Also known as a trojan horse program, this is a deceptive program that performs additional actions without the user's knowledge or permission. It does not replicate.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Trojan:W32/Autoit.BN is a trojan that copies itself to USB memory sticks, deletes anti-virus software, and changes system settings.
When executed, AutoIt.BN copies itself to the following location on the hard drive:
Note: %Windir% represents the default Windows folder.
AutoIt.BN also copies itself to removable drives as a file called system.exe.
Additionally it also makes another copy of itself to removable drives with which it tries to impersonate a pre-existing folder. The trojan alphabetically searches the root folder of removable drives for the first entry that has no file extension. It then copies itself to the same root folder using the name of the folder it discovers and uses a file extension of EXE.
The folder the trojan impersonates will be set as a hidden file. This masquerade is improved by changing the registry in such a way that known file extensions are hidden so that the EXE extension is not visible. Hidden files are not visible in Explorer even if the system user adjusts the folder options to show hidden files.
The trojan does not necessarily "replace" a folder, as files do not always have an extension. The fact the trojan's icon resembles a folder implies that the intent of the author was to replace folders.
Once run, Trojan:W32/AutoIt.BN checks the currently running processes for the following programs:
- Microsoft Management Console (mmc.exe)
- Microsoft Restore Console (rstrui.exe)
- Registry Editor (regedit.exe)
- System Configuration utility (msconfig.exe)
- Task Manager (taskmgr.exe)
If any of the programs are running the trojan restarts the computer.
The following processes will be terminated by the trojan:
Interestingly, handydriver.exe, kerneldrive.exe, and winsystem.exe are often used by other malicious programs. Trojan:W32/AutoIt.BN also deletes the autorun.inf file from fixed drives so it is possible the trojan is attempting to dominate other autorun malware.
The following registry entries are set:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SuperHidden = 00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden = 00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt = 00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden = 00000002
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFind = 00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions = 00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableTaskMgr = 00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableRegistryTools = 00000001
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Microsoft\Msmsgs.exe
The purpose of the registry modifications is to make detecting and removing the trojan more difficult. The last entry in the list executes the trojan at startup so it gets run when the infected computer is booted.
The following registry entries are deleted:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window title
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn ImagePath
The following files are deleted:
- %C:\%Program Files\ESET\nod32.exe
- %C:\%Program Files\ESET\nod32kui.exe
- %C:\%Program Files\ESET\nod32krn.exe
By deleting the three files and removing two of its registry keys the trojan tries to render NOD32 antivirus program inoperable. Trojan:W32/AutoIt.BN remains memory resident once executed and repeats all operations every 40 seconds, making manual disinfection very difficult while the trojan is running.