Threat Description

Worm:​W32/Autorun.BHX

Details

Aliases:Worm.Win32.AutoRun.bhx
Category:Malware
Type:Worm
Platform:W32

Summary



Worm:W32/Autorun.BHX spreads by copying itself to removable drives and attempts to steal username and password information for several different online games.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Worm:W32/Autorun.BHX attempts to spread by copying itself to removable drives as xadeiect.com.For more information on the Autorun infection method see our Worm:W32/Autorun family description.The primary payload for Autorun.BHX is to steal username and password information for online games.The following games are among the targeted:

  • Dekaron
  • MapleStory
  • Perfect World
  • Ragnarok Online
  • Seal Online
  • Yulgang
  • Zheng Tu Online

File System Changes

Creates these files:

  • %temp%\n2mmf2qu.dll
  • %windir%\system32\kavo.exe
  • %windir%\system32\kavo0.dll

Modified these files:

  • %temp%\6itt.sys
  • %windir%\system32\wincab.sys

Uses these temporary files:

  • %temp%\6itt.sys
  • %windir%\system32\wincab.sys

Network Connections

Attempts to download files from:

  • http://www.microsofttw.com/jj/[REMOVED].rar

Registry Modifications

Sets these values:

  • HKLM\System\CurrentControlSet\Services\athyd Type = 00000001 Start = 00000003 ErrorControl = 00000001 ImagePath = \??\C:\WINDOWS\system32\wincab.sys DisplayName = athyd by %windir%\system32\services.exe (PID:652)
  • HKLM\System\CurrentControlSet\Services\athyd\Security Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\x00\x14\x00\x00\x00\x30\x00\x00\x00\x02\x00\x1C\x00\x01\x00\x00\x00\x02\x80\x14\x00\xFF\x01\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x00\x60\x00\x04\x00\x00\x00\x00\x00\x14\x00\xFD\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x00\x18\x00\xFF\x01\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00\x00\x00\x14\x00\x8D\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0B\x00\x00\x00\x00\x00\x18\x00\xFD\x01\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x23\x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00 by %windir%\system32\services.exe (PID:652)
  • HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run kava = C:\WINDOWS\system32\kavo.exe by %cwd%\sample.exe (PID:1548) [Launchpoint: Run]

Creates these keys:

  • HKLM\System\CurrentControlSet\Services\athyd by services.exe (PID: 652)
  • HKLM\System\CurrentControlSet\Services\athyd\Security by services.exe (PID: 652)

Stealth Features

Installs these hooks:

  • ntoskrnl.exe!NtOpenProcess SSDT hook to 0xf87f07d0 in %windir%\system32\wincab.sys Kernel process (PID: 0)
  • ntoskrnl.exe!NtEnumerateValueKey SSDT hook to 0xf87f09a2 in %windir%\system32\wincab.sys Kernel process (PID: 0)
  • ntoskrnl.exe!NtEnumerateKey SSDT hook to 0xf87f0aae in %windir%\system32\wincab.sys Kernel process (PID: 0)





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More