WORM_OTORUN.HW
Worm:Win32/Autorun.ABS (Microsoft), W32/Autorun.worm.bdl (McAfee), Win32/Agent.NHY worm (Eset)
Windows 2000, Windows XP, Windows Server 2003

Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
102,400 bytes
EXE
23 Oct 2012
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %System%\wcynsvc.exe
- %System%\wcynsvc.ocx
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetwisk
ImagePath = "%System%\wcynsvc.exe"
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wnetwisk
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WNETWISK
Propagation
This worm drops the following copies of itself on all physical and removable drives:
- No Delete{multiple spaces}.exe
- {folder name}{multiple spaces}.exe
Other Details
This worm connects to the following possibly malicious URLs:
- {BLOCKED}ng55.3322.org:80
- {BLOCKED}ng33.gicp.net:80
It sets the attributes of the following file(s) to Hidden and System:
- {drive letter}:\{folder name}
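
The padded file names listed under Propagation, together with the Hidden and System folder attributes noted above, can be checked for on a drive with a short script. This is an added example, not part of the original write-up: the function names are hypothetical, it assumes the copies sit in the drive root, and the sample tree is constructed from empty files.

```python
import os
import re
import tempfile

# Name stem, then two or more spaces, then ".exe": the padding described above.
PADDED_EXE = re.compile(r"^(?P<stem>.*\S) {2,}\.exe$", re.IGNORECASE)
HIDDEN, SYSTEM = 0x2, 0x4  # Windows FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM

def is_hidden_system(path):
    """True only when Windows reports both attributes; always False on other OSes."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return attrs & (HIDDEN | SYSTEM) == (HIDDEN | SYSTEM)

def scan_root(root):
    """List padded .exe files in a drive root and the sibling folder each one mimics."""
    entries = sorted(os.listdir(root))
    folders = {e.lower(): e for e in entries if os.path.isdir(os.path.join(root, e))}
    findings = []
    for name in entries:
        match = PADDED_EXE.match(name)
        if not match or not os.path.isfile(os.path.join(root, name)):
            continue
        folder = folders.get(match.group("stem").lower())
        findings.append({
            "file": name,
            "mimics_folder": folder,  # None when no folder shares the stem
            "folder_hidden_system": folder is not None
            and is_hidden_system(os.path.join(root, folder)),
        })
    return findings

def demo():
    """Run scan_root over a constructed directory tree (empty files, no malware)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Photos"))
        for name in ("Photos      .exe", "No Delete    .exe", "setup.exe", "My App.exe"):
            open(os.path.join(root, name), "w").close()
        return scan_root(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding whose mimicked folder is also Hidden and System matches both behaviours described in this entry; a padded name on its own is only a lead to investigate.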