Autoit.DM [Norman] is a very virulent worm, i.e. it self-replicates without any user interaction once infection has occurred. The infection vectors are any portable storage devices/ network shares/ OS takeover and file-system infection. Essential OS processes are controlled; which prevents interaction with the logged in user, and thus taking over the ‘host’ which itself becomes a vector if any resources are shared by the system.
Kaspersky 184.108.40.206 2010.09.15 Trojan.Win32.Autoit.xb
McAfee 5.400.0.1158 2010.09.15 Artemis!8916B4391489
Microsoft 1.6103 2010.09.15 Trojan:Win32/Bumat!rts
Ikarus T220.127.116.11.0 2010.09.15 IM-Worm.Win32.Sohanad
· It drops a copy of itself in the local drives/removable drives with a ‘suck.exe’/’suck.is.here.exe’ file, to spread on initial execution.
· Copies itself to all system directories and inner folders through recursive directory traversal, as ‘suck.scr’/’suck.is.here.scr’- primarily, with folder icons-that make it susceptible to spreading by clicking on it if the user is not aware of this threat.
· Other .scr extensioned infection vectors use the current folder name the malware is in , as a possible infection decoy which seem like legitimate files/folders/even registry keys. If ‘show hidden files/folders’/’show known file extensions’ folder options are disabled then infection continues unabated to any folder/network share/portable storage system.
· Specific executables are dropped which control system access to essential processes on the infected system.
Autoit.DM drops 590 files on initial execution including these primary payloads, most of them are exact copies of the parent file, which can be verifies by the equivalent MD5 hashes of all the executables:
· c:\Documents and Settings.scr
All files have a .scr extension which is the windows screensaver extension. It is a PE file. Temp folders have payloads with a .dmp extension.
The following executables are dropped in the ‘C:\WINDOWS\’/’C:\WINDOWS\Prefetch\’ directories.
These executables start as executable processes and then take over/disable features of the OS and periodically give ‘error’ messages, in the form of message boxes. All these error messages are stored in the executable which are unpacked during execution (UPX 3 used, but gives an overlay error on unpacking-indicating customization of the packing/unpacking algorithm).
The executable payloads are:
· System crashes on initial execution-BSOD (which gives a potential crash dump analysis candidate. The system restarts-the default setting on a crash in XP OS). And subsequent crashing regularly thereafter.
· File system access terminated.
· Application execution terminates.
· USB port is used for file propagation.
· Recurring error messages.
· OS specific services-services.msc/GPedit.msc/Regedit.exe etc. all are denied user access/interaction.
· Optical writers are sent cached files of the worm for burning (a collateral payload not particularly targeting optical media-but automated burning systems will effectively be burning infected files, if left undetected/ or cached).
Propagation/Infection through the registry:
10 new registry values are added (some changed). These payloads are further described below:
1.] Executes suck.exe on booting in safe mode; instead of cmd.exe.
Old data: cmd.exe
New data: C:\WINDOWS\suck.exe
2.] Executes suck.exe on login instead of explorer.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell”
Old data: Explorer.exe
New data: C:\WINDOWS\explorer.exe “suck.exe”
3.] Changes file association with screensaver files to folder objects.
Old data: Screen Saver
New data: File Folder
4.] File extensions are forcibly hidden (this acts as a deceiving mechanism to fool users into thinking that the folders are usual folder objects and not executables. A basic, but effective deploying mechanism when other complementing techniques are implemented).
Old data: 00, 00, 00, 00
New data: 01, 00, 00, 00
5.] Executes suck.exe on boot, installing required resources as well.
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache “C:\Documents and Settings\norman\Desktop\bluck.exe”
6.] This changes the file icons to folder icons(decoy as a non-executable).
Propagation through Windows Explorer usage:
This file is dropped at the root ‘C:\’ directory. This ensures that any access point through this gateway will re-execute the files given below.
The autorun file contains:
This highly resilient strain is a very destructive and disruptive malware. The payloads being typical of a worm/Trojan. It utilises social engineering tricks and relentless self-replication along with OS control and its subsequent crashing, which can lead to loss of important data on the infected systems.
Most AV vendors recognise this threat and are able to disinfect the system to a degree.
Online descriptions of this malware are sparse.
Removal would involve deletion of all the listed executables- with a special attention to the .scr extension.
Since, the MD5 hashes are the same for most payload files in this strain; a hash signature based detection will be effective.
The autorun.ini file must be deleted.
The effected registry keys must be restored/ deleted as required.
Since the system is very unresponsive when infected, its unlikely that AV software would execute properly. Hence, a boot time scan/ linux based scan of the infected drives can be a effective method which would render the malware sterile, easing the removal process.
We noted that even safemode is taken over by the worm, along with the logon process in normal booting. Hence, its not safe to remove on the running infected OS.
[Sandbox Report Below.]