W32/Autorun.worm.dw

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Worm
  • Protection Added: 2008-08-07
-- Update November 21, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/11/20/us_army_usb_ban/

--

W32/Autorun.worm.dw has been observed to have worm-like abilities to spread across drives.


Minimum Engine

5400.1158

File Length

Varies

Description Added

2008-08-07

Description Modified

2008-08-07

Malware Proliferation

W32/Autorun.worm.dw was previously classified as Downloader-BIP. This Autorun worm has the ability to infect attached drives, such as USB drives, when they are auto-detected.

The following observations were made during the time of testing.

Files have been observed to be downloaded from the following domain:

  • hxxp://worldnews.ath.cx/update/[removed]

The following files were added:

  • %SYSTEM%\[Random Named DLL File]
  • %SYSTEM%\mswmpdat.tlb
  • %SYSTEM%\winview.ocx

On execution, it adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StrtdCfg

The following key/value pairs were added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}
    • (default) = "Java.Runtime.52"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32
    • (default) = %SYSTEM%\[Random Named DLL File]
    • ThreadingModel = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    • UpdateCheck = {8F147B28-EF39-44A0-B6EC-3CC6F2F08794}

The above keys cause the DLL to be loaded into Explorer, i.e. they inject code into the Explorer process. The injected code monitors for newly attached drives such as USB drives. When a drive is detected, the worm creates an Autorun.inf file on it and copies the randomly named DLL to the drive under a new random name. The Autorun.inf file refers to this new random DLL's exported function "InstallM". Every time the drive is opened, "InstallM" is executed, which facilitates the worm's spread.
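The two indicators described above can be triaged offline with the following helper, an added example that is not McAfee's tooling: it parses the [autorun] section of an autorun.inf for an action that hands a DLL to rundll32 with the "InstallM" export, and checks exported ShellServiceObjectDelayLoad values for the CLSID listed above. The sample autorun.inf and the DLL name inside it are constructed, not captured from the worm.

```python
import re
from typing import Dict, List

# CLSID quoted in the advisory above.
WORM_CLSID = "{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}"
# rundll32 names the export after a comma ("rundll32 <dll>,<export>"); any
# autorun action that invokes an export called InstallM is what we look for.
_INSTALLM_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*InstallM\b', re.IGNORECASE)
_ACTION_KEYS = ("open", "shellexecute")  # plus any shell\<verb>\command key
# Constructed sample (not a captured file), shaped as the advisory describes:
# a randomly named DLL on the drive invoked through its InstallM export.
SAMPLE_AUTORUN_INF = (
    "[autorun]\n"
    "open=rundll32.exe .\\zxkqfjm.dll,InstallM\n"
    "shell\\open\\command=rundll32.exe .\\zxkqfjm.dll,InstallM\n"
)

def autorun_actions(inf_text: str) -> Dict[str, str]:
    """Action entries of the [autorun] section, keys lower-cased. Parsed by hand
    so padding, duplicate keys or '%' in a worm-written file do not abort it."""
    actions: Dict[str, str] = {}
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in _ACTION_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            actions[key] = value.strip()
    return actions

def installm_dlls(inf_text: str) -> List[str]:
    """DLL paths the autorun.inf would hand to rundll32 with the InstallM export."""
    hits: List[str] = []
    for value in autorun_actions(inf_text).values():
        m = _INSTALLM_RE.search(value)
        if m and m.group(1) not in hits:
            hits.append(m.group(1))
    return hits

def ssodl_hits(ssodl_values: Dict[str, str]) -> List[str]:
    """Names of ShellServiceObjectDelayLoad values (name -> data) set to the worm CLSID."""
    return [n for n, d in ssodl_values.items() if d.strip().upper() == WORM_CLSID]
```

A DLL reported by installm_dlls on a removable drive, or a non-empty result from ssodl_hits on the exported key, is worth a closer look even when the file names differ from those listed, since the worm randomises them.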

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Reset the computer and remove the CD from the CD-ROM drive.

  • Auto-detection of USB sticks may cause the DLL and Autorun.inf files to be copied to the USB drive.
  • Presence of the above Autorun.inf file with a reference to "InstallM".