropped copy makes it run at every interactive logon.)
Other System Modifications
This worm adds the following registry keys:
HKEY_CLASSES_ROOT\.exe¡¡
HKEY_CURRENT_USER\Software\LoveQ
(Note: The first key names the padded .exe¡¡ extension carried by the dropped copy; registering it as a file type under HKEY_CLASSES_ROOT is presumably what lets that copy be launched even though its name does not end in .exe.)
Propagation
This worm searches for folders on all physical and removable drives, then drops a copy of itself inside each folder as {folder name}.EXE.
It uses the following file names for the copies it drops into network shares:
- ...exe
- ..exe
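An offline hunt for the on-disk indicators this entry lists (autorun.inf used as a directory, a {folder name}.EXE sibling, the ..exe and ...exe share names, the E_N4 runtime drop, and an executable whose extension is padded with full-width spaces), as an added example that is not code from this entry. The directory layout it scans is constructed in a temporary folder to imitate those indicators and is not a real capture.

```python
"""Scan a directory tree for the file-system indicators described above.

Added example, not code from the Trend Micro entry. build_sample_tree creates a
constructed layout (not a real capture) so the scan can run offline.
"""
import os
import tempfile

SHARE_COPY_NAMES = {"..exe", "...exe"}
FLYSTUDIO_RUNTIME = {"krnln.fnr", "eapi.fne", "internet.fne", "md5.fne"}


def classify_file(dirpath: str, name: str) -> list[str]:
    """Indicator kinds a single file name matches (empty list if none)."""
    kinds = []
    low = name.lower()
    parent = os.path.basename(dirpath.rstrip(os.sep)).lower()
    if low in SHARE_COPY_NAMES:
        kinds.append("share-copy-name")
    if parent and low == parent + ".exe":           # {folder name}.EXE
        kinds.append("folder-name-exe")
    _, ext = os.path.splitext(low)
    if ext != ".exe" and ext.strip() == ".exe":     # '.exe' + U+3000 padding
        kinds.append("padded-exe-extension")
    if parent == "e_n4" and low in FLYSTUDIO_RUNTIME:
        kinds.append("flystudio-runtime")
    return kinds


def scan(root: str) -> list[tuple[str, str]]:
    """Walk root and return sorted (kind, path) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == "autorun.inf":          # directory, not a file
                findings.append(("autorun.inf-directory", os.path.join(dirpath, d)))
        for f in filenames:
            for kind in classify_file(dirpath, f):
                findings.append((kind, os.path.join(dirpath, f)))
    return sorted(findings)


def build_sample_tree(base: str) -> None:
    """Constructed layout imitating the page's indicators, plus benign controls."""
    def touch(*parts):
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")
    touch("autorun.inf", "desktop.ini")                        # immunisation-style folder
    touch("Photos", "Photos.EXE")                              # {folder name}.EXE
    touch("Photos", "holiday.jpg")                             # benign control
    touch("share", "..exe")
    touch("share", "...exe")
    touch("Temp", "E_N4", "krnln.fnr")                         # EPL runtime drop
    touch("Windows Media Player", "autorun.inf",
          "svchost.exe\u3000\u3000")                           # padded extension
    touch("legit", "notes.txt")                                # benign control


def demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir, scan it, and return relative findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return [(kind, os.path.relpath(path, base)) for kind, path in scan(base)]


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:24s} {path}")
```

Point scan() at a mounted drive or an extracted share copy; the padded-extension rule is the one most worth keeping, since name-based allow lists that match on a literal ".exe" suffix will not see the dropped svchost.exe copy at all.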