Analysis by: Christopher Daniel So

ALIASES:

Backdoor.Tidserv (Symantec), Generic BackDoor.rz (McAfee), W32/Rorpian-Q (Sophos), Riskware/Generic (Fortinet), Trojan.Win32.Pincav (Ikarus)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via software vulnerabilities, Propagates via removable drives

This worm arrives when an infected removable drive is connected to a system or when a user accesses an infected network share. It may also be dropped by other malware.

It drops an AUTORUN.INF file so that the copies it drops run automatically when a user accesses the drives of an affected system, and it exploits a software vulnerability (MS08-067) to propagate to other computers across a network.

It downloads files from a remote site and executes them, so the malicious routines of those files are exhibited on the affected system. As of this writing, the site is inaccessible.

  TECHNICAL DETAILS

File Size: 55,808 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 13 Sep 2011
Payload: Downloads files

Arrival Details

This worm arrives when an infected removable drive is connected to a system.

It arrives when a user accesses an infected network share.

It may be dropped by other malware.

Installation

This worm drops the following copies of itself into the affected system:

  • %User Temp%\srv{3 random hexadecimal digits}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It injects itself into the following processes as part of its memory residency routine:

  • spoolsv.exe

Autostart Technique

This worm registers itself as a service hosted by svchost.exe (Type 0x20 is SERVICE_WIN32_SHARE_PROCESS, loaded through the netsvcs group) to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}
Type = "20"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}
Start = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}
ImagePath = "%System Root%\system32\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}
DisplayName = "srv{3 random hexadecimal digits}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}\parameters
servicedll = "\\?\globalroot\Device\HarddiskVolume1\%User Temp%\srv{random hexadecimal number}.exe"

It adds the following registry key and value so that its service is also started in Safe Mode:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
srv{random hexadecimal number}
(Default) = "service"

It prepends its service name to the netsvcs service group, so that svchost.exe -k netsvcs loads its ServiceDll at every system startup, by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
netsvcs = "srv{random hexadecimal number} {original value}"

(Note: The default value data of the said registry entry is "{original value}".)

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srv{random hexadecimal number}

Other System Modifications

This worm adds a Windows Firewall exception, labelled as a DHCP Server rule, that opens UDP port 67 in the Standard Profile:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
67:UDP = "67:UDP:*:Enabled:DHCP Server"
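The three persistence artifacts described in the Autostart Technique and Other System Modifications sections (a random srv{hex} member of the netsvcs group whose ServiceDll points into a Temp folder, a matching SafeBoot\Minimal key, and a GloballyOpenPorts exception) can be hunted in a registry export taken from a suspect machine. The following is an added example written for this page, not Trend Micro tooling: it parses the text of a regedit 5.00 export (as produced by `reg export`, which writes UTF-16; open the file with encoding="utf-16") and reports each artifact. The export embedded below is constructed for the example; the service name srv1a7 and the user profile path are made up.

```python
"""Hunt for this worm's svchost-hosted persistence in a registry export.

Added example for this report, not Trend Micro tooling. It decodes the text of a
regedit 5.00 export and flags: netsvcs members whose ServiceDll lives outside
System32 or is not a .dll, service names matching srv{3 hex digits}, SafeBoot
Minimal entries for those services, and every GloballyOpenPorts firewall
exception. SAMPLE_REG is constructed for this example.
"""
import re

SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot\minimal"
PORTS = SERVICES + r"\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list"
RANDOM_SRV = re.compile(r"^srv[0-9a-f]{3}$", re.I)

# Constructed export: one benign netsvcs member (AppMgmt) and the worm's service.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):73,00,72,00,76,00,31,00,61,00,37,00,00,00,41,00,70,00,70,00,\
  4d,00,67,00,6d,00,74,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\appmgmts.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv1a7]
"Type"=dword:00000020
"Start"=dword:00000001
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srv1a7\parameters]
"servicedll"="\\\\?\\globalroot\\Device\\HarddiskVolume1\\Documents and Settings\\user\\Local Settings\\Temp\\srv1a7.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv1a7]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"67:UDP"="67:UDP:*:Enabled:DHCP Server"
"""


def decode_value(raw):
    """Decode one regedit value literal: "string", dword:, or hex(type):."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # regedit escapes \ and " with a backslash
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)", raw)
    if m:
        kind = int(m.group(1) or "3", 16)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL terminated
            return data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:       # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}}; key paths are lower-cased (the registry is case-insensitive)."""
    keys, cur, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            keys.setdefault(cur, {})
            continue
        while line.endswith("\\") and i < len(lines):  # wrapped hex data continues on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if line.startswith("@"):
            name, raw = "(Default)", line[2:]
        else:
            end = line.index('"', 1)
            name, raw = line[1:end], line[end + 2:]
        keys[cur][name] = decode_value(raw)
    return keys


def value(keys, key, name):
    """Case-insensitive value lookup under an already lower-cased key path."""
    return next((v for n, v in keys.get(key, {}).items() if n.lower() == name), None)


def hunt(keys, system_root=r"C:\WINDOWS"):
    """Return (category, name, detail) findings for the artifacts this report describes."""
    findings = []
    system32 = (system_root + "\\system32\\").lower()
    for svc in value(keys, SVCHOST_KEY, "netsvcs") or []:
        dll = value(keys, f"{SERVICES}\\{svc.lower()}\\parameters", "servicedll")
        reasons = []
        if RANDOM_SRV.match(svc):
            reasons.append("service name matches srv{3 hex digits}")
        if dll is not None:
            path = dll.lower().replace("%systemroot%", system_root.lower())
            if not path.startswith(system32):
                reasons.append(f"ServiceDll outside System32: {dll}")
            if not path.endswith(".dll"):
                reasons.append("ServiceDll does not carry a .dll extension")
        if reasons:
            findings.append(("netsvcs", svc, "; ".join(reasons)))
            if f"{SAFEBOOT}\\{svc.lower()}" in keys:
                findings.append(("safeboot", svc, "SafeBoot Minimal entry keeps it running in Safe Mode"))
    for name, rule in keys.get(PORTS, {}).items():
        findings.append(("firewall", name, rule))
    return findings


if __name__ == "__main__":
    for category, name, detail in hunt(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {name}: {detail}")
```

Feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet` and `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"` concatenated. The netsvcs group is checked member by member rather than against a fixed allow-list because the list varies between Windows versions; a ServiceDll outside System32 or without a .dll extension is what gives this family away, and the SafeBoot and firewall findings are the two remaining items the Solution section asks you to delete.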

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • setup1911.fon

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings. The mixed-case key names and interleaved garbage lines do not change how Windows handles the file, since INF parsing is case-insensitive and unparseable lines are ignored, but they defeat exact-string signatures:

{garbage characters}
[AUtOrUn]
acTION=OpEn
{garbage characters}
icoN=%wIndir%\SysTeM32\SHELL32.DLl,4
{garbage characters}
uSEAuToPLAy=1
{garbage characters}
OpEN=RUnDLL32.EXE seTUp1911.fon,348976
{garbage characters}
sheLL\EXPlore\coMmAnd=rUNDlL32.exe sEtup1911.fON,348976
{garbage characters}
SHELL\opEn\CoMMAND=rundLl32.eXE setup1911.FoN,348976
{garbage characters}
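To triage an AUTORUN.INF obfuscated like the one above (the same listing appears in Step 7 of the Solution), normalize it the way the Windows INF parser does before matching on it. The following is an added example written for this page, not Trend Micro code: it lower-cases section and key names, drops lines that are not `[section]` or `key=value`, extracts every launch command, and flags rundll32 loading a file without a .dll extension. The embedded sample reproduces the report's strings; the garbage lines are constructed.

```python
r"""Normalize and triage an obfuscated AUTORUN.INF of the kind shown in this report.

Added example, not Trend Micro code. Windows matches INF section and key names
case-insensitively and skips lines it cannot parse, so the scrambled casing and
junk lines change nothing for AutoPlay but defeat exact-string signatures.
SAMPLE_INF is constructed from the report's strings; the junk lines are made up.
"""
import re

SAMPLE_INF = r"""xK3#@!zzQ
[AUtOrUn]
acTION=OpEn
)(*&^%$#
icoN=%wIndir%\SysTeM32\SHELL32.DLl,4
~~~~~~jjjj
uSEAuToPLAy=1
qqqqq####
OpEN=RUnDLL32.EXE seTUp1911.fon,348976
0101010101
sheLL\EXPlore\coMmAnd=rUNDlL32.exe sEtup1911.fON,348976
!!!!!!!!
SHELL\opEn\CoMMAND=rundLl32.eXE setup1911.FoN,348976
@@@@@@@@
"""

# rundll32[.exe] <file>,<export>  (case-insensitive, like the shell)
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+([^,\s]+)\s*,\s*(\S+)", re.I)


def parse_inf(text):
    """Return ({section: {key: value}}, dropped) with names lower-cased.

    'dropped' counts non-blank, non-comment lines that are neither a [section]
    header nor key=value, i.e. the garbage the Windows parser silently ignores.
    """
    sections, cur, dropped = {}, None, 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip().lower()
            sections.setdefault(cur, {})
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[cur][key.strip().lower()] = val.strip()
        else:
            dropped += 1
    return sections, dropped


def launch_commands(autorun):
    r"""Every [autorun] key that makes Windows run something: open, shellexecute, shell\<verb>\command."""
    return {k: v for k, v in autorun.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))}


def payloads(text):
    """File names the INF launches, so the dropped copy can be removed alongside it."""
    sections, _ = parse_inf(text)
    names = set()
    for cmd in launch_commands(sections.get("autorun", {})).values():
        m = RUNDLL.match(cmd)
        names.add((m.group(1) if m else cmd.split()[0]).lower())
    return names


def triage(text):
    """Human-readable findings for one AUTORUN.INF."""
    sections, dropped = parse_inf(text)
    autorun = sections.get("autorun", {})
    findings = []
    for key, cmd in launch_commands(autorun).items():
        m = RUNDLL.match(cmd)
        if m and not m.group(1).lower().endswith(".dll"):
            # LoadLibrary ignores the extension: a .fon (or .tmp, .dat, ...) is mapped and run as code
            findings.append(f"{key}: rundll32 loads non-DLL file {m.group(1)} via export {m.group(2)}")
    if autorun.get("useautoplay") == "1":
        findings.append("useautoplay=1: requests AutoPlay handling when the drive is inserted")
    if dropped:
        findings.append(f"{dropped} unparseable lines interleaved with the keys (signature evasion)")
    raw_keys = re.findall(r"^\s*([^\[;=\s][^=]*?)\s*=", text, re.M)
    odd = [k for k in raw_keys if k not in (k.lower(), k.upper(), k.capitalize())]
    if odd:  # heuristic: legitimate INFs are written in consistent case
        findings.append(f"{len(odd)} keys with scrambled casing, e.g. {odd[0]}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INF):
        print(finding)
    print("payloads:", sorted(payloads(SAMPLE_INF)))
```

Run it against any AUTORUN.INF recovered from a removable drive or network share; matching on the normalized `[autorun]` keys instead of the raw bytes is what makes the check robust to the casing and junk-line tricks, and `payloads()` gives the file name (here setup1911.fon) that must be removed together with the INF.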

It exploits the following software vulnerabilities to propagate to other computers across a network:

  • (MS08-067) Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Download Routine

This worm accesses the following websites to download files:

  • http://{BLOCKED}.{BLOCKED}.89.121/X
  • http://{BLOCKED}.{BLOCKED}.89.121/exe

It saves the files it downloads using the following names:

  • %Temp%\{random hexadecimal number}.tmp

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp or C:\WINNT\Temp.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.

NOTES:

It connects to the following website to inform the remote user of its installation:

  • http://{BLOCKED}.{BLOCKED}.89.121/slog&log=install&id={random string}&os={OS version}&version=1d&data=

It drops the following .LNK files in all removable drives and shared folders to enable the automatic execution of the file setup1911.fon:

  • myporno.avi.lnk
  • pornmovs.lnk
  • setup1911.lnk

Trend Micro detects the said shortcut files either as LNK_OTORUN.SM or EXPL_CPLNK.SM, depending on the malware copy that it points to. If the shortcut file points to a local malware copy, it is detected as LNK_OTORUN.SM. If it points to a malware copy dropped in a shared folder, it is detected as EXPL_CPLNK.SM.

It searches for all shared folders on the affected system. It then drops the following copies of itself to the found folders using the following file name:

  • setup1911.fon

  SOLUTION

Minimum Scan Engine: 9.200
FIRST VSAPI PATTERN FILE: 8.424.11
FIRST VSAPI PATTERN DATE: 13 Sep 2011
VSAPI OPR PATTERN File: 8.425.00
VSAPI OPR PATTERN Date: 13 Sep 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_OTORUN.KR

Step 3

Identify and delete files detected as WORM_OTORUN.KR using either the Startup Disk or Recovery Console

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Do this step only if you know how, or ask your system administrator for assistance; otherwise, consult Microsoft's documentation on backing up and restoring the registry before modifying it.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    • 67:UDP="67:UDP:*:Enabled:DHCP Server"

Step 5

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Do this step only if you know how, or ask your system administrator for assistance; otherwise, consult Microsoft's documentation on backing up and restoring the registry before modifying it.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    • srv{random hexadecimal number}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • srv{random hexadecimal number}

Step 6

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Do this step only if you know how, or ask your system administrator for assistance; otherwise, consult Microsoft's documentation on backing up and restoring the registry before modifying it.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    • From: netsvcs="srv{random hexadecimal number} {original value}"
      To: netsvcs="{original value}"

Step 7

Search and delete AUTORUN.INF files created by WORM_OTORUN.KR that contain these strings

{garbage characters}
[AUtOrUn]
acTION=OpEn
{garbage characters}
icoN=%wIndir%\SysTeM32\SHELL32.DLl,4
{garbage characters}
uSEAuToPLAy=1
{garbage characters}
OpEN=RUnDLL32.EXE seTUp1911.fon,348976
{garbage characters}
sheLL\EXPlore\coMmAnd=rUNDlL32.exe sEtup1911.fON,348976
{garbage characters}
SHELL\opEn\CoMMAND=rundLl32.eXE setup1911.FoN,348976
{garbage characters}

Step 8

Scan your computer with your Trend Micro product to delete files detected as WORM_OTORUN.KR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.

Step 9

Download and apply the security patch for MS08-067 (958644), which closes the Server Service vulnerability this worm uses to spread across the network. Refrain from using the affected systems on the network until the patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

