
Worm:Win32/Autorun.PL


First posted on 22 January 2013.
Source: Microsoft

Aliases:

Worm:Win32/Autorun.PL is also known as Worm/VB.DGO (AVG), W32.Mournor (Symantec), W32/VBWorm.RVF (Norman), W32/Worm.XIM (Command), Win32.HLLW.Autoruner.1744 (Dr.Web), Win32/AutoRun.ARX (ESET), Worm.Win32.Autorun (Ikarus), Worm.Win32.VB.azx (Kaspersky), Worm/Win32.AutoRun (AhnLab), WORM_VB.GYF (Trend Micro).

Explanation:



Installation

When run, Worm:Win32/Autorun.PL creates two copies of itself in the <system folder>, using the following names:

  • services.exe
  • sysanalysis.exe

Note that services.exe is also the name of the legitimate Service Control Manager binary that lives in the <system folder>, so the file name alone is not an indicator; a copy has to be compared by hash or signature against a known-good file.


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".

The worm makes two copies of the system file "%windir%\explorer.exe". It places one copy in the <system folder>, using the file's original name. It leaves the second copy in the %windir% folder but renames it by appending 15 random digits to the file name, for example "C:\Windows\explorer.exe650504708290100".

The worm then replaces the original system file "explorer.exe" in %windir% with a copy of itself.

Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".

The worm also deletes "explorer.exe" from "<system folder>\dllcache".

When a user logs on, Windows starts the system file "explorer.exe" as the shell (it is the program named by the Winlogon "Shell" value). By replacing that file with its own copy, the worm ensures that it is run at every logon without adding a Run key or any other conventional autostart entry. It is also why the worm has to start a saved copy of the original itself (see Payload below): without it, the user would have no desktop.
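The installation steps above leave file-system traces that can be checked directly on a suspect host. The following PowerShell script is an added triage example and is not part of the Microsoft write-up; it assumes Windows PowerShell 4 or later (for Get-FileHash), an elevated session, and 64-bit PowerShell on x64 so that System32 is not redirected to SysWOW64. It only reports and changes nothing.

```powershell
# Added triage example (not from the original write-up). Read-only.
# Assumes Windows PowerShell 4+ (Get-FileHash) in an elevated, non-WOW64 session.

$windir   = $env:SystemRoot                # %windir%, e.g. C:\Windows
$sysdir   = Join-Path $windir 'System32'   # <system folder>
$findings = New-Object System.Collections.Generic.List[string]

function Get-Sha256([string]$Path) {
    # Returns $null when the file does not exist, so callers can test for presence.
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# 1. The worm leaves the genuine explorer.exe next to its own copy, renamed with
#    15 appended digits (explorer.exe650504708290100). A clean host has no such file.
$renamed = Get-ChildItem -LiteralPath $windir -File -Force |
    Where-Object { $_.Name -match '^explorer\.exe\d{15}$' }
foreach ($f in $renamed) { $findings.Add("Renamed original explorer.exe: $($f.FullName)") }

# 2. %windir%\explorer.exe, System32\services.exe and System32\sysanalysis.exe are
#    all copies of the worm on an infected host, so they share a hash. services.exe
#    is also a legitimate system binary, so only the hash match is meaningful.
$shell   = Get-Sha256 (Join-Path $windir 'explorer.exe')
$dropped = @{
    'services.exe'    = Get-Sha256 (Join-Path $sysdir 'services.exe')
    'sysanalysis.exe' = Get-Sha256 (Join-Path $sysdir 'sysanalysis.exe')
}
foreach ($name in $dropped.Keys) {
    if ($dropped[$name] -and $dropped[$name] -eq $shell) {
        $findings.Add("$name in System32 is byte-identical to %windir%\explorer.exe")
    }
}
if ($dropped['sysanalysis.exe']) { $findings.Add("Dropped file present: $sysdir\sysanalysis.exe") }

# 3. The copy of the real shell that the worm placed in System32 should hash to a
#    different value than the file now serving as the shell.
$saved = Get-Sha256 (Join-Path $sysdir 'explorer.exe')
if ($saved -and $shell -and $saved -ne $shell) {
    $findings.Add("System32\explorer.exe differs from %windir%\explorer.exe (saved original vs. active shell)")
}

# 4. On Windows 2000/XP the File Protection cache should hold explorer.exe; the
#    worm deletes it so that WFP cannot restore the genuine shell.
$dllcache = Join-Path $sysdir 'dllcache'
if ((Test-Path -LiteralPath $dllcache) -and
    -not (Test-Path -LiteralPath (Join-Path $dllcache 'explorer.exe'))) {
    $findings.Add("dllcache\explorer.exe is missing")
}

if ($findings.Count -gt 0) { $findings } else { 'No Worm:Win32/Autorun.PL file-system indicators found.' }
```

If check 1 fires, the renamed file is the genuine shell and can be hashed against a known-good explorer.exe from installation media before it is moved back; do that only after the worm's copies have been removed, since the worm re-replaces the shell each time it runs.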

Spreads via...

Removable drives

Worm:Win32/Autorun.PL copies itself as an executable file (EXE) to any removable drive connected to the computer. We have observed it using the file name "Mourn_Operator.exe", and also a file name made of Chinese characters, such as "酷图.exe", which translates to "cool picture.exe". A name like this is meant to lure the user into opening the file, at which point the worm runs and performs its installation on whatever computer the drive is connected to.

It also places an autorun.inf file in the root directory of removable drives. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

This is common malware behavior, used to spread from computer to computer.

Note that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media. Note also that Windows 7 and later, and Windows XP and Vista with the 2011 AutoRun update applied, no longer honour autorun.inf on USB drives and other non-optical removable media; on those systems the copy on the drive runs only if a user opens it.
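Rather than trusting file names on a drive, an analyst wants to know what its autorun.inf would actually launch. The following PowerShell script is an added example, not code from the Microsoft write-up; it enumerates removable drives, parses the [autorun] section of any autorun.inf it finds, and lists executables at the drive root with their attributes. It assumes Windows PowerShell 3 or later and the WMI provider; the two file names it flags are the ones the write-up reports.

```powershell
# Added example (not from the original write-up). Read-only.
# Assumes Windows PowerShell 3+ and WMI (Win32_LogicalDisk).

$knownNames = '^(Mourn_Operator\.exe|酷图\.exe)$'   # names reported in the write-up

# DriveType 2 = removable disk (USB sticks, card readers)
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($disk in $removable) {
    $drive = $disk.DeviceID            # e.g. E:
    $root  = $drive + '\'
    $inf   = Join-Path $root 'autorun.inf'

    if (Test-Path -LiteralPath $inf) {
        $item = Get-Item -LiteralPath $inf -Force
        "$drive autorun.inf present (attributes: $($item.Attributes))"

        # autorun.inf is INI-formatted; only keys inside [autorun] are honoured.
        $inSection = $false
        foreach ($raw in (Get-Content -LiteralPath $inf -Force)) {
            $line = $raw.Trim()
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'autorun'); continue }
            if (-not $inSection -or $line -eq '' -or $line.StartsWith(';')) { continue }
            # open=, shellexecute=, shell= and shell\<verb>\command= all name a program
            # to run; icon= is reported too because it controls how the drive is shown.
            if ($line -match '^(open|shellexecute|icon|shell|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
                "$drive   $($Matches[1]) -> $($Matches[2])"
            }
        }
    }

    # Executables at the root, including hidden/system ones. The name match is
    # a hint only: the worm's file name varies.
    Get-ChildItem -LiteralPath $root -File -Force -Filter '*.exe' | ForEach-Object {
        $flag = if ($_.Name -match $knownNames) { 'KNOWN NAME' } else { '' }
        "$drive   $($_.Name)  $($_.Length) bytes  $($_.Attributes) $flag"
    }
}
```

Whatever the parser reports, AutoRun can be switched off for every drive type by setting the REG_DWORD value NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; on systems that still honour autorun.inf for USB media, that removes the automatic launch and leaves only the lure file name.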



Payload

Modifies system settings

Worm:Win32/Autorun.PL may modify your computer's security settings by making a number of changes to the registry.

It may prevent the display of files and folders that have "SYSTEM" and "HIDDEN" attributes:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "ShowSuperHidden"
With data: "0"

It may remove the Folder Options item from all Windows Explorer menus and the Control Panel:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "1"

It may prevent the display of file extensions in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Sets value: "CheckedValue"
With data: "0"
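The registry changes listed above can be audited and, once the worm's files are gone, reversed. The following PowerShell script is an added example and not part of the Microsoft write-up. It reads each value the write-up names, reports whether it currently holds the data the worm writes, and with -Fix restores the user-facing Explorer settings (ShowSuperHidden, Hidden and HideFileExt under the Advanced key) and removes the NoFolderOptions policy and the two per-user template values. It assumes it is run as the affected user, saved as a .ps1 file, and that the genuine explorer.exe has already been restored; otherwise the worm simply re-applies the changes at the next logon.

```powershell
# Added example (not from the original write-up). Save as Audit-ExplorerSettings.ps1;
# run without arguments to report, with -Fix to restore. Run as the affected user,
# after the worm's copies and the replaced explorer.exe have been dealt with.
param([switch]$Fix)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Values from the write-up, with the data the worm writes to each.
$checks = @(
    @{ Key = $advanced;                          Name = 'ShowSuperHidden'; Bad = 0 },
    @{ Key = "$advanced\Folder\Hidden\SHOWALL";  Name = 'ShowSuperHidden'; Bad = 0 },
    @{ Key = $policies;                          Name = 'NoFolderOptions'; Bad = 1 },
    @{ Key = "$advanced\Folder\HideFileExt";     Name = 'CheckedValue';    Bad = 0 }
)

function Get-RegData([string]$Key, [string]$Name) {
    # $null when the key or the value is absent; the data may be REG_DWORD or REG_SZ.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $p = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    $p.$Name
}

foreach ($c in $checks) {
    $data  = Get-RegData $c.Key $c.Name
    $state = if ($null -eq $data)                   { 'absent' }
             elseif ([string]$data -eq [string]$c.Bad) { 'TAMPERED' }
             else                                      { 'ok' }
    '{0,-9} {1}\{2} = {3}' -f $state, $c.Key, $c.Name, $data
}

if ($Fix) {
    # User-facing settings an analyst wants while cleaning up: show protected OS
    # files, show hidden files, show extensions.
    Set-ItemProperty -LiteralPath $advanced -Name ShowSuperHidden -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $advanced -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -LiteralPath $advanced -Name HideFileExt     -Value 0 -Type DWord

    # The policy value and the per-user copies of the Folder Options templates
    # are not present on a clean profile (assumption), so remove the values.
    if (Test-Path -LiteralPath $policies) {
        Remove-ItemProperty -LiteralPath $policies -Name NoFolderOptions -ErrorAction SilentlyContinue
    }
    foreach ($c in $checks[1], $checks[3]) {
        if (Test-Path -LiteralPath $c.Key) {
            Remove-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        }
    }
    'Settings restored; sign out and back in (or restart explorer.exe) for them to take effect.'
}
```

Explorer reads these values when it starts, so a report of "ok" after -Fix does not mean the running shell already honours them; restart it, and re-run the audit after the next logon to confirm nothing has rewritten them.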

When run, the worm also launches a saved copy of the original "explorer.exe". This keeps the desktop usable now that the worm occupies the shell's file name; a visible side effect is that a File Explorer window opens.



Analysis by Patrik Vicol

Last update 22 January 2013
