
Worm:Win32/Autorun.XV


First posted on 01 June 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Autorun.XV is also known as TR/Proxy.JF (Avira), Troj/Proxy-JF (Sophos), Trojan.Win32.AutoIt.gen.1 (Sunbelt Software).

Explanation :

Worm:Win32/Autorun.XV is a worm that drops multiple copies of itself in the computer. Some of its copies are dropped in removable drives; on computers that have Autorun enabled, the worm copies are automatically run every time the drive is accessed. Some of its copies are dropped in shared folders of peer-to-peer (P2P) programs; on computers that have running P2P programs, this causes the worm to be downloaded by other remote users.
Installation

Upon execution, Worm:Win32/Autorun.XV drops the following copies of itself:

  • Under <system folder>:
      • 587.dll .exe
      • ominiu.exe
      • 25.dll .exe
  • Under %USERPROFILE%:
      • ominiu.exe
  • Under %ProgramFiles%\Internet Explorer\mui:
      • bcv.exe
  • Under %ProgramFiles%\Common Files\System:
      • ret.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Worm:Win32/Autorun.XV creates the following registry entry so that one of its copies automatically runs every time Windows starts:

  • Adds value: "WinRegisterDLL"
  • With data: "<system folder>\587.dll .exe"
  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also drops the following files, which are also detected as Worm:Win32/Autorun.XV:

  • %Temp%\aute.tmp
  • %Temp%\autf.tmp
  • <system folder>\svchosts32.exe
  • %ProgramFiles%\Common Files\System\svchosts32.exe

Worm:Win32/Autorun.XV then executes the following copies:

  • bcv.exe
  • ominiu.exe
  • ret.exe
  • svchosts32.exe

The files "ominiu.exe" and "ret.exe" may do the following:

  • Drop two copies of itself as the following:
      • <system folder>\<3 digits>.dll .exe (for example, "798.dll .exe")
      • <system folder>\<3 digits>.dll .exe (for example, "679.dll .exe")
  • Modify the following registry entry to load itself at startup:
      • Adds value: "WinRegisterDLL"
      • With data: "<system folder>\<3 digits>.dll .exe"
      • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The file "bcv.exe" may do the following:

  • Drop two copies of itself as the following:
      • <system folder>\<2 digits>.dll .exe
      • <system folder>\<3 digits>.dll .exe
  • Modify the following registry entry to load itself at startup:
      • Adds value: "WinRegisterDLL"
      • With data: "<system folder>\<2 digits>.dll .exe"
      • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spreads via...

Removable drives

Worm:Win32/Autorun.XV drops the following copies of itself:

  • Under C: and all removable drives:
      • ominiu.exe
      • windriveexplorer.exe
  • Under C: and D: and all removable drives, %windir%, and C:\shared:
      • mypasswords.txt .exe
      • cod4_setup.exe
      • 52038.exe

It also drops the file "autorun.inf" in C: and all removable drives. This INF file is designed to automatically run a worm copy when the drive is accessed and Autorun is enabled on the computer.

Note the space before the final ".exe" in names such as "mypasswords.txt .exe" and "587.dll .exe": the real extension is .exe, and the visible ".txt" or ".dll" is part of the base name, so with known extensions hidden in Explorer the file appears to be a text document or a library.

Peer-to-peer programs

Worm:Win32/Autorun.XV drops the following copies of itself:

  • bf2.exe
  • wow+keygen.exe
  • botnetadmin.exe
  • sex411.txt .exe

under the following folders, if the P2P program (Kazaa, KMD, Morpheus, Grokster, or Edonkey) is installed in the computer:

  • %ProgramFiles%\kazaa lite\my shared folder
  • %ProgramFiles%\kmd\my shared folder
  • %ProgramFiles%\morpheus\my shared folder
  • %ProgramFiles%\grokster\my grokster
  • %ProgramFiles%\edonkey2000\incoming

If the P2P program is used, the worm copies are shared with and may be downloaded by other remote users.
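The indicators listed above (the fixed file names, the "<digits>.dll .exe" naming pattern, the "WinRegisterDLL" Run value, autorun.inf at a drive root, and copies staged in P2P shared folders) can be turned into a simple triage check. The Python script below is an added example written for this page; it is not code from the original analysis or from Microsoft. It runs against a constructed snapshot of file paths and Run-key values embedded in the script rather than a live host, and the autorun.inf text it parses is constructed, since the page does not show the file's contents (open= and shellexecute= are the standard autorun.inf launch directives). The fake-extension rule is generalised beyond the page's examples to any name of the form "<name>.<ext> .exe".

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the analysis above.  The page gives file names and one
# registry value but no hashes, so this matches on names and locations only.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinRegisterDLL"

DROPPED_NAMES = {
    "ominiu.exe", "bcv.exe", "ret.exe", "svchosts32.exe", "windriveexplorer.exe",
    "mypasswords.txt .exe", "cod4_setup.exe", "52038.exe", "bf2.exe",
    "wow+keygen.exe", "botnetadmin.exe", "sex411.txt .exe", "aute.tmp", "autf.tmp",
}

# P2P shared folders named in the analysis (relative to %ProgramFiles%).
P2P_SHARE_DIRS = (
    r"kazaa lite\my shared folder", r"kmd\my shared folder",
    r"morpheus\my shared folder", r"grokster\my grokster", r"edonkey2000\incoming",
)

# "587.dll .exe", "mypasswords.txt .exe": a plausible extension, a space, then
# the real ".exe".  Generalised beyond the page's examples to any such name.
FAKE_EXT_RE = re.compile(r"^.+\.[a-z0-9]{2,4} \.exe$", re.IGNORECASE)


def classify_path(path: str) -> list[str]:
    """Return the indicator tags a path matches; an empty list means no match."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    tags = []
    if FAKE_EXT_RE.match(name):
        tags.append("fake-extension")
    if name in DROPPED_NAMES:
        tags.append("known-dropped-name")
    # autorun.inf is only an indicator at a drive root (C:\ or a removable drive).
    if name == "autorun.inf" and str(p.parent) == p.anchor:
        tags.append("autorun-inf-at-drive-root")
    if tags and any(parent.endswith(d) for d in P2P_SHARE_DIRS):
        tags.append("staged-in-p2p-share")
    return tags


def suspicious_run_values(run_values: dict[str, str]) -> list[tuple[str, str]]:
    """Flag Run-key values by the worm's value name or by a flagged target path."""
    hits = []
    for value_name, data in run_values.items():
        if value_name == RUN_VALUE_NAME or classify_path(data.strip('"')):
            hits.append((value_name, data))
    return hits


def autorun_targets(inf_text: str) -> list[str]:
    """Executables an autorun.inf would launch via its open= or shellexecute= keys."""
    targets = []
    for line in inf_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute"):
            targets.append(val.strip().strip('"'))
    return targets


def triage(paths, run_values, autorun_inf=None):
    """Run all checks over a snapshot; returns {item: [tags]} for hits only."""
    report = {}
    for path in paths:
        tags = classify_path(path)
        if tags:
            report[path] = tags
    for value_name, _data in suspicious_run_values(run_values):
        report[f"{RUN_KEY}\\{value_name}"] = ["run-key-persistence"]
    if autorun_inf:
        for target in autorun_targets(autorun_inf):
            if classify_path(target):
                report[f"autorun.inf -> {target}"] = ["autorun-launch-target"]
    return report


# Constructed sample snapshot (not taken from a real infected host).
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\587.dll .exe",
    r"C:\Windows\System32\svchost.exe",      # legitimate service host
    r"C:\Windows\System32\svchosts32.exe",   # dropped look-alike
    r"C:\Program Files\Internet Explorer\mui\bcv.exe",
    r"C:\Program Files\kazaa lite\my shared folder\wow+keygen.exe",
    r"C:\Windows\autorun.inf",               # not at a drive root, so ignored
    r"E:\autorun.inf",
    r"E:\mypasswords.txt .exe",
]
SAMPLE_RUN_VALUES = {
    "WinRegisterDLL": r"C:\Windows\System32\587.dll .exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}
SAMPLE_AUTORUN_INF = "[autorun]\nopen=ominiu.exe\nicon=ominiu.exe\n"

if __name__ == "__main__":
    for item, tags in triage(SAMPLE_PATHS, SAMPLE_RUN_VALUES, SAMPLE_AUTORUN_INF).items():
        print(f"{item}: {', '.join(tags)}")
```

On a real host the path list would come from a recursive directory listing of the system folder, %ProgramFiles% and each drive root, and the Run values from an export of the HKCU Run key; because the page supplies names rather than hashes, treat every hit as a lead to confirm with the file itself, not as a verdict.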

    Analysis by Andrei Florin Saygo

    Last update 01 June 2010

