Autoit.DM

Summary

Autoit.DM [Norman] is a very virulent worm: it self-replicates without any user interaction once a system has been infected. Its infection vectors are portable storage devices, network shares, OS takeover and file-system infection. It takes control of essential OS processes, which prevents the logged-in user from interacting with the system; the compromised ‘host’ then becomes a vector itself whenever any of its resources are shared.

Aliases

Kaspersky 7.0.0.125 2010.09.15 Trojan.Win32.Autoit.xb

McAfee 5.400.0.1158 2010.09.15 Artemis!8916B4391489

Microsoft 1.6103 2010.09.15 Trojan:Win32/Bumat!rts

Ikarus T3.1.1.88.0 2010.09.15 IM-Worm.Win32.Sohanad

Spreading Description

· It drops a copy of itself on local and removable drives as ‘suck.exe’ / ‘suck.is.here.exe’, which spreads the worm on initial execution.

· It copies itself into every system directory and sub-folder through recursive directory traversal, primarily as ‘suck.scr’ / ‘suck.is.here.scr’ with folder icons. A user who is unaware of this threat and clicks on one of these ‘folders’ runs the worm.

· Other .scr infection vectors use the name of the folder the malware is in as a decoy, so that they look like legitimate files, folders or even registry keys. If the ‘show hidden files/folders’ and ‘show known file extensions’ folder options are disabled, infection continues unabated to any folder, network share or portable storage device.

· Specific executables are dropped which control access to essential processes on the infected system.

Threat Description

Autoit.DM drops 590 files on initial execution, including the primary payloads listed below. Most of them are exact copies of the parent file, which can be verified by comparing the MD5 hashes of all the executables:

· c:\4ri3f_c00ls13.exe

· c:\AutoRun.inf

· c:\Documents and Settings.scr

· c:\fUCK!america.scr

· c:\hello.mr.IT.scr

· c:\Made.in.INDONESIA.scr

· c:\suck.exe

· c:\suck.is.here.exe

· c:\suck.scr

The dropped .scr files carry the Windows screen saver extension, but each is a PE executable, not a screen saver. Temp folders hold payloads with a .dmp extension.

The following executables are dropped in the ‘C:\WINDOWS\’ and ‘C:\WINDOWS\Prefetch\’ directories.

c:\WINDOWS\NetWork.exe

c:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf

c:\WINDOWS\Prefetch\INTELLISENSE.EXE-33A1EA3D.pf

c:\WINDOWS\Prefetch\NETWORK.EXE-08B46E22.pf

c:\WINDOWS\Prefetch\NTVDM.EXE-1A10A423.pf

c:\WINDOWS\Prefetch\SUCK.EXE-345DADCD.pf

c:\WINDOWS\Prefetch\TERMINATE.EXE-2A04C819.pf

c:\WINDOWS\Prefetch\USB.EXE-1CF84311.pf

These executables start as processes and then take over or disable features of the OS, periodically showing ‘error’ messages in the form of message boxes. All of these error messages are stored in the executable and unpacked during execution (UPX 3 is used, but unpacking gives an overlay error, indicating that the packing/unpacking algorithm has been customised).

The executable payloads are:

· The system crashes (BSOD) on initial execution, which leaves a crash dump as a potential analysis candidate. The system then restarts (the default setting on a crash in XP) and keeps crashing regularly thereafter.

· File system access terminated.

· Application execution terminates.

· USB port is used for file propagation.

· Recurring error messages.

· OS-specific services such as services.msc, GPedit.msc and Regedit.exe are all denied user access/interaction.

· Optical writers are sent cached copies of the worm for burning (a collateral payload not specifically targeting optical media, but automated burning systems will effectively burn infected files if they are left undetected or cached).

Propagation/Infection through the registry:

10 new registry values are added (and some existing ones changed). These payloads are described below:

Registry changes:

1.] Executes suck.exe instead of cmd.exe when booting into safe mode.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot “AlternateShell”

Old data: cmd.exe

New data: C:\WINDOWS\suck.exe

2.] Executes suck.exe on login instead of explorer.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell”

Old data: Explorer.exe

New data: C:\WINDOWS\explorer.exe “suck.exe”

3.] Changes file association with screensaver files to folder objects.

HKEY_CLASSES_ROOT\scrfile “(Default)”

Old data: Screen Saver

New data: File Folder

4.] File extensions are forcibly hidden. This is a deception mechanism to make users believe the folders are ordinary folder objects rather than executables: a basic but effective deployment mechanism when combined with the complementary techniques above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “HideFileExt”

Old data: 00, 00, 00, 00

New data: 01, 00, 00, 00

Registry Additions:

5.] Executes suck.exe on boot, installing the required resources as well.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “suck”

Type: REG_SZ

Data: C:\WINDOWS\suck.exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot “AlterNateShell”

Type: REG_SZ

Data: C:\WINDOWS\suck.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache “C:\Documents and Settings\norman\Desktop\bluck.exe”

Type: REG_SZ

Data: bluck

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache “C:\WINDOWS\system32\ntvdm.exe”

Type: REG_SZ

Data: NTVDM.EXE

HKEY_CLASSES_ROOT\.suck “(Default)”

Data: suckfile

6.] This changes the file icons to folder icons (a decoy that makes the executable look like a non-executable folder).

HKEY_CLASSES_ROOT\suckfile\DefaultIcon “(Default)”

Data: %SystemRoot%\system32\shell32.dll,-152
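The registry changes listed above are easy to check for offline. The following is an added example, not code from the original post: it parses a `reg export` style .reg file, compares the four modified values against the pre-infection data documented above, and lists whatever sits under the Run key. The sample export embedded in it is constructed from the values in this analysis; the function names (`parse_reg_export`, `baseline_deviations`, `run_entries`) are this example's own. A real export is UTF-16LE with a BOM and must be decoded before being passed in.

```python
import re

# Pre-infection values documented in the analysis above for the four keys the
# worm changes. "@" is the .reg-file spelling of the "(Default)" value.
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    (r"HKEY_CLASSES_ROOT\scrfile", "@"): "Screen Saver",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt"): 0,
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in `reg export` format (a real export is UTF-16LE with a BOM;
# decode it before parsing). The values mirror the post-infection state listed above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\suck.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\WINDOWS\\explorer.exe \"suck.exe\""

[HKEY_CLASSES_ROOT\scrfile]
@="File Folder"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"suck"="C:\\WINDOWS\\suck.exe"
"""

# A value line is either "Name"=data or @=data (the default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def norm(key: str, name: str) -> tuple[str, str]:
    """Registry paths and value names are case-insensitive; compare lower-cased."""
    return key.lower(), name.lower()


def decode_data(data: str):
    """Decode the two encodings the sample uses: quoted strings and dword values."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg escapes backslash and double quote with a backslash
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex:, hex(2): and friends are left as raw text


def parse_reg_export(text: str) -> dict[tuple[str, str], object]:
    """Map (key path, value name) -> decoded data for every value in the export."""
    values: dict[tuple[str, str], object] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue
        name = "@" if m.group(2) else m.group(1)
        values[norm(key, name)] = decode_data(m.group(3))
    return values


def baseline_deviations(values) -> list[tuple[str, str, object, object]]:
    """(key, name, expected, observed) for each documented value that differs."""
    out = []
    for (key, name), expected in BASELINE.items():
        observed = values.get(norm(key, name))
        if observed is not None and observed != expected:
            out.append((key, name, expected, observed))
    return out


def run_entries(values) -> dict[str, object]:
    """Every value under the Run key, which the worm uses to persist across boots."""
    prefix = RUN_KEY.lower()
    return {name: data for (key, name), data in values.items() if key == prefix}


if __name__ == "__main__":
    vals = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, expected, observed in baseline_deviations(vals):
        print(f"{key} [{name}]: expected {expected!r}, found {observed!r}")
    print("Run entries:", run_entries(vals))
```

Pointing `baseline_deviations` at an export taken from a clean machine of the same build gives an empty list, which is the quickest way to confirm the baseline values before using the check on a suspect export.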

Propagation through Windows Explorer usage:

The AutoRun.inf file is dropped in the root ‘C:\’ directory. This ensures that opening the drive through Windows Explorer re-executes the files listed below.

The autorun file contains:

[AutoRun]

open=suck.exe

shell\open\Command=suck.exe

shell\open\Default=1

shell\explore\Command=suck.exe

________________________

Conclusion:

This highly resilient strain is a very destructive and disruptive piece of malware, with payloads typical of a worm/Trojan. It relies on social engineering tricks and relentless self-replication, together with OS control and repeated crashes, which can lead to loss of important data on infected systems.

Removal:

Most AV vendors recognise this threat and are able to disinfect the system to a degree.

Online descriptions of this malware are sparse.

Removal involves deletion of all the listed executables, with special attention to the .scr extension.

Since the MD5 hashes are the same for most payload files in this strain, hash-signature-based detection will be effective.

The AutoRun.inf file must be deleted.

The affected registry keys must be restored or deleted as required.

Since the system is very unresponsive when infected, it is unlikely that AV software would execute properly. Hence a boot-time scan or a Linux-based scan of the infected drives is an effective method that renders the malware inert and eases removal.

We noted that even safe mode is taken over by the worm, along with the logon process in normal booting. Hence it is not safe to attempt removal on the running infected OS.
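The offline scan recommended above can be scripted from a Linux rescue environment with the infected volume mounted read-only. The following is an added example, not code from the original post, covering both the spreading behaviour described earlier and the removal advice here: it walks the mounted volume, flags any file whose MD5 matches the sample hash reported in the sandbox output below, flags .scr files named after a sibling or parent folder (the folder-icon decoy), and flags the dropped names listed for the drive root. The mount path, the mock layout built by `demo()` and the function names are this example's assumptions; the mock files are constructed stand-ins, not the worm.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 of the analysed sample, as reported in the sandbox output on this page.
KNOWN_MD5 = {"8916b43914895aafc3410e2b7dbf224c"}
# Names the analysis lists at the drive root (lower-cased for comparison).
KNOWN_ROOT_NAMES = {"suck.exe", "suck.is.here.exe", "suck.scr", "suck.is.here.scr",
                    "4ri3f_c00ls13.exe", "autorun.inf"}


def md5_of(path: Path) -> str:
    """Stream the file so a whole volume can be hashed without loading files whole."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, known_hashes=KNOWN_MD5):
    """Return (path relative to root, reason) for every suspicious file under root.

    Checks in priority order: hash match against the known sample, a .scr file
    named after a sibling or parent folder (the folder-icon decoy), and a known
    dropped file name at the volume root. Unreadable files are reported as such.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            path = folder / name
            if not path.is_file():  # skip symlinks to nowhere, devices, etc.
                continue
            rel = path.relative_to(root).as_posix()
            stem, ext = os.path.splitext(name.lower())
            try:
                digest = md5_of(path)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if digest in known_hashes:
                findings.append((rel, "hash matches known sample"))
            elif ext == ".scr" and (stem in sibling_dirs or stem == folder.name.lower()):
                findings.append((rel, "screensaver named after a folder"))
            elif folder == root and name.lower() in KNOWN_ROOT_NAMES:
                findings.append((rel, "known dropped name at volume root"))
    return findings


def demo():
    """Build a benign, constructed mock of the infected layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents and Settings").mkdir()
        (root / "Program Files").mkdir()
        (root / "Program Files" / "readme.txt").write_text("harmless text")
        (root / "Documents and Settings.scr").write_bytes(b"MZ decoy, constructed")
        (root / "AutoRun.inf").write_text("[AutoRun]\nopen=suck.exe\n")
        (root / "suck.exe").write_bytes(b"MZ constructed stand-in for the sample")
        # The constructed stand-in's own hash plays the role of the real sample hash.
        return scan_tree(root, known_hashes={md5_of(root / "suck.exe")})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel:<32} {reason}")
    # On a rescue system: scan_tree(Path("/mnt/infected"))  (assumed mount point)
```

Because the parent file and its copies share one MD5, a single hash is enough to catch most of the 590 dropped files; the name-based checks exist for the decoys that may have been dropped with a different body or later modified.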

[Sandbox Report Below.]

Norman Sandbox Report:

Using profile default.ini

OK;Application;15611684;15611684;;1;YES;OK;C:\Users\vic\Desktop\bluck.exe;291023;PE_I386;UPX 0.89.6/1.02/1.05/1.24

====> Sandbox output:

[ DetectionInfo ]

* Filename: C:\Users\vic\Desktop\bluck.exe.

* Sandbox name: .

* Signature name: NOT_SCANNED.

* Compressed: YES.

* TLS hooks: NO.

* Executable type: Application.

* Executable file structure: OK.

* Filetype: PE_I386.

[ General information ]

* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO – REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.

* Decompressing UPX3.

* File length: 291023 bytes.

* MD5 hash: 8916b43914895aafc3410e2b7dbf224c.

* SHA1 hash: 9f5f0f0f00e5875d5bddd1dacdd065beebb35fe5.

* Packer detection: UPX 0.89.6/1.02/1.05/1.24.

[ Changes to registry ]

* Accesses Registry key “HKCU\Software\AutoIt v3\AutoIt”.

Files checked : 1

Files OK : 1
