
Win32.Worm.Autoit.P


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Autoit.P is also known as Trojan-Downloader.Win32.Agent.akh.

Explanation:

The malware is written in AutoIt, which is a "BASIC-like scripting language designed for automating the Windows GUI and general scripting".

Once executed, the worm:
- checks whether a "system.exe" process exists and, if it does, executes "explorer.exe" from the system directory
- exits if any of the following processes are running:
* msconfig.exe
* rstrui.exe
* regedit.exe
* taskmgr.exe

- tries to kill the following processes if they are running:
* winsystem.exe
* handydriver.exe
* kerneldrive.exe
* wscript.exe
* cmd.exe
* nod32krn.exe
* nod32kui.exe

- copies itself as:
* %windir%\msmsgs.exe
* %windir%\wininit.exe
and modifies a registry key so that it is run at every system startup

- modifies settings of explorer so that file extensions are hidden
- modifies settings of explorer so that hidden files are not shown
- modifies settings to disable Task Manager
- modifies settings to disable Regedit

- copies itself to the root of all non-removable drives as "system.exe" and adds an autorun.inf file so that it is executed automatically each time the drive is activated or browsed
- deletes the following registry keys:
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn\ImagePath
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv\ImagePath
* HKEY_CLASSES_ROOT\lnkfile\isShortcut

- deletes the following files:
* %program files dir%\ESET\nod32.exe
* %program files dir%\ESET\nod32kui.exe
* %program files dir%\ESET\nod32krn.exe

- downloads the following files from the internet:
* http://ppt.th.gs/[removed]/bad1.exe
* http://ppt.th.gs/[removed]/bad2.exe
* http://ppt.th.gs/[removed]/bad3.exe
into the Windows directory and adds them to Windows startup
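The following PowerShell triage script is an added example, not part of BitDefender's write-up: it checks a host for the artifacts listed above (dropped copies in %windir%, the Explorer and policy settings, startup entries, and system.exe plus autorun.inf on fixed drives). The registry value names HideFileExt, Hidden, DisableTaskMgr and DisableRegistryTools are the standard Windows settings behind the behaviours described; the page does not name them. The Run-key location for the startup entry and the shape of the autorun.inf directives are assumptions.

```powershell
# Added triage script for Win32.Worm.Autoit.P artifacts (not from the advisory).
# Run in an elevated PowerShell session; it only reads, never modifies.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies in the root of %windir% (the legitimate wininit.exe lives in System32)
foreach ($name in 'msmsgs.exe', 'wininit.exe') {
    $p = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $p) { $findings.Add("dropped file present: $p") }
}

# 2. Explorer settings the worm flips: hide extensions, do not show hidden files
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$a = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($a.HideFileExt -eq 1) { $findings.Add('Explorer: file extensions hidden (HideFileExt=1)') }
if ($a.Hidden -eq 2)      { $findings.Add('Explorer: hidden files not shown (Hidden=2)') }

# 3. Task Manager and Regedit disabled through user policy
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$s = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
if ($s.DisableTaskMgr -eq 1)       { $findings.Add('policy: Task Manager disabled (DisableTaskMgr=1)') }
if ($s.DisableRegistryTools -eq 1) { $findings.Add('policy: Regedit disabled (DisableRegistryTools=1)') }

# 4. Startup entries referencing the dropped copies (assumption: the worm uses the Run keys;
#    the bad[1-3].exe names are the URL file names and may differ on disk)
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Run"
    $r = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $r) { continue }
    foreach ($prop in $r.PSObject.Properties) {
        if ("$($prop.Value)" -match 'msmsgs\.exe|wininit\.exe|bad[123]\.exe') {
            $findings.Add("startup entry $hive Run\$($prop.Name) = $($prop.Value)")
        }
    }
}

# 5. system.exe and an autorun.inf that launches it at the root of each fixed drive
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    $root = $d.DeviceID + '\'
    if (Test-Path -LiteralPath (Join-Path $root 'system.exe')) { $findings.Add("system.exe at $root") }
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw
        # assumed directive shape: open= / shellexecute= / shell\...\command= pointing at system.exe
        if ($text -match '(?im)^\s*(open|shellexecute|shell\\.*\\command)\s*=.*system\.exe') {
            $findings.Add("autorun.inf on $root launches system.exe")
        }
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Win32.Worm.Autoit.P artifacts found' }
```

Any hit is a reason to isolate the host and re-image rather than clean by hand, since the worm also reseeds every fixed drive.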

Last update 21 November 2011
