W32/Autorun.worm.ct

Type: Virus
SubType: Worm
Discovery Date: 05/23/2008
Length:
Minimum DAT: 5302 (05/23/2008)
Updated DAT: 5478 (12/29/2008)
Minimum Engine: 5.2.00
Description Added: 05/23/2008
Description Modified: 08/18/2008 7:01 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Autorun.worm.ct is an autorun worm which spreads by placing a copy of itself on system drives. It detects the presence of USB drives and, if one is found, copies itself to the drive under the name "CSRSS.exe" together with an "autorun.inf" that references it. In this way, every time a user opens the drive, the copy is loaded and attempts to spread further.

These are general defaults for typical path variables (they may differ from system to system, but these examples are common):

  • %UserProfile% = \Documents and Settings\Administrator
  • %AllUserProfile% = \Documents and Settings\All Users
  • %AppData% = \Documents and Settings\Administrator\Application Data
  • %CommonProgramFiles% = \Program Files\Common Files
  • %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
  • %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)

The following files have been added to the system:

  • %WinDir%\autorun.inf
  • %WinDir%\csrss.exe
  • %WinDir%\home video.avi.exe
  • %WinDir%\system.exe

Similar files have also been observed under root drives such as "C:\" and on other USB drives:

  • %UserProfile%\Desktop\autorun.inf
  • %UserProfile%\SendTo\Ahsan's Document.mydocs
  • %AllUserProfile%\Start Menu\Programs\Startup\winlogon.exe

The following registry elements have been created:

  • HKEY_CURRENT_USER\software\policies\microsoft\windows\system\
    • disablecmd = 1
  • HKEY_LOCAL_MACHINE\software\classes\.au3\
    • (default) = exefile
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}
    • Default = "Ahsan's Document"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
    • Default = "G.W.Bush"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}
    • Default = "Ahsan's Places"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • Default = "Ahsan's Computer"

The following registry elements have been changed:

  • HKEY_CURRENT_USER\software\microsoft\internet explorer\main\
    • start page = "hxxp://amkbpk.[Removed].com/ "
    • window title = "Ahsan manan khan bhutta * internet explorer * "
  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\
    • hidefileext = 1
    • showsuperhidden = 0
    • start_showrun = 0
    • superhidden = 0
  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
    • runonce = %WinDir%\CSRSS.exe
  • HKEY_LOCAL_MACHINE\software\classes\.bat\
    • (default) = txtfile
  • HKEY_LOCAL_MACHINE\software\classes\.cmd\
    • (default) = txtfile
  • HKEY_LOCAL_MACHINE\software\classes\.com\
    • (default) = txtfile
  • HKEY_LOCAL_MACHINE\software\classes\.reg\
    • (default) = txtfile
  • HKEY_LOCAL_MACHINE\software\classes\.vbs\
    • (default) = exefile
  • HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\
    • shell = explorer.exe, system.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\
    • checkedvalue = 0

Symptoms

Presence of autorun.inf files in the folders listed above with references to csrss.exe, together with the other files and registry entries listed above.
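As an added example that is not part of the McAfee description, the following Python routine implements the check the Characteristics and Symptoms sections describe: it parses an autorun.inf, extracts every program the file would launch, and flags a reference to csrss.exe or the other dropped binaries listed above. The sample autorun.inf contents and the function names are constructed for illustration.

```python
import configparser

# Indicators from the description: the worm drops csrss.exe (and relatives) beside an
# autorun.inf; any autorun.inf that launches a program is suspicious, these are a match.
INDICATOR_BINARIES = {"csrss.exe", "system.exe", "home video.avi.exe", "winlogon.exe"}
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun_inf(text):
    """Return the [autorun] section as a dict with lowercase keys ({} if absent)."""
    # Keep only section headers and key=value lines so junk padding cannot break parsing.
    lines = [ln for ln in text.splitlines() if ln.strip().startswith("[") or "=" in ln]
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string("\n".join(lines))
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":  # header case varies between samples
            return {k.lower(): v for k, v in cp.items(section)}
    return {}

def first_token(value):
    """Extract the program path from a value such as '"home video.avi.exe" /q'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def triage_autorun_inf(text):
    """Classify an autorun.inf: ('match' | 'suspicious' | 'clean', launched binaries)."""
    entries = parse_autorun_inf(text)
    launched = []
    for key in EXEC_KEYS:
        if key in entries:
            # Strip any directory prefix so ".\csrss.exe" still matches the indicator set.
            program = first_token(entries[key]).rsplit("\\", 1)[-1].lower()
            if program:
                launched.append(program)
    if any(p in INDICATOR_BINARIES for p in launched):
        return "match", launched
    return ("suspicious" if launched else "clean"), launched

# Constructed samples (not from the page); the first mirrors the described dropper.
SAMPLE_WORM_INF = "[autorun]\nopen=csrss.exe\nshellexecute=csrss.exe\nshell\\open\\command=csrss.exe\n"
SAMPLE_BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Vendor Driver CD\n"
SAMPLE_EVASIVE_INF = "XXXXXXXXXXXXXXXX\n[AutoRun]\nOPEN=\"home video.avi.exe\" /q\n"
```

Run `triage_autorun_inf` over the autorun.inf found on each drive root and in the listed folders; a "suspicious" verdict on a driver or installer disc is expected, a "match" is the indicator this description is about.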

Method of Infection

Spreads via USB drives

Removal

Use the latest Engine/DATs

Variants

N/A

All Information

Overview

W32/Autorun.worm.ct is a classification of a worm which spreads via USB drives.
