W32/Autorun.worm.dw

Type: Virus
SubType: Worm
Discovery Date: 05/09/2008
Length: Varies
Minimum DAT: 5293 (05/12/2008)
Updated DAT: 5358 (08/11/2008)
Minimum Engine: 5.2.00
Description Added: 08/07/2008
Description Modified: 11/21/2008 8:28 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Overview

-- Update November 21, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/11/20/us_army_usb_ban/

--

W32/Autorun.worm.dw has been observed to have worm-like abilities to spread across drives.

Characteristics

W32/Autorun.worm.dw was previously classified as Downloader-BIP. This Autorun worm is able to infect attached drives such as USB sticks when they are autodetected.

The following observations were made during the time of testing.

Files have been observed to be downloaded from the following domain:

  • hxxp://worldnews.ath.cx/update/[removed]

The following files were added:

  • %SYSTEM%\[Random Named DLL File]
  • %SYSTEM%\mswmpdat.tlb
  • %SYSTEM%\winview.ocx

On execution, it adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StrtdCfg

The following key/value pairs were added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32
    • default = %SYSTEM%\[Random Named DLL File]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32
    • ThreadingModel: "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
    • default =  "Java.Runtime.52"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    • UpdateCheck = {8F147B28-EF39-44A0-B6EC-3CC6F2F08794}

The above keys cause Explorer to load the DLL, which injects code into the Explorer process. The injected code monitors for drives such as USB sticks. When a drive is detected, the worm creates an Autorun.inf file on it and copies the randomly named DLL to the drive under a new random name. The Autorun.inf file refers to the function "InstallM" exported by this new DLL. Every time the drive is opened, "InstallM" is executed, which facilitates the worm's spread.
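The persistence chain described above (a ShellServiceObjectDelayLoad value naming a CLSID, whose InprocServer32 default points at the dropped DLL) and the Autorun.inf reference to "InstallM" are the two artefacts a responder would check. The Python below is an added example, not McAfee's tooling: it walks a constructed .reg export of the keys listed on this page and parses a constructed autorun.inf; the DLL names and the exact autorun.inf layout are assumptions, since the worm uses random names and the page does not reproduce the file.

```python
import configparser
import re

# Constructed .reg-style export of the keys this description lists. The DLL name is a
# placeholder: the worm writes a randomly named DLL into %SYSTEM%.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}]
@="Java.Runtime.52"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32]
@="C:\\WINDOWS\\system32\\qk3x9.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"UpdateCheck"="{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}"
"""

# Constructed autorun.inf in the shape the description implies: a rundll32 call into the
# copied DLL's "InstallM" export. Assumed layout, not captured from the worm.
SAMPLE_AUTORUN = "[autorun]\nopen=rundll32.exe j7qz.dll,InstallM\nshellexecute=rundll32.exe j7qz.dll,InstallM\n"

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"


def _read_ini(text):
    """Parse .reg or autorun.inf text (both INI-shaped) into {section: {name: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep value-name case, e.g. "UpdateCheck"
    body = "\n".join(l for l in text.splitlines()
                     if not l.startswith(("Windows Registry Editor", "REGEDIT4")))
    cp.read_string(body)
    return {s.lower(): {k.strip('"'): v.strip('"').replace("\\\\", "\\")
                        for k, v in cp[s].items()} for s in cp.sections()}


def resolve_ssodl(reg_text):
    """Follow each ShellServiceObjectDelayLoad value to the DLL Explorer will load."""
    reg = _read_ini(reg_text)
    found = []
    for name, clsid in reg.get(SSODL.lower(), {}).items():
        clsid_key = reg.get(f"{CLSID_ROOT}\\{clsid}".lower(), {})
        server = reg.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower(), {})
        found.append({"name": name, "clsid": clsid,
                      "progid": clsid_key.get("@"), "dll": server.get("@")})
    return found


def autorun_installm_refs(inf_text):
    """Return (key, dll, export) for every autorun action that calls a DLL export via rundll32."""
    pat = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)')
    items = _read_ini(inf_text).get("autorun", {}).items()
    return [(k, m.group(1), m.group(2)) for k, v in items for m in [pat.search(v)] if m]


def is_installm_autorun(inf_text):
    """True when any autorun action invokes an export named InstallM (the symptom this page names)."""
    return any(export.lower() == "installm" for _, _, export in autorun_installm_refs(inf_text))
```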

Symptoms

Presence of the above Autorun.inf file with a reference to "InstallM".

Method of Infection

Autodetection of USB sticks may cause the DLL and Autorun.inf files to be copied to the USB drive.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A