
Worm:Win32/Autorun.AEA


First posted on 30 January 2012.
Source: Microsoft

Aliases:

Worm:Win32/Autorun.AEA is also known as Win32.HLLW.Autoruner.63662 (Dr.Web), Win32/AutoRun.VB.APO (ESET), Trojan-Ransom.Win32.DoubleEagle.ld (Kaspersky), W32/Autorun.worm!oc (McAfee), TROJ_SPNR.03A312 (Trend Micro).

Explanation:

Worm:Win32/Autorun.AEA is a worm that spreads to other drives as files named "syskernel.exe" and "new folder1.exe". The worm terminates certain Windows utilities such as Task Manager and Registry Editor and also renames files having certain extensions.

Installation
When run, Worm:Win32/Autorun.AEA copies itself as the following files with 'system', 'hidden' and 'read-only' file attributes:

  • <system folder>\syskernel.exe
  • c:\syswin.exe
  • c:\sys32krnl.exe
  • c:\sysmgr.exe
  • c:\svcclient.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The registry is modified to run the copies of the worm at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysBoot"
With data: "<system folder>\syskernel.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysStart"
With data: "c:\syswin.exe 1"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysBoot"
With data: "<system folder>\syskernel.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "sysStart"
With data: "c:\syswin.exe 1"

The worm writes other registry data:

In subkey: HKCU\Software\AppleTech\Startup
Sets value: "Value"
With data: "1"

Spreads via...

Removable and network drives
Worm:Win32/Autorun.AEA drops copies of itself in removable and network drives, for example:
  • <drive:>\new folder1.exe
  • <drive:>\syskernel.exe
The worm writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically. Worm:Win32/Autorun.AEA changes the file attributes of all of its dropped copies in the root directory of the targeted drive to 'system', 'hidden' and 'read-only'.
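The spreading mechanism above is where a responder usually gets a first look at this worm: an autorun.inf in the drive root pointing at a hidden executable. The following Python script is an added example for this write-up, not code from Microsoft's analysis. It parses an autorun.inf the way an infected drive carries it (duplicate keys, NUL padding, mixed case), works out which file in the drive root each launch key would start (for an unquoted command it approximates the CreateProcess lookup, trying "new" before "new folder1.exe"), and flags targets whose name or system/hidden/read-only attributes match the dropped copies described here. The autorun.inf text and the drive-root listing are constructed samples, not captures.

```python
"""Triage an autorun.inf from a removable or network drive and flag launch
targets that match this worm's dropped copies.

Added example for this write-up, not code from Microsoft's analysis.
SAMPLE_AUTORUN and SAMPLE_ROOT below are constructed, not captured."""
import re
from pathlib import PureWindowsPath

# File names the worm drops in the root of removable/network drives (from the write-up).
WORM_DROP_NAMES = {"new folder1.exe", "syskernel.exe"}

# Attribute letters the worm sets on its copies: S(ystem), H(idden), R(ead-only).
WORM_ATTRS = {"S", "H", "R"}

# [autorun] keys that cause code to run: 'open' on insertion under classic
# Autorun, 'shellexecute' and shell\<verb>\command via AutoPlay/Explorer menus.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section.

    Hand-rolled instead of configparser: in-the-wild autorun.inf files carry
    duplicate keys, NUL padding and mixed case that configparser rejects or
    mangles. The first occurrence of a key is kept."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def resolve_program(command, root_files):
    """Return the drive-root file (original spelling) that a command would
    start, or None.

    A quoted command names the program exactly. For an unquoted command this
    approximates the CreateProcess lookup: try progressively longer
    whitespace-delimited prefixes ('new', then 'new folder1.exe', ...) until
    one names an existing file, which is why an unquoted "new folder1.exe"
    still launches the worm copy."""
    by_lower = {name.lower(): name for name in root_files}
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        candidates = [command[1:end] if end > 0 else command[1:]]
    else:
        tokens = command.split()
        candidates = [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]
    for candidate in candidates:
        key = PureWindowsPath(candidate.lstrip(".\\")).name.lower()
        if key in by_lower:
            return by_lower[key]
    return None


def triage(autorun_text, root_listing):
    """root_listing maps each file in the drive root to its attribute letters.
    Returns human-readable findings; an empty list means nothing matched."""
    findings = []
    for key, value in parse_autorun(autorun_text).items():
        if not LAUNCH_KEY_RE.match(key):
            continue
        target = resolve_program(value, root_listing)
        if target is None:
            continue  # dangling reference; nothing on this drive would run
        reasons = []
        if target.lower() in WORM_DROP_NAMES:
            reasons.append("file name matches an Autorun.AEA drop")
        if WORM_ATTRS <= root_listing[target]:
            reasons.append("system+hidden+read-only, as the worm sets")
        if reasons:
            findings.append(f"{key} -> {target}: " + "; ".join(reasons))
    return findings


# Constructed sample of the autorun.inf such a worm leaves in the drive root.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "open=new folder1.exe\r\n"
    "shell\\open\\Command=\"new folder1.exe\"\r\n"
    "shell\\explore\\command=syskernel.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
)

# Constructed drive-root listing: name -> attribute letters (A = archive).
SAMPLE_ROOT = {
    "autorun.inf": {"S", "H", "R"},
    "new folder1.exe": {"S", "H", "R"},
    "syskernel.exe": {"S", "H", "R"},
    "report.docx": {"A"},
    "setup.exe": {"A"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN, SAMPLE_ROOT):
        print(finding)
```

On a real drive, feed triage() the text of the root autorun.inf and a listing built from the root directory's attributes (for example from `attrib` output); anything it reports should be treated as a live infection vector and the drive should not be opened from an Autorun-enabled host.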

Payload
Terminates Windows utility applications
Worm:Win32/Autorun.AEA terminates the following applications and prevents them from executing:
  • taskmgr.exe - Windows Task Manager
  • msconfig.exe - Microsoft Config Utility
  • regedit.exe - Registry Editor
Renames files
This worm searches for all files having the file extensions ".jpg", ".emb" and ".dst". If a file is located, the worm renames the file extension to ".gif", ".ini" or ".ocx". For example, the worm might rename "file.jpg" to "file.gif", or "file.dst" to "file.ini".
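Because this payload only changes the extension and leaves the content intact, the original type can usually be recovered from the file's leading bytes. The script below is an added example for this write-up, not Microsoft's tooling: it sweeps a directory for files carrying the extensions the worm assigns (.gif, .ini, .ocx), compares their content with what a genuine file of that type should start with, and restores the .jpg extension where JPEG magic is found. The JPEG, GIF and PE signatures are standard; the Tajima .dst header beginning with "LA:" is an assumption about that format, and no .emb signature is attempted, so a renamed .emb file is only reported as a content/extension mismatch. The sample directory is constructed in a temporary folder, and renaming is opt-in via apply=True.

```python
"""Find files this worm renamed (.jpg/.emb/.dst -> .gif/.ini/.ocx) by
comparing content with extension, and restore the extension where the
original type is recognisable from its leading bytes.

Added example for this write-up, not Microsoft's tooling. JPEG, GIF and
PE signatures are standard; the Tajima DST header beginning with 'LA:' is
an assumption about that format, and no .emb signature is attempted.
make_sample_tree() builds a constructed directory for the demonstration."""
import tempfile
from pathlib import Path

# Extensions the worm assigns (from the write-up) and what a genuine file of
# that type starts with; None means "plain text", checked by looks_like_text.
WORM_TARGET_EXTS = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ini": None,
    ".ocx": (b"MZ",),          # OCX controls are PE images
}

# Leading bytes that reveal an original type the worm renames away from.
RESTORE_BY_MAGIC = [
    (b"\xff\xd8\xff", ".jpg"),  # JPEG start-of-image marker
    (b"LA:", ".dst"),           # Tajima DST header label (assumed signature)
]


def looks_like_text(head):
    """No NULs and only printable/whitespace bytes: good enough for an .ini."""
    return b"\x00" not in head and all(b >= 0x20 or b in b"\t\r\n" for b in head)


def classify(path):
    """Return (verdict, restore_ext) for one file.

    'renamed'  - content reveals a type the worm renames; restore_ext is set
    'ok'       - content is consistent with the current extension
    'mismatch' - neither; renamed from a type we cannot identify, or damaged
    'skipped'  - extension is not one the worm assigns"""
    ext = path.suffix.lower()
    if ext not in WORM_TARGET_EXTS:
        return "skipped", None
    with open(path, "rb") as fh:
        head = fh.read(512)
    for magic, orig_ext in RESTORE_BY_MAGIC:
        if head.startswith(magic):
            return "renamed", orig_ext
    expected = WORM_TARGET_EXTS[ext]
    if expected is None:
        consistent = looks_like_text(head)
    else:
        consistent = head.startswith(expected)
    return ("ok", None) if consistent else ("mismatch", None)


def sweep(root, apply=False):
    """Walk root and return {relative_path: (verdict, restore_ext)} for every
    file with a worm-assigned extension. With apply=True, rename 'renamed'
    files back to their original extension, never overwriting an existing file."""
    root = Path(root)
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict, restore_ext = classify(path)
        if verdict == "skipped":
            continue
        results[str(path.relative_to(root))] = (verdict, restore_ext)
        if apply and verdict == "renamed":
            target = path.with_suffix(restore_ext)
            if not target.exists():
                path.rename(target)
    return results


def make_sample_tree():
    """Constructed directory: a genuine GIF and INI, a JPEG and a DST the worm
    renamed, and an .ocx whose content is not a PE image."""
    root = Path(tempfile.mkdtemp(prefix="autorun_aea_"))
    (root / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00" + b"\x00" * 20)
    (root / "beach.gif").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40)
    (root / "pattern.ini").write_bytes(b"LA:DESIGN01" + b" " * 501)
    (root / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\nIconResource=shell32.dll,3\r\n")
    (root / "ctrl.ocx").write_bytes(b"\x7fELF" + b"\x00" * 60)
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for rel, (verdict, ext) in sweep(sample).items():
        print(f"{verdict:8} {rel}" + (f"  -> restore as {ext}" if ext else ""))
```

Run sweep() without apply first and review the 'mismatch' entries by hand: a genuine .ocx or .gif with unusual content will land there alongside renamed .emb files, and only files the script can positively identify are renamed when apply=True is passed.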

Analysis by Edgardo Diaz

Last update 30 January 2012
