Threat Description

Trojan:​W32/AutoIt.BN

Details

Aliases:Trojan:​W32/AutoIt.BN, Trojan.Win32.AutoIt.bn
Category:Malware
Type:Trojan
Platform:W32

Summary



Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Trojan:W32/Autoit.BN is a trojan that copies itself to USB memory sticks, deletes anti-virus software, and changes system settings.

Installation

When executed, AutoIt.BN copies itself to the following location on the hard drive:

  • %windir%\system32\Microsoft\msmsgs.exe

Note: %Windir% represents the default Windows folder.

AutoIt.BN also copies itself to removable drives as a file called system.exe.

Additionally it also makes another copy of itself to removable drives with which it tries to impersonate a pre-existing folder. The trojan alphabetically searches the root folder of removable drives for the first entry that has no file extension. It then copies itself to the same root folder using the name of the folder it discovers and uses a file extension of EXE.

The folder the trojan impersonates will be set as a hidden file. This masquerade is improved by changing the registry in such a way that known file extensions are hidden so that the EXE extension is not visible. Hidden files are not visible in Explorer even if the system user adjusts the folder options to show hidden files.

The trojan does not necessarily "replace" a folder, as files do not always have an extension. The fact the trojan's icon resembles a folder implies that the intent of the author was to replace folders.

Activity

Once run, Trojan:W32/AutoIt.BN checks the currently running processes for the following programs:

  • Microsoft Management Console (mmc.exe)
  • Microsoft Restore Console (rstrui.exe)
  • Registry Editor (regedit.exe)
  • System Configuration utility (msconfig.exe)
  • Task Manager (taskmgr.exe)

If any of the programs are running the trojan restarts the computer.

The following processes will be terminated by the trojan:

  • cmd.exe
  • handydriver.exe
  • kerneldrive.exe
  • nod32krn.exe
  • nod32kui.exe
  • winsystem.exe
  • Wscript.exe

Interestingly, handydriver.exe, kerneldrive.exe, and winsystem.exe are often used by other malicious programs. Trojan:W32/AutoIt.BN also deletes the autorun.inf file from fixed drives so it is possible the trojan is attempting to dominate other autorun malware.

Registry Changes

The following registry entries are set:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SuperHidden = 00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden = 00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden = 00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFind = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableTaskMgr = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableRegistryTools = 00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Microsoft\Msmsgs.exe

The purpose of the registry modifications is to make detecting and removing the trojan more difficult. The last entry in the list executes the trojan at startup so it gets run when the infected computer is booted.

The following registry entries are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window title
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn ImagePath

The following files are deleted:

  • %C:\%Program Files\ESET\nod32.exe
  • %C:\%Program Files\ESET\nod32kui.exe
  • %C:\%Program Files\ESET\nod32krn.exe

By deleting the three files and removing two of its registry keys the trojan tries to render NOD32 antivirus program inoperable. Trojan:W32/AutoIt.BN remains memory resident once executed and repeats all operations every 40 seconds, making manual disinfection very difficult while the trojan is running.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More