Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog


Malware Environment
Malware Descriptions
Who Creates Malware
History of Malware
Malware Trends
If Your Computer Is Infected

 
Malware Description Search

 

  Home / Viruses / Virus Encyclopedia / Malware Descriptions / Network Worms / Internet Worms

Worm.Win32.AutoRun.bnb

Detection added Jan 07 2008 06:44 GMT
Update released Jan 07 2008 10:10 GMT
Description added Oct 07 2008
Behavior Internet Worm

Technical details

This worm propagates by creating copies of itself on local disks and write-accessible network resources. It is a Windows PE EXE file. It is 46592 bytes in size. It is packed using UPX. The unpacked file is approximately 107MB in size.

Installation

The worm copies its executable file to the Windows system directory:

%System%\<rnd1>[<rnd2>].exe, with <rnd1> and <rnd2> being random numbers

In order to ensure that the worm is launched automatically each time the system is booted, it adds a link to its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rising" = "<path to worm file>"

The worm extracts a rootkit library from its body and saves it to the Windows temporary directory:

%Temp%\Bug2.tmp - this file is 12800 bytes in size. It will be detected by Kaspersky Anti-Virus as Worm.Win32.AutoRun.ll;

This files masks the worm process in the system.

Propagation

The worm copies its executable file to the root of each drive as follows:

<X>:\<:rnd1>[<rnd2>].exe, with <rnd1> and <rnd2> being random numbers and X being the drive

In addition to its executable file, the worm also places the file shown below in the root directory of every disk:

<x>:\autorun.inf

This file will launch the worm's executable file each time the user opens the infected disk using Explorer.

Payload

The worm modifies the following system registry key parameter to make it impossible to write to it:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0

The worm contains a Trojan component designed to steal account data for the online game Perfect World. The program searches the system for a process called "elementclient.exe". If it finds this process, it searches the directory for the following file:

userdata\currentserver.ini

It then harvests the following parameter values:

CurrentGroup
Server
CurrentServer
CurrentServerAddress

It also reads the "elementclient.exe" process memory and harvests the following variables:

  • User name
  • Password
  • Sum of virtual money

Harvested data is sent in an HTTP request to the following servers:

***uxian.com.cn
***ulin2.cn
***2i.com.cn
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program’s process.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following system registry key parameter:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Rising" = "<path to worm file>"
  4. Delete the copy of the worm from all removable disks:
    <X>\<rnd1>[<:rnd2>].exe
    <X> stands for the letter of the removable disk.
  5. Empty the temporary directory (%Temp%).
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com