Worm.Win32.Autorun.hfp
From Total Malware Info
Last edited: 24.7.2011
A worm that spreads copies of itself on the user's hard drive and through removable drives. It is a Windows application (PE-EXE file). Its size is 303,104 bytes. It is written in C++.
MD5: 7CB3DF16C623188729722859A36AAC76
SHA1: 9F8BF601AC2DCBED20E8D4C3D87E185DB27CCDEF
Installation
Once launched, the worm copies its body to the following files:
%Program Files%\Windows Common Files\Commgr.exe
%Program Files%\Windows Alerter\WinAlert.exe
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
The attributes "hidden" and "system" are set on these files.
To start the copies automatically every time the system boots, the worm creates the following system registry values:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program Files%\Windows Common Files\Commgr.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program Files%\Windows Common Files\Commgr.exe"
In addition, the worm disables the display of hidden and system files/directories, as well as the display of extensions for registered file types, in Windows Explorer. For this purpose it changes the values of the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
"SuperHidden" = "0"
"HideFileExt" = "1"
Spread Through Removable Devices
The worm copies its executable file to all writable removable drives connected to the victim's computer:
<the infected partition's name>:\RECYCLER\<rnd>.exe
where <rnd> is a random string of letters (for example: "UxVgOoS").
Also the script "Autorun.inf" is created in the root directory of an infected disk:
<the infected partition's name>:\Autorun.inf
This script contains the following strings:
[Autorun]
Open=RECYCLER\<rnd>.exe
Explore=RECYCLER\<rnd>.exe
AutoPlay=RECYCLER\<rnd>.exe
shell\Open\Command=RECYCLER\<rnd>.exe
shell\Open\Default=1
shell\Explore\command=RECYCLER\<rnd>.exe
shell\Autoplay\Command=RECYCLER\<rnd>.exe
It also creates the following file on the infected disk:
<the infected partition's name>:\RECYCLER\dEsKtOp.InI
This file contains the following strings:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
In addition, the worm sets the "hidden" attribute on all directories in the root of an infected removable disk. It then creates copies of its executable on the disk named after those hidden directories, so that a user with hidden files and extensions not displayed sees an executable where the folder used to be.
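As an added example (not code from the original description), the Python below shows how a responder can triage the two artefacts described in this section: an Autorun.inf whose launch keys point at an executable under RECYCLER, and a drive root where an .exe shares its name with a hidden directory. The sample Autorun.inf and the directory listing are constructed for the example; the random name "UxVgOoS" is the one the description cites. The drive-root check generalises slightly beyond the text by flagging any hidden-directory/.exe name collision rather than only names the worm is known to use.

```python
"""Triage of autorun.inf files and removable-drive roots (added example)."""
import re

# [Autorun] keys that hand a program to Explorer when the drive is opened,
# explored or AutoPlayed; compared case-insensitively.
LAUNCH_KEYS = {
    "open", "explore", "autoplay",
    "shell\\open\\command", "shell\\explore\\command", "shell\\autoplay\\command",
}
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif)$", re.IGNORECASE)


def parse_autorun(text):
    """Parse INI-style text into {section: {key: value}}, lowercasing section
    and key names.  Deliberately lenient: junk lines are skipped, because
    autorun.inf files written by malware are often padded with garbage."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Return (key, target, suspicious) for every launch key in [Autorun].
    A target is marked suspicious when it is an executable under RECYCLER,
    which is the pattern this worm writes."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS:
            target = value.replace("/", "\\")
            suspicious = (target.lower().startswith("recycler\\")
                          and EXECUTABLE_RE.search(target) is not None)
            findings.append((key, target, suspicious))
    return findings


def drive_root_findings(entries):
    """entries: (name, is_dir, is_hidden) tuples for a removable drive root.
    Flags the artefacts from the description: Autorun.inf, a RECYCLER folder,
    and an .exe whose base name equals that of a hidden directory."""
    info = {name.lower(): (is_dir, hidden) for name, is_dir, hidden in entries}
    hidden_dirs = {n for n, (d, h) in info.items() if d and h}
    findings = []
    if "autorun.inf" in info:
        findings.append("Autorun.inf present in drive root")
    if info.get("recycler", (False, False))[0]:
        findings.append("RECYCLER directory present in drive root")
    for n, (d, _) in info.items():
        if not d and n.endswith(".exe") and n[:-4] in hidden_dirs:
            findings.append(f"{n} shares its name with hidden directory {n[:-4]}")
    return findings


# Constructed sample input mirroring the description (not a captured file).
SAMPLE_AUTORUN = r"""[Autorun]
Open=RECYCLER\UxVgOoS.exe
Explore=RECYCLER\UxVgOoS.exe
AutoPlay=RECYCLER\UxVgOoS.exe
shell\Open\Command=RECYCLER\UxVgOoS.exe
shell\Open\Default=1
shell\Explore\command=RECYCLER\UxVgOoS.exe
shell\Autoplay\Command=RECYCLER\UxVgOoS.exe
"""
# Constructed listing of a removable drive root: (name, is_dir, is_hidden).
SAMPLE_ROOT = [
    ("Autorun.inf", False, True), ("RECYCLER", True, True),
    ("Photos", True, True), ("Photos.exe", False, False),
    ("notes.txt", False, False),
]

if __name__ == "__main__":
    for key, target, bad in autorun_findings(SAMPLE_AUTORUN):
        print(f"{'SUSPICIOUS' if bad else 'ok':10} {key} -> {target}")
    for line in drive_root_findings(SAMPLE_ROOT):
        print("FINDING:", line)
```

The parser is intentionally hand-written rather than built on configparser: keys such as shell\Open\Command contain backslashes and malware-written files are often not well-formed INI, so a permissive line-by-line reader is the more reliable choice for triage.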
Payload
Once launched, the worm performs the following actions:
- It extracts from its body the following files:
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342 (102266 bytes)
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\wndsvc.dll (4 bytes)
The attributes "hidden" and "system" are set on these files.
- It executes all the created copies and monitors the list of running processes in the system. If at least one copy of the malware has no running process, all of its copies are restarted.
- In a separate thread it terminates the Windows Task Manager process ("taskmgr.exe").
- In a separate thread it monitors the user's keyboard input. The collected data is stored in the file:
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info
- In a separate thread every 2 seconds it performs the actions described in the Installation section.
- In an endless loop every 5 seconds it copies the contents of the file:
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
to the file:
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\OnlyDbv.jpg
After that, it opens the file "OnlyDbv.jpg" and keeps it open, which prevents its removal.
Removal Instructions
If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:
1. Restart the computer in "Safe Mode" (at the beginning of loading press and hold "F8", then select "Safe Mode" in the Windows boot menu).
2. Delete the following files:
%Program Files%\Windows Common Files\Commgr.exe
%Program Files%\Windows Alerter\WinAlert.exe
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
<the infected partition's name>:\RECYCLER\<rnd>.exe
<the infected partition's name>:\Autorun.inf
<the infected partition's name>:\RECYCLER\dEsKtOp.InI
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\wndsvc.dll
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info
<system drive>:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\OnlyDbv.jpg
3. Delete the worm's original file (its location on the infected computer depends on how the program originally reached the machine).
4. Delete copies created by the worm on infected removable drives.
5. Delete the following system registry values:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program Files%\Windows Common Files\Commgr.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger" = "<system drive>\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
"Windows Alerter" = "%Program Files%\Windows Alerter\WinAlert.exe"
"Windows Common Files Manager" = "%Program Files%\Windows Common Files\Commgr.exe"
6. Restore the original values of the following registry key (the worm leaves them set as shown):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
"SuperHidden" = "0"
"HideFileExt" = "1"
7. Perform a full system scan with an antivirus with updated databases.
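As an added example covering the registry side of both the Installation section and steps 5 and 6 above (this is not code from the original description), the Python below compares an exported snapshot of the two Run keys against the value names and paths the worm registers, reports which Explorer\Advanced values still hold the worm's settings, and emits a .reg file that deletes the matched Run values. Because the description does not record the user's pre-infection Explorer settings, the Advanced values written back are this example's own choice: the settings that make hidden and system files and file extensions visible again. The snapshot, including the benign "VendorTray" entry, is constructed for the example; the REG_DWORD encoding reflects how Explorer stores these values.

```python
"""Registry triage and remediation for the Run-key persistence (added example)."""

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Value name -> tail of the path the worm registers under it (from the
# description; the %Program Files% / <system drive> prefix varies per machine).
WORM_RUN_VALUES = {
    "WindowMessenger":
        r"\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe",
    "Windows Alerter": r"\Windows Alerter\WinAlert.exe",
    "Windows Common Files Manager": r"\Windows Common Files\Commgr.exe",
}
ADVANCED_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                r"\Explorer\Advanced")
# Explorer values as the worm leaves them (REG_DWORD), and the values this
# example restores so hidden/system files and extensions are shown again.
# The restore values are the example's choice, not the user's original ones.
ADVANCED_SET_BY_WORM = {"Hidden": 2, "ShowSuperHidden": 0,
                        "SuperHidden": 0, "HideFileExt": 1}
ADVANCED_RESTORE = {"Hidden": 1, "ShowSuperHidden": 1, "HideFileExt": 0}


def run_key_findings(snapshot):
    """snapshot: {key_path: {value_name: data}} as exported from the registry.
    Returns (key, value_name, data, reason) for every Run value whose name
    or target path matches the worm's; 'reason' records which matched so a
    responder can confirm a partial hit before deleting it."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            path = data.strip('"').lower()
            name_hit = name in WORM_RUN_VALUES
            path_hit = any(path.endswith(t.lower()) for t in WORM_RUN_VALUES.values())
            if name_hit or path_hit:
                reason = ("name+path" if name_hit and path_hit
                          else "name" if name_hit else "path")
                findings.append((key, name, data, reason))
    return findings


def explorer_findings(snapshot):
    """Names of Explorer\\Advanced values currently holding the worm's setting."""
    current = snapshot.get(ADVANCED_KEY, {})
    return [n for n, v in ADVANCED_SET_BY_WORM.items() if current.get(n) == v]


def remediation_reg(findings):
    """Build .reg text (CRLF, as regedit expects) that deletes the matched Run
    values with the "name"=- syntax and writes the restore values for
    Explorer\\Advanced as REG_DWORD."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in RUN_KEYS:
        names = [n for k, n, _, _ in findings if k == key]
        if names:
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)
            lines.append("")
    lines.append(f"[{ADVANCED_KEY}]")
    lines.extend(f'"{n}"=dword:{v:08x}' for n, v in ADVANCED_RESTORE.items())
    lines.append("")
    return "\r\n".join(lines)


# Constructed snapshot of an infected machine; "VendorTray" is a made-up
# benign autorun entry that must survive remediation.
WORM_EXE = r"C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
SAMPLE_SNAPSHOT = {
    RUN_KEYS[0]: {
        "WindowMessenger": WORM_EXE,
        "Windows Alerter": r"C:\Program Files\Windows Alerter\WinAlert.exe",
        "Windows Common Files Manager": r"C:\Program Files\Windows Common Files\Commgr.exe",
        "VendorTray": r"C:\Program Files\Vendor\Tray.exe",
    },
    RUN_KEYS[1]: {"WindowMessenger": WORM_EXE},
    ADVANCED_KEY: {"Hidden": 2, "ShowSuperHidden": 0, "SuperHidden": 0, "HideFileExt": 1},
}

if __name__ == "__main__":
    hits = run_key_findings(SAMPLE_SNAPSHOT)
    for key, name, data, reason in hits:
        print(f"[{reason}] {key}\\{name} = {data}")
    print("Explorer values still at worm setting:", explorer_findings(SAMPLE_SNAPSHOT))
    print(remediation_reg(hits))
```

Run the triage first and review the reasons: a "path" hit with an unexpected name, or a "name" hit whose data points elsewhere, deserves a look before the generated .reg is imported, since the worm's value names are generic enough that a legitimate entry could in principle share one.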