
F-Secure Malware Information Pages: Worm:W32/AutoRun.CNS


Name: Worm:W32/AutoRun.CNS
Alias: Worm.Win32.AutoRun.cns
Size: 258605
Type: Worm
Category: Malware
Platform: W32

Summary
Worm.Win32.AutoRun.cns attempts to deliver its payload on the 21st of each month.

It renders the system unusable by deleting system files.

This worm also spreads via removable drives and terminates system processes as well as antivirus processes.

Detailed Description
Upon execution, Autorun.CNS will check to see if the date is the 21st of the month. If so, it will then proceed with its payload.

If it is not the 21st of the month, Autorun.CNS will perform the following actions:

It creates an autorun registry entry.

It checks if %windir%\autorun.inf exists and then modifies it to point to itself. It then sets the file's attributes to +R+H+S (read-only, hidden, system):

  • [autorun]
  • open=explorcr.exe
  • shellexecute=explorcr.exe

The following files will then be copied to all discovered fixed and removable drives:

  • %windir%\autorun.inf
  • %original path%\explorcr.exe
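A triage helper, added here as an example and not part of F-Secure's description: it parses an autorun.inf, flags `open=`/`shellexecute=` entries that launch the dropper name given above, and checks for the +R+H+S attribute combination the worm sets. The sample autorun.inf content is constructed from the section shown above; function names are my own.

```python
import os
import stat

# Executable name the worm writes into autorun.inf (from the description above);
# the near-miss spelling ("explorcr" rather than "explorer") is the tell to look for.
KNOWN_DROPPER = "explorcr.exe"
# Constructed sample matching the [autorun] section shown above (not a captured file).
SAMPLE_INF = "[autorun]\r\nopen=explorcr.exe\r\nshellexecute=explorcr.exe\r\n"


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict of lowercased key -> value (tolerates junk lines)."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text, dropper=KNOWN_DROPPER):
    """List the keys (open / shellexecute) whose target file name is the dropper binary."""
    entries = parse_autorun_inf(text)
    hits = []
    for key in ("open", "shellexecute"):
        target = entries.get(key, "").replace("\\", "/")  # accept Windows-style paths too
        if os.path.basename(target).lower() == dropper.lower():
            hits.append(key)
    return hits


def has_rhs_attributes(path):
    """True when a file carries +R+H+S; Windows only (no st_file_attributes elsewhere -> False)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_READONLY | stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & wanted == wanted


def scan_drive_root(root):
    """Triage one drive root: which autorun keys launch the dropper, whether autorun.inf
    is +R+H+S, and whether the dropper sits beside it. Returns None if there is no autorun.inf."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return None
    with open(inf, encoding="latin-1") as fh:
        keys = autorun_findings(fh.read())
    return {"launch_keys": keys, "inf_rhs": has_rhs_attributes(inf),
            "dropper_present": os.path.isfile(os.path.join(root, KNOWN_DROPPER))}
```

Run `scan_drive_root("E:\\")` (or any mounted removable drive root) on a Windows host; a non-empty `launch_keys` together with `inf_rhs` and `dropper_present` matches the infection pattern described here.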

It makes a copy of itself to the windows system folder, usually C:\Windows\System32.

It changes the attribute of file %windir%\wininit.exe to read-only.

It changes the attributes of the file %windir%\explorcr.exe to +R+H+S (read-only, hidden, system).

It deletes the following files from the Program Files directory:

  • ESET\nod32.exe
  • ESET\nod32krn.exe
  • ESET\nod32kui.exe

Payload

On the 21st of the month, Autorun.CNS will attempt the actions listed below.

Autorun.CNS displays a "HAPPY BIRTHDAY" tool tip below the mouse pointer.

It terminates the following processes if they are running or upon execution:

  • cmd.exe
  • handydriver.exe
  • kerneldrive.exe
  • nod32krn.exe
  • nod32kui.exe
  • winsystem.exe
  • Wscript.exe

It looks for the following files (which are normally present on a Windows system):

  • %windir%\win.ini
  • %windir%\system.ini
  • c:\ntldr

If the files are discovered, it will display a decoy message box showing a progress bar with the following string:

  • Wait! Now rnning antivirus killer.

It then deletes the files.

Autorun.CNS creates registry entries so that users cannot use:

  • Registry editor
  • Task manager

If the applications listed below are started, the user is shown a "Security Check" dialog box asking for an administrator password.

If the password is incorrect, it will produce a long beeping sound.

Applications:

  • msconfig.exe
  • rstrui.exe
  • regedit.exe

After providing the correct password, the computer will be forced to restart. This will render the computer unusable since important system files are deleted.

Additional Information:

This worm is compiled with AutoIt v3.

F-Secure Corporation

Last Modified: May 09, 2008