F-Secure
Tools
Worm:W32/AutoRun.CNS
| Name : | Worm:W32/AutoRun.CNS |
| Size: | 258605 |
| Category: | Malware |
| Type: | Worm |
| Platform: | W32 |
Summary
Worm.Win32.AutoRun.cns attempts to deliver its payload on the 21st of each month.
It will render the system unusable by deleting the system files.
This worm also spreads via removable drives and terminates system processes as well as antivirus processes.
It will render the system unusable by deleting the system files.
This worm also spreads via removable drives and terminates system processes as well as antivirus processes.
Additional Details
Upon execution, Autorun.CNS will check to see if the date is the 21st of the month. If so, it will then proceed with its payload.
If it is not the 21st of the month, Autorun.CNS will perform the following actions:
It creates an autorun registry entry.
It checks if %windir%\autorun.inf exists and then modifies it to point to itself. It then set the attributes to +R+H+S (read-only, hidden, system).
The following files will then be copied to all discovered fixed and removable drives:
It makes a copy of itself to the windows system folder, usually C:\Windows\System32.
It changes the attribute of file %windir%\wininit.exe to read-only.
It change the attributes of file %windir%\explorcr.exe to +R+H+S (read-only, hidden, system).
It deletes the following files from the Program Files directory:
Payload
On the 21st of the month, Autorun.CNS will attempt the actions listed below.
Autorun.CNS displays a "HAPPY BIRTHDAY" tool tip below the mouse pointer.
It terminates the following processes if they are running or upon execution:
It looks for the following files (which usually are available).
If the files are discovered, it will display a decoy message box showing a progress bar with the following string:
It then deletes the files.
Autorun.CNS creates registry entries so that users cannot use:
If the applications listed below are started, the user will be given a "Security Check" dialog box asking for administrator password.
If the password is incorrect, it will produce a long beeping sound.
Applications:
After providing the correct password, the computer will be forced to restart. This will render the computer unusable since important system files are deleted.
Additional Information:
This worm comes compiled by AutoIt v3.
If it is not the 21st of the month, Autorun.CNS will perform the following actions:
It creates an autorun registry entry.
It checks if %windir%\autorun.inf exists and then modifies it to point to itself. It then set the attributes to +R+H+S (read-only, hidden, system).
• [autorun]
• open=explorcr.exe
• shellexecute=explorcr.exe
The following files will then be copied to all discovered fixed and removable drives:
• %windir%\autorun.inf
• %original path%\explorcr.exe
It makes a copy of itself to the windows system folder, usually C:\Windows\System32.
It changes the attribute of file %windir%\wininit.exe to read-only.
It change the attributes of file %windir%\explorcr.exe to +R+H+S (read-only, hidden, system).
It deletes the following files from the Program Files directory:
• ESET\nod32.exe
• ESET\nod32krn.exe
• ESET\nod32kui.exe
Payload
On the 21st of the month, Autorun.CNS will attempt the actions listed below.
Autorun.CNS displays a "HAPPY BIRTHDAY" tool tip below the mouse pointer.
It terminates the following processes if they are running or upon execution:
• cmd.exe
• handydriver.exe
• kerneldrive.exe
• nod32krn.exe
• nod32kui.exe
• winsystem.exe
• Wscript.exe
It looks for the following files (which usually are available).
• %windir%\win.ini
• %windir%\system.ini
• c:\ntldr
If the files are discovered, it will display a decoy message box showing a progress bar with the following string:
• Wait! Now rnning antivirus killer.
It then deletes the files.
Autorun.CNS creates registry entries so that users cannot use:
• Registry editor
• Task manager
If the applications listed below are started, the user will be given a "Security Check" dialog box asking for administrator password.
If the password is incorrect, it will produce a long beeping sound.
Applications:
• msconfig.exe
• rstrui.exe
• regedit.exe
After providing the correct password, the computer will be forced to restart. This will render the computer unusable since important system files are deleted.
Additional Information:
This worm comes compiled by AutoIt v3.