
F-Secure Malware Information Pages: Worm:W32/Autorun.BHX


Name: Worm:W32/Autorun.BHX
Detection Names: Worm.Win32.AutoRun.bhx
Aliases: W32/Autorun-AD (Sophos), PWS:Win32/OnLineGames.CQO (Microsoft)
Type: Worm
Category: Malware
Platform: W32

Summary
Worm:W32/Autorun.BHX spreads by copying itself to removable drives and attempts to steal username and password information for several different online games.

Details


File System Changes
Creates these files:

  • %temp%\n2mmf2qu.dll
  • %windir%\system32\kavo.exe
  • %windir%\system32\kavo0.dll


Modifies these files:

  • %temp%\6itt.sys
  • %windir%\system32\wincab.sys


Uses these temporary files:

  • %temp%\6itt.sys
  • %windir%\system32\wincab.sys



Network Connections
Attempts to download files from:

  • http://www.microsofttw.com/jj/[REMOVED].rar



Registry Modifications
Sets these values:

  • HKLM\System\CurrentControlSet\Services\athyd
    Type = 00000001
    Start = 00000003
    ErrorControl = 00000001
    ImagePath = \??\C:\WINDOWS\system32\wincab.sys
    DisplayName = athyd
    by %windir%\system32\services.exe (PID:652)
  • HKLM\System\CurrentControlSet\Services\athyd\Security
    Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\x00\x14\x00\x00\x00\x30\x00\x00\x00\x02\x00\x1C\x00\x01\x00\x00\x00\x02\x80\x14\x00\xFF\x01\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x00\x60\x00\x04\x00\x00\x00\x00\x00\x14\x00\xFD\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x00\x18\x00\xFF\x01\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00\x00\x00\x14\x00\x8D\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0B\x00\x00\x00\x00\x00\x18\x00\xFD\x01\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x23\x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00
    by %windir%\system32\services.exe (PID:652)
  • HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run
    kava = C:\WINDOWS\system32\kavo.exe
    by %cwd%\sample.exe (PID:1548) [Launchpoint: Run]
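The Security value above is a raw self-relative SECURITY_DESCRIPTOR for the athyd service object, and it is worth decoding before cleanup: it tells you which accounts can stop and delete the service that loads wincab.sys. The script below is an added example (not F-Secure's tooling, and not part of the original description) that parses exactly the bytes listed above, prints the owner, SACL and DACL with service-right names, and answers whether a given SID holds both SERVICE_STOP and DELETE. The right-name table and well-known SID names are standard Windows constants; the access check is a simplified per-SID view (it does not expand group membership the way a real AccessCheck would).

```python
"""Decode the athyd service's Security value (a self-relative
SECURITY_DESCRIPTOR) and report who may stop or delete the service.
Added illustration for this description, not F-Secure's own code."""
import struct

# The Security value of HKLM\System\CurrentControlSet\Services\athyd\Security,
# transcribed from the listing above (168 bytes).
ATHYD_SECURITY = bytes.fromhex(
    "01001480" "90000000" "9c000000" "14000000" "30000000"   # header, offsets
    "02001c00" "01000000"                                    # SACL: 1 ACE
    "02801400" "ff010f00" "0101000000000001" "00000000"      # audit failures, Everyone
    "02006000" "04000000"                                    # DACL: 4 ACEs
    "00001400" "fd010200" "0101000000000005" "12000000"      # allow S-1-5-18
    "00001800" "ff010f00" "0102000000000005" "20000000" "20020000"  # allow BA
    "00001400" "8d010200" "0101000000000005" "0b000000"      # allow S-1-5-11
    "00001800" "fd010200" "0102000000000005" "20000000" "23020000"  # allow PU
    "0101000000000005" "12000000"                            # owner S-1-5-18
    "0101000000000005" "12000000"                            # group S-1-5-18
)

# Service-object access rights (winsvc.h / winnt.h standard rights).
SERVICE_RIGHTS = {
    0x00001: "SERVICE_QUERY_CONFIG", 0x00002: "SERVICE_CHANGE_CONFIG",
    0x00004: "SERVICE_QUERY_STATUS", 0x00008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x00010: "SERVICE_START", 0x00020: "SERVICE_STOP",
    0x00040: "SERVICE_PAUSE_CONTINUE", 0x00080: "SERVICE_INTERROGATE",
    0x00100: "SERVICE_USER_DEFINED_CONTROL", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LocalSystem", "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
}
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0, 1
SERVICE_STOP, DELETE = 0x0020, 0x10000


def parse_sid(buf, off):
    """Return (SID string, byte length) for the SID at buf[off]."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)   # subauthorities, LE
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """Return the ACEs of the ACL at buf[off] as dicts (type, flags, mask, sid)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ace_type, "flags": flags, "mask": mask, "sid": sid})
        pos += ace_size                    # ACE sizes are self-describing
    return aces


def parse_security_descriptor(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR into owner/group/DACL/SACL."""
    rev, _sbz, control, owner_off, group_off, sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {
        "control": control,
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        "dacl": parse_acl(buf, dacl_off) if control & SE_DACL_PRESENT and dacl_off else [],
        "sacl": parse_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else [],
    }


def granted_rights(sd, sid):
    """Rights the DACL grants directly to `sid`: allow bits minus deny bits.
    Simplification: no group expansion, so this is per-ACE, not a full AccessCheck."""
    allowed = denied = 0
    for ace in sd["dacl"]:
        if ace["sid"] != sid:
            continue
        if ace["type"] == ACCESS_ALLOWED_ACE_TYPE:
            allowed |= ace["mask"]
        elif ace["type"] == ACCESS_DENIED_ACE_TYPE:
            denied |= ace["mask"]
    return allowed & ~denied


def rights_to_names(mask):
    return [name for bit, name in sorted(SERVICE_RIGHTS.items()) if mask & bit]


def can_remove_service(sd, sid):
    """True if `sid` may both stop the service and delete its registration."""
    rights = granted_rights(sd, sid)
    return bool(rights & SERVICE_STOP) and bool(rights & DELETE)


if __name__ == "__main__":
    sd = parse_security_descriptor(ATHYD_SECURITY)
    print("owner:", sd["owner"], WELL_KNOWN_SIDS.get(sd["owner"], ""))
    for label in ("sacl", "dacl"):
        for ace in sd[label]:
            print("%s type=%d flags=0x%02x %-20s %s" % (
                label.upper(), ace["type"], ace["flags"],
                WELL_KNOWN_SIDS.get(ace["sid"], ace["sid"]),
                ",".join(rights_to_names(ace["mask"]))))
    for sid in ("S-1-5-32-544", "S-1-5-11", "S-1-5-18"):
        print("%-20s can stop+delete: %s" % (WELL_KNOWN_SIDS[sid], can_remove_service(sd, sid)))
```

Decoded, the descriptor is the stock default that the Service Control Manager assigns to a new service: LocalSystem owns it, Administrators hold full control (SERVICE_ALL_ACCESS, including SERVICE_STOP and DELETE), Authenticated Users and Power Users get only query/start-class rights, and the SACL audits failed access by Everyone. The rootkit did not harden its own service object, so an administrator can stop and delete athyd once the driver is no longer hiding it. The caveat is the hook list in the Stealth Features section: with wincab.sys loaded, NtEnumerateKey and NtEnumerateValueKey are hooked, so the key may not appear when enumerated from user mode on the live system; read the Security value from an offline hive copy, or after booting without the driver, before relying on what a live enumeration shows.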


Creates these keys:

  • HKLM\System\CurrentControlSet\Services\athyd
    by services.exe (PID: 652)
  • HKLM\System\CurrentControlSet\Services\athyd\Security
    by services.exe (PID: 652)



Stealth Features
Installs these hooks:

  • ntoskrnl.exe!NtOpenProcess
    SSDT hook to 0xf87f07d0 in %windir%\system32\wincab.sys
    Kernel process (PID: 0)
  • ntoskrnl.exe!NtEnumerateValueKey
    SSDT hook to 0xf87f09a2 in %windir%\system32\wincab.sys
    Kernel process (PID: 0)
  • ntoskrnl.exe!NtEnumerateKey
    SSDT hook to 0xf87f0aae in %windir%\system32\wincab.sys
    Kernel process (PID: 0)



Additional Details
Worm:W32/Autorun.BHX attempts to spread by copying itself to removable drives as xadeiect.com.

For more information on the Autorun infection method see our Worm:W32/Autorun family description.

The primary payload for Autorun.BHX is to steal username and password information for online games.

The following games are among those targeted:

  • Dekaron
  • MapleStory
  • Perfect World
  • Ragnarok Online
  • Seal Online
  • Yulgang
  • Zheng Tu Online



F-Secure Corporation

Last Modified: August 27, 2008