Worm.Win32.AutoRun

Detect Date 06/30/2010
Class Worm
Platform Win32
Description

The worm injects its .dll file into all running processes.

The worm also intercepts mouse and keyboard events if one of the processes listed below has been launched:

maplestory.exe

dekaron.exe

gc.exe

RagFree.exe

Ragexe.exe

ybclient.exe

wsm.exe

sro_client.exe

so3d.exe

ge.exe

elementclient.exe

The worm harvests account data relating to the following games:

ZhengTu

Wanmi Shijie or Perfect World

Dekaron Siwan Mojie

HuangYi Online

Rexue Jianghu

ROHAN

Seal Online

Maple Story

R2 (Reign of Revolution)

Talesweaver

Harvested data is sent to the remote malicious user’s site.

The worm also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]

“CheckedValue” = “0”

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

“Hidden” = “2”

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

“ShowSuperHidden” = “0”

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]

“NoDriveTypeAutoRun” = “0x91”

For example, Worm.Win32.AutoRun.beot:

The worm copies itself to local disks and accessible network resources. It is a Windows PE-EXE file, 47733 bytes in size, packed with FSG; the unpacked file is about 160 KB. It is written in Delphi.

Installation

Once launched, the worm copies its body to the system drive of the user’s computer.

To ensure that the copy created is launched automatically each time the system is rebooted, the following registry key is created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Propagation

The worm copies its body to every writable removable drive connected to the infected computer. A file named “AutoRun.inf” is created alongside the copy in the root of each infected drive, so that the copy is run each time a user opens the drive in “Explorer”.
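The following PowerShell audit is an added example, not part of the original entry: it checks the four registry values listed in the description for the settings the worm leaves behind (hidden-file display disabled and NoDriveTypeAutoRun = 0x91, which still permits AutoRun on removable drives; 0xFF disables it for all drive types), lists the Policies\Explorer\Run persistence key used by the .beot sample, and prints any AutoRun.inf found in the root of a removable drive. Run it in an elevated session; the “Hardened” values are the defender’s recommended settings, not values from the page.

```powershell
# Added example: audit the registry settings and removable drives described above.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL';
       Name = 'CheckedValue';       Bad = 0;    Hardened = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
       Name = 'Hidden';             Bad = 2;    Hardened = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
       Name = 'ShowSuperHidden';    Bad = 0;    Hardened = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'NoDriveTypeAutoRun'; Bad = 0x91; Hardened = 0xFF }
)

foreach ($c in $checks) {
    # Get-ItemProperty returns nothing if the key or value is absent.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { Write-Output ("MISSING  {0}\{1}" -f $c.Path, $c.Name); continue }
    $val = $item.($c.Name)
    if ($val -eq $c.Bad) {
        Write-Output ("SUSPECT  {0}\{1} = 0x{2:X} (matches the worm's setting; hardened value is 0x{3:X})" -f
            $c.Path, $c.Name, $val, $c.Hardened)
    } else {
        Write-Output ("OK       {0}\{1} = 0x{2:X}" -f $c.Path, $c.Name, $val)
    }
}

# Persistence location used by the .beot sample: list every value under it for review.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    Write-Output "Values under ${runKey}:"
    Get-ItemProperty -Path $runKey | Select-Object -Property * -ExcludeProperty PS* | Format-List
}

# Removable drives (Win32_LogicalDisk DriveType 2) with an AutoRun.inf in the root.
# -Force is needed because the file is usually marked hidden/system.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'AutoRun.inf'
    if (Test-Path $inf) {
        Write-Output ("AUTORUN  {0} contains AutoRun.inf:" -f $_.DeviceID)
        Get-Content -Path $inf -Force
    }
}
```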