WORM_HILGILD.AUL

This worm arrives via removable drives. It arrives by accessing affected shared networks. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives via removable drives.

It arrives by accessing affected shared networks.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %All Users Profile%\Application Data\wmimgmt.exe

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %All Users Profile%\DRM\Media\line.dat
• %All Users Profile%\DRM\Media\D753DD1C.db
• %Temp%\temp.vih
• %User Profile%\Local Settings\Temporary Internet Files\s.log
• %User Profile%\Local Settings\Temporary Internet Files\t.log
• %User Profile%\Local Settings\Temporary Internet Files\INFO.TXT {contains all gathered info}
• %User Profile%\Local Settings\Temporary Internet Files\drivers.p {contains list of available drives}
• %User Profile%\Local Settings\Temporary Internet Files\wrkgrp.tmp {contains list of connected machine}

(Note: %All Users Profile% is the All Users folder, where it usually is C:\Documents and Settings\All Users on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\ProgramData on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops and executes the following files:

• %User Profile%\Local Settings\Temporary Internet Files\avp.exe
• %User Profile%\Local Settings\Temporary Internet Files\avpi.exe
• %User Profile%\Local Settings\Temporary Internet Files\oi.bat {for bypass firewall}
• %User Profile%\Local Settings\Temporary Internet Files\ghi.bat {to get info about network}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following processes:

• net.exe

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion
wmi32 = "%All Users Profile%\Application Data\wmimgmt.exe"

Other System Modifications

This worm modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
SuperHidden = "1"

(Note: The default value data of the said registry entry is "0".)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\Lsa
forceguest = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\Lsa
limitblankpassworduse = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data of the said registry entry is "2".)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is "{User Preference}".)

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

; for 16-bit app support
[extensions]
[fonts]
[mci extensions]
[Mail]
[files]
mpeg=MPEGVideo
snd=atl.dll
wm=mcd32.dll
wma=MP4
wmp=MP3MAPI=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
CMCDLLNAME32=mapi32.dll
CMC=1
[MCI Extensions]
aif=loghours.dll
aiff=ole2.dll
asf=d3dramp.dll
aifc=psnppagn.dll
asx=MPEGVideo2
mpe=usrdtea.dll
mpg=MPEGVideo
mpv2=idq.dll
wmv=MPEG
wmx=MPEGVideo32
251846kfi56s
;cc30qiLas JdZ3adCjPadf823423423
[Kasasf0q]iLasdfKD28Ls33wDmrq6Jl1EdAf8
;K0qi asfLasmet Ca19lhs ipconfidfjKD28 mpeg Ls33
;8sdaA89K3J0DSKJLG8P4Ld0laH saG
[shellas]dBop1caomasdnhsdf=fdsjsdf.exenghasadnetstad.
as=asdfash0ffsad asd1safsdf9safdasf
;ff0qiLasfJdKPEGVi2412344
oaeFK1Kajkw6DdD3L2f3a31zazi8a135Lwra
Ls33wDm2rqJl31EdAf8soae FK1KajkwDdDLKAl6sdcO7K
asdfs3adfLafdsfadsdm FKaj3kw6Al6sdcO7K
;K0qi65aa3sJZ3adCsa1sdfjKD32asddfasdf
;K0qiLa1Kajkw845rthgK2f33a21zazi8a35Lwra
[ autorun
K0qi3a3dCa19lsdfjKD2asfd323asdfsdfa
PRINT=PRINT.EXE ASDd938daf897asdj
;[asfd3]2KdafjKD2
Play= Copy pictures to a foler on my computer
shEllEXEcuTe = RECyCLER\wmimgmt.com
;8sdaA38G8P343LklJ8ASD FL3333sd0laHsa3G12fgsdsaKd
sheLL\oPeN\coMManD =RECYCLER\wmimgmt.com
;343P5gd2fKgCOMNANDASDF=REC R5gf56sd315eK592AdsSD
;89234SAKDJWKsatyh3adaflk7yas
;343P5F 25F5gf56sd315eK56fs43d4asd56KdaDfs1
shELl\ExpLore\ComMand= RECYCLER\wmimgmt.com
s=asfdsa5dfafdAf8soaeFExpLoreqiLasJ8Z3adC
;89234AKfdk28ASDFsaaty7ysK6DRg if5S3jsHks
Action=Open folder to view files
;8k3kKsafG ASDFdlsflK3a23F4jksfa5F3J90s
;f0PEG3ideoqiLasJd9Z3adCa319lhsdfjKD3223adfasfd
Spell=Take no action then print the picture

[mci]
woafont=app936.FON
EGA40WOA.FON=EGA40WOA.FON
[386enh]
EGA51WOA.FON=KBDDSP.FON
[drivers]
wave=mmdrv.dll
[driver32]
timer=timer.drv

Information Theft

This worm gathers the following data:

• processor information
• path list
• os information
• systemroot directory
• user accounts
• list of running processes
• product id
• network card list
• list of values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
• list of values in HKEY_CURRENT_USER\Software\Microsoft\Office\{variable1}\Common\UserInfo
• ip configuration
• list of open ports
• list of services
• list of content of files and folders in all the drives
• disk space info
• list connected machines

NOTES:

The {variable1} may be any of the following:

• 8.0
• 9.0
• 10.0
• 11.0
• 12.0
• 13.0

It drops {removable drive}:\RECYCLER\wmimgmt.com, a copy of itself, into all shared and removable drives. It drops the following files into all shared and removable drives:

• {removable drive}:\RECYCLER\desktop.ini
• {removable drive}:\~thumbs.tmp

It drops an AUTORUN.INF into all shared and removable drives to automatically execute the dropped copies when a user accesses the drives of an affected system.

It searches for folders in all shared folders and removable drives then drops copies of itself as {folder name}.EXE.

It sets the attributes of all the found folders in the shared folders and removable drives to Hidden.

It searches for the following running processes:

• 360tray.exe
• avastsvc.exe
• avguard.exe
• avp.exe
• ccenter.exe
• ccsvchst.exe
• mcagent.exe
• op_mon.exe
• pctstray.exe
• ravmond.exe
• ravtask.exe
• v31tray.exe
• v3svc.exe
• vssserv.exe

It does not proceed with its routine if it finds the process avp.exe running in the memory or the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVP in the system.