First posted on 30 January 2012.
Worm:Win32/Autorun.AEA is also known as Win32.HLLW.Autoruner.63662 (Dr.Web), Win32/AutoRun.VB.APO (ESET), Trojan-Ransom.Win32.DoubleEagle.ld (Kaspersky), W32/Autorun.worm!oc (McAfee), TROJ_SPNR.03A312 (Trend Micro).
Worm:Win32/Autorun.AEA is a worm that spreads to other drives as a files named "syskernel.exe" and "new folder1.exe". The worm terminates certain Windows utilities such as Task Manager and Registry Editor and also renames files having certain extensions.
Worm:Win32/Autorun.AEA is a worm that spreads to other drives as files named "syskernel.exe" and "new folder1.exe". The worm terminates certain Windows utilities such as Task Manager and Registry Editor and also renames files having certain extensions.
When run, Worm:Win32/Autorun.AEA copies itself as the following files with 'system', 'hidden' and 'read-only' file attributes:
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. The registry is modified to run the copies of the worm at each Windows start. In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- <system folder>\syskernel.exe
Sets value: "sysBoot" With data: "<system folder>\syskernel.exe" In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Sets value: "sysStart"With data: "c:\syswin.exe 1" In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunSets value: "sysBoot"With data: "<system folder>\syskernel.exe" In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunSets value: "sysStart"With data: "c:\syswin.exe 1" The worm writes other registry data. In subkey: HKCU\Software\AppleTech\StartupSets value: "Value"With data: "1"Spreads via...Removable and network drivesWorm:Win32/Autorun.AEA drops copies of itself in removable and network drives, for example:
The worm writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically. Worm:Win32/Autorun.AEA changes the file attributes of all of its dropped copies in the root directory of the targeted drive to 'system', 'hidden' and 'read-only'.
- <drive:>\new folder1.exe
Terminates Windows utility applicationsWorm:Win32/Autorun.AEA terminates the following applications and prevents them from executing:
Renames filesThis worm searches for all files having the file extensions ".jpg", ".emb" and ".dst". If a file is located, the worm renames the file extension to ".gif", ".ini" or ".ocx". For example, the worm might rename "file.jpg" to "file.gif", or "file.dst" to "file.ini".
- taskmgr.exe - Windows Task Manager
- msconfig.exe - Microsoft Config Utility
- regedit.exe - Registry Editor
Analysis by Edgardo Diaz
Last update 30 January 2012