Trojan.Win32.Autoit

Detect Date 02/08/2003
Class Trojan
Platform Win32
Description

Once launched, the Trojan performs the following actions:

  • It attempts to connect to the following HTTP servers:
    87.***.14
    69.***.224

  • It creates the directory:
    %System%\<rnd>

    where <rnd> is a random five-digit decimal number.

  • It extracts a file from its body and saves it in the system as:
    %System%\<rnd>\svchost.exe

    (525 312 bytes; detected by Kaspersky Anti-Virus as “not-a-virus:Monitor.Win32.Ardamax.ae”)

  • It launches the extracted file for execution.
  • It modifies the values of the following system registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NofolderOptions" = 0

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = 0

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools" = 1

    The first two values are written as 0, so Folder Options and Task Manager remain available to the user. The last value, set to 1, disables the registry editor (regedit) for the current user.

  • It creates the file:
    %System%\setup.ini (96 bytes)

    with the following content, which uses the syntax of an autorun.inf file:

    [Autorun]
    Open=regsvr.exe
    Shellexecute=regsvr.exe
    Shell\Open\command=regsvr.exe
    Shell=Open

  • It launches the system command interpreter “cmd.exe” with the following parameters:
    /C AT /delete /yes

    This deletes every job scheduled with the AT command in Windows Task Scheduler.

    /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %System%\svchost.exe

    Every day at 9:00, Windows Task Scheduler will launch a copy of the Trojan; the /interactive switch lets the job interact with the desktop of the logged-on user.
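The following host-triage script is an added example and is not part of this description or Kaspersky's tooling. It checks a Windows host for the indicators listed above: the policy values under HKCU, the dropped svchost.exe inside a five-digit directory below %System%, the setup.ini with [Autorun] directives, and an AT job that launches svchost.exe. The five-digit directory regex is an assumption derived from "random five-digit decimal number"; the AT job lookup assumes the legacy AT service, which later Windows versions deprecated and removed, so on current systems that check simply finds nothing. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original page): look for the indicators described
# in the Trojan.Win32.Autoit entry. Values below are taken from the description;
# the '^\d{5}$' directory pattern is an assumption.

$sys = [Environment]::GetFolderPath('System')   # resolves %System%
$findings = @()

# 1. Policy values the Trojan writes under HKCU. Only DisableRegistryTools=1
#    actually restricts the user; the other two are listed because the sample sets them.
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NofolderOptions';      Expected = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Expected = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Expected = 1 }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Expected) {
        $findings += "Registry: $($c.Key)\$($c.Name) = $v"
    }
}

# 2. Dropped monitor: %System%\<five digits>\svchost.exe (525 312 bytes per the description).
#    Any svchost.exe outside %System% itself is suspicious; report size so it can be compared.
Get-ChildItem -Path $sys -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d{5}$' } |
    ForEach-Object {
        $exe = Join-Path $_.FullName 'svchost.exe'
        if (Test-Path $exe) {
            $len = (Get-Item $exe).Length
            $findings += "File: $exe ($len bytes; description says 525312)"
        }
    }

# 3. setup.ini carrying autorun.inf-style directives that point at regsvr.exe
$ini = Join-Path $sys 'setup.ini'
if (Test-Path $ini) {
    $text = Get-Content -Path $ini -Raw -ErrorAction SilentlyContinue
    if ($text -match '(?im)^\[Autorun\]' -and $text -match '(?im)^(Open|Shellexecute)=regsvr\.exe') {
        $findings += "File: $ini contains [Autorun] entries for regsvr.exe"
    }
}

# 4. Legacy AT jobs appear in Task Scheduler as At1, At2, ...; look for one that runs svchost.exe.
#    schtasks verbose CSV output has 'TaskName' and 'Task To Run' columns.
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -match '\\At\d+$' -and $t.'Task To Run' -match 'svchost\.exe') {
        $findings += "Task: $($t.TaskName) runs $($t.'Task To Run') (next run $($t.'Next Run Time'))"
    }
}

if ($findings.Count -eq 0) { 'No indicators from the description found.' } else { $findings }
```

If the registry finding fires, `Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name DisableRegistryTools` restores regedit for the affected user; remove the dropped files and the AT job only after the samples have been preserved for analysis.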