Virus Profile: W32/Autorun.worm.aabl

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/10/2011
Date Added: 3/10/2011
Origin: N/A
Length: varies
Type: Virus
Subtype: Worm
DAT Required: 6281

Description

W32/Autorun.worm.abbl is a worm. It is a DLL component that injects its code into the SPOOLSV.EXE process. The DLL component may further download additional malicious components from the web and install them on the infected host.

Indication of Infection

  • The presence of the above-mentioned files and registry keys.
  • The presence of unexpected network connections to the above-mentioned IP addresses.

Methods of Infection

W32/Autorun.worm.abbl is known to spread over open shares such as C$ and ADMIN$. If an open share is found, W32/Autorun.worm.abbl-related files are copied to the share. Additionally, the malware has autorun capability via an autorun.inf file. The file "autorun.inf" points to the malware's binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.


Virus Characteristics

----- Updated on July 11, 2011 ----

The worm also connects to the following IP addresses.

    • 91.217.162.[removed]
    • 86.55.210.[removed]
    • 89.149.244.[removed]

-------

-------- Updated on Jun 21, 2011 ---------

File Information –

  • MD5   - D3F087605EECEECDF035EC3C071E6A63
  • SHA1 - 634E6CFCE86F75FCAD11918E12772B8A5A544CDC

Aliases –

  • Ikarus - Worm.Win32.Rorpian
  • NOD32 - Win32/AutoRun.Agent.ABH
  • Microsoft - Worm:Win32/Rorpian.gen!A
  • Symantec - W32.SillyFDC.BDP

Upon execution, the worm injects into the legitimate process spoolsv.exe and connects to the IP address 188.138.[removed] through port 80 to download other malicious files.

The worm copies itself to the following location:

  • %Temp%\srv[random characters].tmp

It also drops the following files:

  • %Temp%\srv[random characters].ini
  • [Removable Drive:]\setup[4 random numbers].fon

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srv[random characters]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\Security

The following registry values have been added.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srv[random characters]\
    = "service"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\Security\
    Security  = [binary data]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\parameters\servicedll = "%Temp%\srv[random characters].tmp"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\
    Type = 0x00000020
    Start = 0x00000002
    ErrorControl = 0x00000001
    ImagePath = "%systemroot%\system32\svchost.exe -k netsvcs"
    DisplayName = "srv[random characters]"
    ObjectName = "LocalSystem"

It also modifies the following registry value, adding itself to the netsvcs Svchost group.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs = 
    'srv[random characters] 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN'

This malware drops copies of itself on any inserted USB disk, along with several .lnk files pointing to this executable. Existing folders are also randomly selected and made hidden, with .lnk files created with folder icons to mimic the existing folders.

This trojan also attempts to create an autorun.inf file on the root of any accessible disk volume. The file "AutoRun.inf" points to the malware's binary executable; when the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically. The file contains the following entries, interspersed with junk sections and values:

  • [jmmittuexbdmvvnqwvihrnofxsb]
  • cr=qyntspuycbvpiwmemuwfdnqovnlq
  • [cexpclfpqxthfhvx]
  • rdidixgeixfvracksqpqokkxytiamccep=ujifuahvdtdwymxxdm
  • [kpnhpuudevnrwumwgmwtrduppdau]
  • cietpusgtvlulfhjnwkhdsemvittssuxtrjxn=jkgowqmcirbqdefpxxnmwoqnlbxoqfihhsyuu
  • [faerk]
  • y=xcigytp
  • [autOrUN]
  • actiON=oPeN
  • bjqtfcmxixtowwrifclsftkjvafe=iuvupptqygabpjaovykima
  • iCOn=%WINdIr%\sYsTeM32\sHElL32.DLL,4
  • rtikdaofdtqiicssyogtpgiihneepkogewhstnt=vymomiiasmosekfncsv
  • USEauTopLay=1
  • anoqbfoecqwivhfecf=dradywxnmnmxgwniwtomknsbxwdyqpjkor
  • OPEN=rUNDll32.EXe SEtup50045.fON,2ADF86
  • aojdstfqtwxerosvoyyhxxorb=tsfivfnwjmauxdennkfwi
  • SheLL\EXPLorE\coMmaND=ruNdLl32.EXE seTup50045.FOn,2adf86
  • iqhbvvuordsuwd=wruwgctfljinvtfctvfgfqvyq
  • SheLL\opEN\COMmanD=rUndLl32.Exe SeTUP50045.Fon,2adF86
  • wjix=tyf

It also creates the following shortcut files on the removable drives:

  • [Removable Drive:]\pornmovs.lnk
  • [Removable Drive:]\myporno.avi.lnk
  • [Removable Drive:]\setup[random characters].lnk

Note: [%Temp% - C:\Documents and Settings\UserName\Local Settings\Temp]

----Update on May 18, 2011-------

File Information –

  • MD5   - BD9AFF5AF4F00BBB9B6AEBB64093B199
  • SHA1 - CC8B696840720328D7358A5101FBB65EF3882593

Aliases –

  • Microsoft - Trojan:Win32/Meredrop
  • NOD32 - Win32/AutoRun.Agent.ABK
  • Symantec - Trojan.Zbot
  • Kaspersky - Net-Worm.Win32.Kolab.ylu

Upon execution, the worm injects into the legitimate process spoolsv.exe and connects to the IP address 195.14.[removed] through port 80 to download other malicious files.

The worm copies itself to the following location:

  • %Temp%\srv[random characters].tmp

It also drops the following files:

  • %Temp%\srv[random characters].ini
  • [Removable Drive:]\setup[4 random numbers].fon

The following registry keys have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srv[random characters]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\Security

The following registry values have been added.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srv[random characters]\
    = "service"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\Security\
    Security  = path of the malware
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\parameters\servicedll = "%Temp%\srv[random characters].dll"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srv[random characters]\
    Type = 0x00000020
    Start = 0x00000002
    ErrorControl = 0x00000001
    ImagePath = "%systemroot%\system32\svchost.exe -k netsvcs"
    DisplayName = "srv[random characters]"
    ObjectName = "LocalSystem"

It also modifies the following registry value, adding itself to the netsvcs Svchost group.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs =  
    'srv[random characters] 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN'

This malware drops copies of itself on any inserted USB disk, along with several .lnk files pointing to this executable. Existing folders are also randomly selected and made hidden, with .lnk files created with folder icons to mimic the existing folders.

This trojan also attempts to create an autorun.inf file on the root of any accessible disk volume.

The file "AutoRun.inf" points to the malware's binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically. The file contains the following entries, interspersed with junk sections and values:

  • [rrxxylnhsetrukwbkdxtdornbakcuveegqawio]
  • tgpmkbpcimabuahqfncaalixusu=uvxpojbkeetiqho
  • [ybsusw]
  • swbln=cldit
  • [attug]
  • voonrxdqvjcupusejrtbbabjynfptcxfiej=ggtvkiecseojtsdpqxvugrxtasiqntuyjprpy
  • [juhljkdkncuriqcapjqj]
  • antqxparvpvsrocqaiuijnninjkjulxkx=wgsjpwygibemvajufqfbnrkojxjmwtnenfwtan
  • [AUTOrUN]
  • aCTIon=oPEN
  • xejsbsrnlqfdboyriaar=nxorgmvjwhrrsuhlfoiawlpks
  • IcOn=%winDIr%\SYstem32\ShelL32.dLl,4
  • gom=emywsharhrkdvfptdfgnurqlxvnty
  • uSeauToPLay=1
  • yvkjppdygaorsdfevlhkxkoypuxsrhvssbns=ywbmj
  • oPEN=RundLL32.eXE SetUp50045.fon,8B2372
  • jhjibu=xiudbduuiouvhpyejhjuwlhurmvnbqtrvronirf
  • ShElL\ExplORe\cOMMaND=RundlL32.exE setUp50045.FON,8b2372
  • pausaikevmutkgscmobgqfyg=eyimkcfvqqensuhbpdslhsvawf
  • shelL\opEN\cOmMand=RuNdll32.exE sEtUp50045.fOn,8b2372
  • sdlonuugqmpsjuclmstncyfoicnhpbxjkhuyly=rbeepgnnpodpfajpviacagr

It also creates the following shortcut files on the removable drives:

  • [Removable Drive:]\pornmovs.lnk
  • [Removable Drive:]\myporno.avi.lnk
  • [Removable Drive:]\setup[random characters].lnk

Note: [%Temp% - C:\Documents and Settings\UserName\Local Settings\Temp]

-------------------------------------

----Update on Mar 23, 2011-------

Aliases -

  • Kaspersky - Worm.Win32.AutoRun.cedu
  • Symantec - W32.SillyFDC.BDP
  • Ikarus - Trojan.SuspectCRC
  • Microsoft - Trojan:Win32/Meredrop

W32/Autorun.worm.abbl is designed to download malicious files from websites controlled by the malware author. Upon execution, it drops a copy of itself to the user's %TEMP% folder and loads the dropped DLL file into the spoolsv.exe process's address space:

  • %TEMP%\srv[random characters].tmp

It may also create an ini file component:

  • %TEMP%\srv[random characters].ini

[Note: %Temp% is the user's temp directory, usually C:\Documents and Settings\[user name]\Local Settings\Temp\ ]

This malware registers itself as a service to start automatically after reboot. The following entries are added in the registry:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srv[random characters]
    Type=0x20
    Start=0x2
    ErrorControl=0x1
    ImagePath="%systemroot%\system32\svchost.exe -k netsvcs"
    DisplayName="srv[3 Digits]"
    ObjectName="LocalSystem"
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\srv3\parameters
    servicedll=" \\?\globalroot\Device\HarddiskVolume1\%Temp%\srv[random characters].tmp"

The following registry keys are created by this worm:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\srv[random characters]

It also modifies the following registry value, adding itself to the netsvcs Svchost group:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs =
    'srv[random characters] 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN'
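An added example (not part of the McAfee profile): a Python audit of the netsvcs Svchost group that flags members whose ServiceDll matches the persistence described above: a \\?\globalroot device path, a user Temp location, or a module that is not a .dll (the .tmp file here). The service name srv123 and the sample ServiceDll values are constructed; the winreg collector only works on a Windows host and is an assumption about how a responder would gather the same data live.

```python
import re

R_GLOBALROOT = "ServiceDll uses a \\\\?\\globalroot device path"
R_TEMP = "ServiceDll loads from a user Temp directory"
R_EXT = "ServiceDll does not end in .dll"

# Constructed sample: the first few netsvcs members from the profile, with a constructed
# "srv123" entry prepended, and ServiceDll values shaped like the ones the profile lists.
SAMPLE_NETSVCS = ["srv123", "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "wuauserv"]
SAMPLE_SERVICE_DLLS = {
    "srv123": r" \\?\globalroot\Device\HarddiskVolume1\%Temp%\srv123.tmp",
    "AppMgmt": r"%SystemRoot%\System32\appmgmts.dll",
    "wuauserv": r"%SystemRoot%\System32\wuauserv.dll",
}

def audit_netsvcs(netsvcs, service_dlls):
    """Flag netsvcs members whose ServiceDll looks like this worm's: a \\?\globalroot
    device path, a user Temp location, or a module that is not a .dll."""
    findings = []
    for svc in netsvcs:
        dll = service_dlls.get(svc)
        if dll is None:
            continue  # group members without a Parameters\ServiceDll are common
        path = dll.strip().lower()
        if path.startswith("\\\\?\\globalroot\\"):
            findings.append((svc, R_GLOBALROOT))
        elif "%temp%" in path or re.search(r"\\(local settings|appdata\\local)\\temp\\", path):
            findings.append((svc, R_TEMP))
        elif not path.endswith(".dll"):
            findings.append((svc, R_EXT))
    return findings

def collect_from_registry():
    """Read the live netsvcs group and each member's ServiceDll (Windows only; None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost") as key:
        netsvcs, _ = winreg.QueryValueEx(key, "netsvcs")  # REG_MULTI_SZ -> list of names
    dlls = {}
    for svc in netsvcs:
        try:
            with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Services\%s\Parameters" % svc) as key:
                dlls[svc], _ = winreg.QueryValueEx(key, "ServiceDll")  # unexpanded REG_EXPAND_SZ
        except OSError:
            pass
    return netsvcs, dlls
```

On a Windows host, feed the tuple returned by collect_from_registry() to audit_netsvcs(); elsewhere the constructed sample stands in.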

This malware drops copies of itself on any inserted USB disk, along with several .lnk files pointing to this executable. Existing folders are also randomly selected and made hidden, with .lnk files created with folder icons to mimic the existing folders.

Dropped copies of the malware have a .fon extension:

  • setup[4 random numbers].fon

Dropped .lnk files may have the following names:

  • myporno.avi
  • setup[4 random number]
  • pornmovs

Clicking on these link files executes the dropped malware.

It also attempts to create an autorun.inf file on the root of any accessible disk volume:

  • %RemovableDrive%\autorun.inf

The file "AutoRun.inf" points to the malware's binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf file is configured to launch the trojan via the following command syntax, inserted among junk sections and values:

[lejrxnhervyupccljtquknhaehuujhlxw]
o=sxcquiomu
[dnounbmkkhaywmwhbixacbhu]
numgstpksloipgtlpeqweqymvqnrs=hvffuy
[fy]
kjwtbkyqvpcydpnnonaumvmtddiaacwg=lhycxltwpglku
[tkmvjptufe]
tcqnojqwangcimgxamfhmobwpkhoxvnnvhsdv=qtfvgerwvfyuxfygnbnhebujpo
[autORun]
ActIon=OPen
itqgkkkfemrgkli=qvgfbvqxvvvyleolmsahie
IcOn=%WINdiR%\SYStem32\SHElL32.DLL,4
hxsqhfhlgam=ipreddcdfpgaiyylwgovnnfcyffcfvbtbabe
UseautoplaY=1
jekcxhpcy=urrbtceeliwpcwbolrejgliwxemfmkmk
opEn=rUndLL32.EXE setUP1644.fOn,2833f758
outpmwjnxssgilujifkibtpst=aooonuke
ShELL\ExpLOre\COMmand=rUNDLl32.Exe setup1644.FOn,2833f758
tbvduqxnjbgn=diwcuvkyjxtnfq
shEll\OPeN\CoMManD=RUnDLL32.EXe SETUP1644.Fon,2833f758
lbjuwqrudkqhqtimioqbwoxcvvwbx=qcaiftnaxfcgoriscambivdwtlryjwawt
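An added example (not from the McAfee profile): a small Python parser that reads autorun.inf content of the form shown above, skips the junk sections, normalises the randomised key case, and flags rundll32 launch commands whose module is not a .dll, which is how this worm runs its setup[4 random numbers].fon dropper. The embedded sample is abridged from the Mar 23, 2011 listing; nothing else is assumed.

```python
import re

# Autorun.inf content abridged from the Mar 23, 2011 listing above; the junk section and
# the randomised key case are how the sample appears on disk, not constructed here.
SAMPLE_AUTORUN_INF = r"""[lejrxnhervyupccljtquknhaehuujhlxw]
o=sxcquiomu
[autORun]
ActIon=OPen
IcOn=%WINdiR%\SYStem32\SHElL32.DLL,4
UseautoplaY=1
opEn=rUndLL32.EXE setUP1644.fOn,2833f758
outpmwjnxssgilujifkibtpst=aooonuke
ShELL\ExpLOre\COMmand=rUNDLl32.Exe setup1644.FOn,2833f758
shEll\OPeN\CoMManD=RUnDLL32.EXe SETUP1644.Fon,2833f758
"""

# Keys Windows Autorun consults to decide what to run; icon/label entries and junk are ignored.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_autorun_inf(text):
    """Return the [autorun] section as {lower-cased key: value}; other sections are skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:  # section header, matched case-insensitively as Windows does
            section = m.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_launch_commands(entries):
    """Return (key, command) pairs where rundll32 loads a module not ending in .dll,
    the pattern this worm uses with its setup[4 random numbers].fon dropper."""
    hits = []
    for key in LAUNCH_KEYS:
        cmd = entries.get(key)
        if not cmd:
            continue
        parts = cmd.split()
        if len(parts) >= 2 and parts[0].lower() in ("rundll32", "rundll32.exe"):
            module = parts[1].split(",")[0]  # "setUP1644.fOn,2833f758" -> module before the export
            if not module.lower().endswith(".dll"):
                hits.append((key, cmd))
    return hits
```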

W32/Autorun.worm.aabl attempts to connect to the following remote sites:

  • 109.235.49.[Removed]
  • 178.32.189.[Removed]

It passes the victim system's OS version information to the remote site and may download additional malware or components. As of this writing, the sites it connects to are not available.


All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.
