Saturday, June 6, 2009

RCE - W32/Autorun.82944


A few days ago I discovered a worm that spreads through a commonly used medium, the USB flash disk. It looks much like other malware of its kind: it is packed with the PECompact packer and the worm itself was written in Microsoft Visual Basic 6.0. It is detected as W32/Autorun.worm!n (McAfee), TR/Crypt.PEPM.Gen (Avira) and Win32.Worm.VB.NXY (BitDefender).

File Information

File Name: various
Size: 82,944 Bytes
Type: Trojan
Static File: Yes
MD5 Checksum: 22b52c23e6dd2809733e011a8eedab03


File Name / Process File Name

This worm commonly uses several file names to disguise itself as a folder. Here are some of the file names this malware has been seen using:

1. romantic.exe
2. forever.exe
3. System Volume Information.exe
4. love.exe
5. task.exe
6. userinit.exe
7. system.exe
8. autorun.inf


There are 2 common process names used by this worm:
1. userinit.exe
2. system.exe

Startup / Registry Alteration

The worm alters the Windows registry so that it is started every time Windows loads. The Userinit value normally points at the real %SystemRoot%\system32\userinit.exe; here it is redirected to the worm's copy, which sits one directory up in %SystemRoot%:

Key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=c:\windows\userinit.exe

Other modified registry keys (these control AutoRun for removable drives, and whether Explorer shows file extensions, hidden files and protected operating system files):
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoDriveTypeAutoRun"
"NoDriveAutoRun"

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt"
"ShowSuperHidden"
"Hidden"
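A quick way to triage a machine for the values listed above is to read them and compare against what a clean install looks like. The script below is an added example and is not code from the original post; the key and value names are the ones listed above, while the "clean" values it compares against (system32 for userinit.exe, 0xFF in NoDriveTypeAutoRun, extensions and hidden files shown) are assumptions about a default Windows install and are noted in the comments.

```python
"""Checks for the startup and Explorer/AutoRun values this worm modifies.

Added example, not code from the original post. The key and value names are
the ones listed in the post; the "clean" values they are compared against are
assumptions about a default Windows install, noted inline.
"""
import ntpath
import sys

# Key paths from the post. The post does not say which hive holds the
# Policies and Advanced keys; both exist per-user (HKCU) and per-machine (HKLM).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Assumed clean Explorer settings: show extensions, show hidden files and
# protected OS files. The worm flips these so that "love.exe" passes as a folder.
EXPECTED_VIEW = {"HideFileExt": 0, "ShowSuperHidden": 1, "Hidden": 1}


def check_userinit(value):
    """Findings for a Winlogon\\Userinit value.

    Winlogon splits the value on commas and runs each entry. The legitimate
    entry is %SystemRoot%\\system32\\userinit.exe (a trailing comma is normal).
    This worm points the value at its own copy in %SystemRoot% instead, and
    another attacker could simply append a second program after the comma.
    """
    findings = []
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    if not entries:
        return ["Userinit value is empty: logons will fail to start a shell"]
    for entry in entries:
        name = ntpath.basename(entry)
        parent = ntpath.basename(ntpath.dirname(entry))
        if name != "userinit.exe":
            findings.append(f"extra program in Userinit: {entry}")
        elif parent != "system32":
            findings.append(f"userinit.exe loaded from outside system32: {entry}")
    return findings


def check_autorun_policy(values):
    """Findings for Policies\\Explorer. 0xFF in NoDriveTypeAutoRun disables
    AutoRun for every drive type; anything less leaves some media live.
    NoDriveAutoRun is a per-drive-letter mask and is only reported."""
    findings = []
    v = values.get("NoDriveTypeAutoRun")
    if v is None:
        findings.append("NoDriveTypeAutoRun missing: AutoRun uses the system default")
    elif (v & 0xFF) != 0xFF:
        findings.append(f"NoDriveTypeAutoRun=0x{v:02X}: AutoRun still enabled for some drive types")
    if "NoDriveAutoRun" in values:
        findings.append(f"NoDriveAutoRun=0x{values['NoDriveAutoRun']:X} (per-drive mask is set)")
    return findings


def check_explorer_view(values):
    """Findings for the Explorer\\Advanced values that hide the worm's files."""
    return [f"{name}={values.get(name)} (expected {good})"
            for name, good in EXPECTED_VIEW.items() if values.get(name) != good]


def read_values(root, key, names):
    """Read the named values from a live registry key (Windows only)."""
    import winreg  # only importable on Windows, so imported here
    out = {}
    try:
        with winreg.OpenKey(root, key) as k:
            for n in names:
                try:
                    out[n] = winreg.QueryValueEx(k, n)[0]
                except FileNotFoundError:
                    pass  # value absent: the check_* functions treat None as a finding
    except FileNotFoundError:
        pass  # key absent
    return out


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live check needs Windows; the check_* functions run anywhere")
    import winreg
    hklm, hkcu = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    userinit = read_values(hklm, WINLOGON_KEY, ["Userinit"]).get("Userinit", "")
    findings = check_userinit(userinit)
    for hive, label in ((hklm, "HKLM"), (hkcu, "HKCU")):
        pol = read_values(hive, POLICIES_KEY, ["NoDriveTypeAutoRun", "NoDriveAutoRun"])
        findings += [f"{label}: {f}" for f in check_autorun_policy(pol)]
        adv = read_values(hive, ADVANCED_KEY, list(EXPECTED_VIEW))
        findings += [f"{label}: {f}" for f in check_explorer_view(adv)]
    print("\n".join(findings) or "no findings")
```

The path comparison uses ntpath so it behaves the same on a non-Windows analysis box; the check_* functions take plain strings and dicts so they can be pointed at values exported from an offline hive just as easily as at the live registry.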

Payload

The worm overwrites the %systemroot%\system32\drivers\etc\hosts file and points every domain it wants to block at localhost (127.0.0.1). Most of the entries are computer security websites, including antivirus, firewall and download sites, so the victim can no longer reach them to fetch updates or removal tools.
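Because the hosts file is consulted before DNS, this kind of sinkholing survives a DNS fix and has to be cleaned in the file itself. The script below is an added example, not the worm's code or anything from the original post: it parses a hosts file, flags every name pointed at a loopback address that is not on a small whitelist, and rewrites only the affected lines. The sample hosts content is constructed, since the page does not reproduce the worm's actual domain list.

```python
"""Find and undo hosts-file sinkholing of the kind described above.

Added example, not the worm's code or anything from the original post. The
sample hosts content is constructed; the page does not reproduce the real
list of blocked domains.
"""
import ipaddress

# Addresses that make a name resolve to nothing useful.
SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback (assumed whitelist).
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in the format of %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com   # trailing comment
127.0.0.1 www.mcafee.com
127.0.0.1 download.com
192.168.1.10 intranet.local
127.0.0.1 localhost www.avira.com
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each valid entry; skip comments,
    blank lines and lines whose first field is not an IP address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, fields[0], [n.lower() for n in fields[1:]]


def find_sinkholed(text):
    """Return (line_no, address, name) for every name pointed at a loopback
    address that is not on the whitelist."""
    return [(line_no, addr, name)
            for line_no, addr, names in parse_hosts(text)
            if addr in SINKHOLE_ADDRS
            for name in names if name not in LEGIT_LOOPBACK]


def clean_hosts(text):
    """Return the hosts text with sinkholed names removed. A line that also
    carries a legitimate name (e.g. localhost) is rewritten rather than
    dropped; all other lines, including comments, are kept verbatim."""
    bad = {}
    for line_no, _, name in find_sinkholed(text):
        bad.setdefault(line_no, set()).add(name)
    out = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if line_no not in bad:
            out.append(raw)
            continue
        comment = raw.split("#", 1)[1] if "#" in raw else None
        fields = raw.split("#", 1)[0].split()
        keep = [n for n in fields[1:] if n.lower() not in bad[line_no]]
        if keep:  # keep the line only if a legitimate name remains
            rebuilt = " ".join([fields[0]] + keep)
            out.append(rebuilt + ("  #" + comment if comment is not None else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, addr, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine, read the file from %SystemRoot%\system32\drivers\etc\hosts, write the cleaned text back from an elevated prompt, and keep the original for the case; the list of sinkholed names is itself a useful indicator of which vendors the sample was trying to block.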

The worm also contains some DDoS attack code, which sends random packets to a target.

Programming

This worm was written by someone new to programming, and to Visual Basic 6 in particular. Looking at the code, it relies on many timers to trigger its malicious functions, which makes the worm unstable and causes it to consume a lot of CPU.

Other Analysis

Here are some strings extracted from the compiled executable.
Download here

Analysis from VirusTotal

VDEF updates for Portable Antivirus are available to download.

1 comment:

  1. W32.virut is a parasitic file infector with polymorphic & backdoor capabilities. Once it has been executed it will inject its code into the winlogon.exe process and create a new thread in that process. Any execution of the infected file will run the viral code first before passing to the host code. W32.virut prevents its execution from running on virtual machines such as VMWare & makes it difficult to trace its presence, threads and processes.

    =============
    Regcure Review
