Worm.Win32.AutoRun.beot
From Total Malware Info
Last edited: 25.6.2011
This worm copies itself to local disks and to accessible network resources. It is a Windows PE executable (EXE file), 47733 bytes in size, packed with FSG; the unpacked file is about 160 KB. It is written in Delphi.
MD5: 950828248CEE2A08086B2207C5ED8516
SHA1: 8CE4CC71EAB155C2F0075B27287D7DE625A201A2
Installation
Once launched, the worm copies its body to the system disk of the user's computer.
To ensure that this copy is launched automatically each time the system is restarted, the worm creates the following registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
Propagation
The worm copies its body to every writable removable disk connected to the infected computer. Alongside the copy it creates the file "AutoRun.inf" in the root of the infected disk, which causes the copy to run each time a user opens the infected removable disk in "Explorer".
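The autorun.inf mechanism described above can be checked for from the defender's side. The following is an added example (not code from the original page or from the sample's author): a small parser for an autorun.inf file that reports every directive that would launch a program when the disk is opened. The sample file contents are constructed, not taken from the worm.

```python
# Added example: triage an autorun.inf file from a removable disk and list the
# directives that would execute a program. Not part of the original description.

# Directives that cause Explorer to run a file when the disk is opened.
# shell\<verb>\command entries are matched generically below.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Return {key_lower: value} from the [autorun] section only.

    Section and key names are compared case-insensitively, because Windows
    does not care about case here and droppers vary it freely.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """Return (directive, path) pairs that would run a file from the disk."""
    entries = parse_autorun_inf(text)
    hits = []
    for key, value in entries.items():
        generic_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or generic_verb:
            hits.append((key, value))
    return hits


# Constructed sample in the shape such worms typically drop (hypothetical paths).
SAMPLE_MALICIOUS_INF = """\
[AutoRun]
open=RECYCLER\\setup.exe
shell\\open\\Command=RECYCLER\\setup.exe
shell\\explore\\Command=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
"""

# Constructed benign sample: only sets an icon, launches nothing.
SAMPLE_BENIGN_INF = """\
[autorun]
icon=drive.ico
label=Backup
"""

if __name__ == "__main__":
    for name, text in (("malicious", SAMPLE_MALICIOUS_INF), ("benign", SAMPLE_BENIGN_INF)):
        print(name, launch_targets(text))
```

Run against an autorun.inf copied from a removable disk; any output from `launch_targets` is a file the disk would execute on open and deserves to be hashed and scanned before the disk is used on another machine.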
Payload
The worm has the following functionality:
- Terminates the following processes:
360rpt.exe 360Safe.exe 360safebox.exe 360tray.exe AgEntSvr.exe AntiArp.exe AppSvc32.exe Arvmon.exe AutoGuarder.exe Autoruns.exe Avgrssvc.exe AvMonitor.exe Avp.com Avp.exe CCEnter.exe ccSvcHst.exe HiJackThis.exe IceSword.exe iparmo.exe Iparmor.exe isPwdSvc.exe kabaload.exe KaScr9cn.SCR KASMain.exe KASTask.exe KAS42.exe KASDX.exe KASPFW.exe KASSetup.exe KISLnchr.exe KMailMon.exe KPFW42.exe KPFW42X.exe KPFWSvc.exe KRepair.COM KVCEnter.kxp KvDetEct.exe kvfw.exe KvfwMcl.exe KVMonXP.kxp KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KV9can.kxp KV9rvXP.exe KVStub.kxp kvupload.exe kvwsc.exe KvXP.kxp KvXP_1.kxp KWatch.exe KWatch9x.exe KWatchX.exe MagicSet.exe mmqczj.exe mmsk.exe NAVSetup.exe nod32krn.exe nod32kui.exe PFW.exe PFWLiveUpdate.exe QHSET.exe Ras.exe Rav.exe RavMon.exe RavMonD.exe RavStore.exe RavStub.exe ravt08.exe RavTask.exe RegClean.exe RegEx.exe rfwcfg.exe RfwMain.exe rfwolusr.exe rfwProxy.exe rfwsrv.exe RsAgEnt.exe RsMain.exe runiep.exe safebank.exe safelive.exe scan42.exe 9canFrm.exe shcfg42.exe SREng.exe SREngPS.exe symlcsvc.exe syscheck.exe Syscheck2.exe SysSafe.exe UmxAgEnt.exe UmxCfg.exe UmxPol.exe UpLive.exe LiveUpdate360.exe
- Blocks these processes from running by creating the following registry keys:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<Application name>] "debugger"
where <Application name> is a process name from the list above (Windows launches the program named in the "Debugger" value instead of the application itself).
- Modifies the hosts file:
%System%\drivers\etc\hosts
- Uses the modified hosts file to block access to the following resources:
www.360.cn www.360safe.cn www.360safe.com www.chinakv.com www.rising.com.cn www.jiangmin.com www.duba.net www.eset.com.cn www.nod32.com www.shadu.duba.net union.kingsoft.com www.kaspersky.com.cn www.virustotal.com www.virscan.org www.kaspersky.com www.lanniao.org www.nod32club.com www.dswlab.com bbs.sucop.com tool.ikaka.com qihoo.com www.kafan.cn8
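Both blocking tricks described above, the IFEO "Debugger" values for security-tool process names and the hosts-file entries for vendor domains, can be audited with a short script. The following is an added example, not code from the original page or from the sample's author. The process-name and domain sets are a subset constructed from the lists above, the IFEO and hosts samples are constructed, and `read_ifeo_from_registry` is my own helper that only does something on Windows.

```python
# Added example: audit a host for IFEO "Debugger" hijacks of security tools and
# for hosts-file entries that pin security-vendor domains to a bogus address.
# Not part of the original description.
import ipaddress

# Subset of the process names the description lists as blocked (constructed subset).
WATCHED_PROCESSES = {"360tray.exe", "avp.exe", "ravmon.exe", "nod32krn.exe", "hijackthis.exe"}
# Subset of the domains the description lists as blocked via the hosts file.
WATCHED_DOMAINS = {"www.kaspersky.com", "www.virustotal.com", "www.rising.com.cn", "www.360safe.com"}


def find_ifeo_hijacks(ifeo_entries, watched=WATCHED_PROCESSES):
    """ifeo_entries maps an IFEO subkey (application name) to its 'Debugger'
    value, or None when no Debugger value is set. Returns the watched
    applications that have a Debugger set, sorted by name."""
    hits = []
    for app, debugger in ifeo_entries.items():
        if app.lower() in watched and debugger:
            hits.append((app, debugger))
    return sorted(hits)


def read_ifeo_from_registry():
    """Windows only (hypothetical helper): read live IFEO subkeys into the
    dict shape find_ifeo_hijacks expects. Returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    result[name] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:  # subkey has no Debugger value
                result[name] = None
    return result


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def find_hosts_blocks(text, watched=WATCHED_DOMAINS):
    """Return (domain, address, is_loopback) for every watched domain the hosts
    file overrides. Any override of a public vendor domain is the signal; the
    address tells the analyst whether it is a loopback block or a redirect."""
    hits = []
    for addr, name in parse_hosts(text):
        if name in watched:
            try:
                loopback = ipaddress.ip_address(addr).is_loopback
            except ValueError:
                loopback = False
            hits.append((name, addr, loopback))
    return hits


# Constructed IFEO snapshot: two watched tools hijacked, one legitimate entry.
SAMPLE_IFEO = {
    "notepad.exe": None,
    "360tray.exe": "ntsd -d",
    "avp.exe": "C:\\WINDOWS\\system32\\svchost.exe",
    "devenv.exe": "vsjitdebugger.exe",
}

# Constructed hosts file in the shape the description implies.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.kaspersky.com
127.0.0.1 www.virustotal.com
0.0.0.0 www.rising.com.cn   # constructed entry
"""

if __name__ == "__main__":
    print("IFEO:", find_ifeo_hijacks(read_ifeo_from_registry() or SAMPLE_IFEO))
    print("hosts:", find_hosts_blocks(SAMPLE_HOSTS))
```

On a live Windows host, feed `read_ifeo_from_registry()` to `find_ifeo_hijacks` and the contents of `%System%\drivers\etc\hosts` to `find_hosts_blocks`; the full lists from the description can be dropped into the two sets. Legitimate IFEO Debugger entries exist (the `devenv.exe` line models one), which is why the check keys on the targeted application names rather than on the presence of a Debugger value alone.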
- Sends the following information about the system to a malicious server:
- IP address of the infected computer;
- physical (MAC) address of the active network adapter;
- OS version.
- Using links received from the server, the attacker can deliver files to the infected computer, storing them in the current user's temporary folder "%Temp%".
- In the course of its work the worm may connect to the following servers:
down.t***ai.com 208.***.210.29
- The worm may inject malicious code into the address space of the following processes:
smss.exe csrss.exe winlogon.exe services.exe lsass.exe
Removal instructions
If your computer does not have antivirus software installed and is infected by this malicious program, follow the instructions below to remove it:
1. Perform a full system scan with an antivirus with updated databases.