WORM_VERECNO.A
Aliases: W32.Harakit (Symantec), Win32/Autoit.JW worm (ESET), Worm:Win32/Verecno.A (Microsoft)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives when an infected removable drive is connected to a system. It may arrive bundled with malware packages as a malware component. It may also arrive on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This worm arrives when an infected removable drive is connected to a system.
It may arrive bundled with malware packages as a malware component.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %System Root%\Google\googleupdate.a3x
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\Skypee
- %System Root%\Google
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
googleupdate.exe = "%System Root%\Google\googleupdate.vbs"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
googleupdate.exe = %System Root%\googleupdate.vbs
It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:
- %All Users Profile%\Start Menu\Programs\Startup\googleupdate.lnk
(Note: %All Users Profile% is the All Users or Common profile folder, which is C:\Documents and Settings\All Users in Windows 2000, XP, and Server 2003, and C:\ProgramData in Windows Vista and 7.)
Other Details
This worm connects to the following URL(s) to get the affected system's IP address:
- http://www.{BLOCKED}ugin.net/json.gp
It connects to the following possibly malicious URL:
- http://{BLOCKED}ou.zapto.org
It requires the following additional components to properly run:
- AutoIt3.exe
- {parent folder name}.lnk
- googleupdate.vbs
NOTES:
It copies the following directory and its content to all drives found:
- %System Root%\Skypee\*
This worm drops the following file into every folder found in the root of each drive and in shared folders:
- {folder name}\{parent folder name}.lnk
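The following PowerShell script is an added, read-only indicator check for the artifacts listed in this entry (the Run values, the Startup shortcut, the dropped folders and the folder-named .lnk files). It is not part of the original write-up or of any vendor tool. It assumes %System Root% resolves to the system drive root and uses the CommonStartup special folder so the Startup path is correct on both XP-era and Vista/7 layouts; the function name Find-VerecnoIndicators is hypothetical.

```powershell
# Added example: enumerate WORM_VERECNO.A indicators on the local host.
# Read-only; run from an elevated PowerShell session so HKLM and all drives are readable.
function Find-VerecnoIndicators {
    $findings = @()

    # Assumption: %System Root% is the root of the system drive (usually C:\).
    $systemRoot  = $env:SystemDrive + '\'
    # Resolves to the "All Users" Startup folder on XP/2003 and the ProgramData one on Vista/7.
    $commonStart = [Environment]::GetFolderPath('CommonStartup')

    # 1. Dropped copy, created folders and the Startup shortcut named in the entry.
    $paths = @(
        (Join-Path $systemRoot 'Google\googleupdate.a3x'),
        (Join-Path $systemRoot 'Google\googleupdate.vbs'),
        (Join-Path $systemRoot 'googleupdate.vbs'),
        (Join-Path $systemRoot 'Google'),
        (Join-Path $systemRoot 'Skypee'),
        (Join-Path $commonStart 'googleupdate.lnk')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "File-system artifact: $p" }
    }

    # 2. Autostart values: value name 'googleupdate.exe' under either Run key.
    $runKeys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains 'googleupdate.exe')) {
            $findings += ('Autostart value googleupdate.exe in {0} -> {1}' -f $key, $props.'googleupdate.exe')
        }
    }

    # 3. Propagation artifacts on every file-system drive: a copied Skypee folder in the
    #    drive root, and a "<folder name>.lnk" shortcut inside each top-level folder.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        if (Test-Path -LiteralPath (Join-Path $root 'Skypee')) {
            $findings += "Skypee folder present in $root"
        }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object {
                $lnk = Join-Path $_.FullName ($_.Name + '.lnk')
                if (Test-Path -LiteralPath $lnk) { $findings += "Folder-named shortcut: $lnk" }
            }
    }

    return $findings
}

$hits = Find-VerecnoIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No WORM_VERECNO.A indicators found.'
} else {
    $hits | ForEach-Object { Write-Output "[!] $_" }
}
```

A folder-named .lnk sitting inside the folder it is named after is the propagation trick this family relies on: on a drive where shortcuts display a folder icon, a user opens the shortcut instead of the folder. Any hit from section 3 on a removable drive is therefore worth treating as a sign that the drive has been inserted into an infected host, even when the Run values on the current machine are clean.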