
Worm:Win32/Folstart.A


First posted on 11 March 2020.
Source: Microsoft

Aliases :

Worm:Win32/Folstart.A is also known as Win32/Folstart.A, Worm.Win32.AutoRun.tic, Rotinom.

Explanation :

Worm:Win32/Folstart.A is a worm that spreads through removable drives and modifies some system settings.

Installation

Upon execution, Worm:Win32/Folstart.A creates a copy of itself as the following file:

%APPDATA%Startupdate.exe

Copying the file to this location also enables it to execute at each Windows start.

Worm:Win32/Folstart.A also creates the following hidden folders:

%APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
%APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom
%APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\ lsr

Worm:Win32/Folstart.A also uses a folder icon as its file icon, so that its executable copies look like ordinary folders in Windows Explorer.

Spreads Via...

Removable drives
Worm:Win32/Folstart.A queries the following registry key to determine whether any USB storage devices are connected to the computer and, if so, how many (the "Count" value under this key holds the number of enumerated USB storage device instances):

HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum

If a USB device is found, the worm searches the drive for folders that may exist and copies itself to the drive using the same name as the folder, without an extension. For example, if the USB drive has a folder named "New Folder", then the worm copies itself in the USB drive as an executable named "New Folder", without an extension. In combination with using a folder icon as its file icon, the worm does this to mislead users into running its copy, thinking it is the folder.

It also creates the following hidden folders on the USB drive:

Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\ lsr
Payload
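The following PowerShell is an added example for responders and is not code from the Microsoft write-up. It reads the USBSTOR enumeration key the worm consults and then scans a drive for the two on-disk artifacts described above: extensionless files whose content begins with a PE ("MZ") header, i.e. executables dressed up as folders, and hidden folders named "Usb 2.0 Driver". The function names, the output shape and the use of SHA-256 for correlating copies are this example's own choices.

```powershell
# Added example; not part of the Microsoft write-up.
# Reads the USBSTOR enumeration key Folstart.A checks, then scans a drive for
# folder-impersonating executables and the hidden "Usb 2.0 Driver" drop folder.

function Get-UsbStorageCount {
    # The worm reads this key to learn whether, and how many, USB storage
    # devices have been enumerated. "Count" is the number of recorded instances.
    $enum  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum'
    $props = Get-ItemProperty -Path $enum -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Count) { return 0 }
    return [int]$props.Count
}

function Test-PeHeader {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 2
        $n   = $fs.Read($buf, 0, 2)
        # Every PE image starts with the DOS stub signature "MZ" (0x4D 0x5A);
        # checking content rather than the name defeats the missing extension.
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    }
    finally {
        $fs.Dispose()
    }
}

function Find-FolstartDriveArtifacts {
    param([Parameter(Mandatory = $true)][string]$DriveRoot)   # e.g. 'E:\'

    $findings = New-Object System.Collections.Generic.List[object]

    # -Force is required: the worm marks its files hidden and also tells
    # Explorer not to show hidden items, so a default listing would miss them.
    Get-ChildItem -LiteralPath $DriveRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '' } |
        ForEach-Object {
            if (Test-PeHeader -Path $_.FullName) {
                $findings.Add([pscustomobject]@{
                    Type   = 'ExtensionlessPE'
                    Path   = $_.FullName
                    Hidden = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                    Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                })
            }
        }

    Get-ChildItem -LiteralPath $DriveRoot -Recurse -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -eq 'Usb 2.0 Driver' -and
            ($_.Attributes -band [System.IO.FileAttributes]::Hidden)
        } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type   = 'HiddenDropFolder'
                Path   = $_.FullName
                Hidden = $true
                Sha256 = $null
            })
        }

    return $findings
}

# Usage:
"USB storage devices enumerated: $(Get-UsbStorageCount)"
Find-FolstartDriveArtifacts -DriveRoot 'E:\' | Format-Table -AutoSize
```

Every impersonating file on a drive is a copy of the same worm binary, so the ExtensionlessPE hits should all share one SHA-256; a matching hash across several "folders" on a stick is strong corroboration, and the same hash can then be searched for under %APPDATA% on hosts that have mounted the drive.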

Modifies system settings
Worm:Win32/Folstart.A modifies system settings by making a number of registry modifications. All of them are per-user settings under HKCU, so they affect only the account that ran the worm.

Sets the following so that hidden files are not shown in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"

Sets the following in order to hide file extensions when files are viewed using Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"

Sets the following so that hidden operating system files are not displayed in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

Together these changes keep the worm's hidden folders out of sight and make its folder-like copies harder to tell apart from real folders.
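The following PowerShell is an added example and is not code from the Microsoft write-up. It reports the three Explorer values listed above and, with -Repair, sets them back to a show-everything view. The key path and value names come from the write-up; the "good" values restored here are this example's own choice (hidden files shown, extensions shown, protected OS files shown), not something the write-up prescribes.

```powershell
# Added example; not part of the Microsoft write-up.
# Checks the Explorer\Advanced values Folstart.A tampers with and optionally restores them.
# Run as the affected user: the key lives under HKCU.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# value name -> Bad = what the worm sets, Good = what this example restores
$expected = @{
    'Hidden'          = @{ Bad = 2; Good = 1 }   # 2 = do not show hidden files, 1 = show
    'HideFileExt'     = @{ Bad = 1; Good = 0 }   # 1 = hide extensions, 0 = show
    'ShowSuperHidden' = @{ Bad = 0; Good = 1 }   # 0 = hide protected OS files, 1 = show
}

function Test-FolstartExplorerSettings {
    param([switch]$Repair)

    $props = Get-ItemProperty -Path $advanced -ErrorAction Stop

    $results = foreach ($name in $expected.Keys) {
        $current  = $props.$name
        $tampered = ($current -eq $expected[$name].Bad)

        if ($tampered -and $Repair) {
            Set-ItemProperty -Path $advanced -Name $name -Value $expected[$name].Good -Type DWord
        }

        [pscustomobject]@{
            Name     = $name
            Current  = $current
            Tampered = $tampered
            Repaired = ($tampered -and $Repair.IsPresent)
        }
    }
    return $results
}

# Usage:
Test-FolstartExplorerSettings            # report only
# Test-FolstartExplorerSettings -Repair  # restore the values and report
# Explorer re-reads these values when restarted:
# Stop-Process -Name explorer            # the shell relaunches itself
```

One caveat for detection: Hidden=2 and HideFileExt=1 are also the out-of-the-box Windows values, so on their own they are weak indicators. The signal is all three values changing together on an account whose user had previously turned hidden files and extensions on, ideally with a timestamp that lines up with a removable drive being mounted.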

Analysis by Amir Fouda

Last update 11 March 2020
