F-Secure
Tools
Worm:W32/AutoIt.Q
| Name : | Worm:W32/AutoIt.Q |
| Detection Names : |
Win32.Worm.AutoIt |
| Size: | 485692 |
| Category: | Malware |
| Type: | Worm |
| Platform: | W32 |
| Date of Discovery: | November 24, 2008 |
Summary
This malware spreads by copying itself to removable devices and replacing the autorun.inf of the device with its own copy to ensure automatic execution.
Details
File System Changes
Creates these files:
• %windir%\system32\csrcs.exe
• %temp%\suicide.bat
Modified these files:
• %temp%\aut1.tmp
• %temp%\
• %temp%\aut2.tmp
• %temp%\
Process Changes
Creates these processes:
• %windir%\system32\csrcs.exe
• %windir%\system32\cmd.exe
• %windir%\system32\ping.exe
Creates these mutexes:
• 6E523163793968624
Registry Modifications
Sets these values:
• HKLM\Software\Microsoft\DRM\amty
ilop = 1
ilop = 1
• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\MUICache\
C:\WINDOWS\system32\csrcs.exe =
C:\WINDOWS\system32\csrcs.exe =
• HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
csrcs = C:\WINDOWS\system32\csrcs.exe
csrcs = C:\WINDOWS\system32\csrcs.exe
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe csrcs.exe
Shell = Explorer.exe csrcs.exe
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 4718592
Hidden = 4718592
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 4718706
SuperHidden = 4718706
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 4718706
ShowSuperHidden = 4718706
• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 6553701
CheckedValue = 6553701
• HKLM\Software\Microsoft\DRM\amty
fix =
fix =
• HKLM\Software\Microsoft\DRM\amty
fix1 = 1
fix1 = 1
Creates these keys:
• HKLM\Software\Microsoft\DRM\amty
Additional Details
The file called suicide.bat is an installation helper file that deletes the original malware file. It performs a ping loopback on the system to check for the presence of a functioning network card.
After completing its routine, the batch file deletes itself.
After completing its routine, the batch file deletes itself.