W32/Autorun.worm.aaeh

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Worm
  • Protection Added: 2012-11-28
W32/Autorun.worm.aaeh is a worm that spreads by copying itself to removable drives and by adding copies of itself to ZIP and RAR archives. It hides directories on removable drives and places a copy of itself with the same filename as each hidden directory. It constantly connects to a C&C server that sends commands to download additional malware or updated copies of itself.
Minimum Engine

5400.1158

File Length

Varies

Description Added

2012-11-28

Description Modified

2012-11-28

Malware Proliferation

Upon execution it creates a copy of itself to the following path:

  • %UserProfile%\[random].exe

Note: %UserProfile% refers to the current user’s profile folder.

It also creates copies of itself in removable drives with the following filename:

  • Secret.exe
  • Sexy.exe
  • Porn.exe
  • Passwords.exe

It also drops the following 0-byte file on removable drives:

  • x.mpeg

It spreads by creating copies of itself in removable storage devices and mounted network shares. It will create an “autorun.inf” to allow it to automatically execute itself when attached to another system with auto run enabled.

It changes the attributes of the directories on the affected drive to hidden and creates copies of itself with the same filename as each hidden directory.

It checks for files with the following extensions on removable drives, changes their attributes to hidden, and creates copies of itself with the same filename as each hidden file:

  • mp3
  • avi
  • wma
  • wmv
  • wav
  • mpg
  • mp4
  • doc
  • txt
  • pdf
  • xls
  • jpg
  • jpe
  • bmp
  • gif
  • tif
  • png

It adds copies of itself to ZIP and RAR archives. The added copy has the following filename:

  • Secret.exe

It creates the following registry entry so that it runs automatically at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    [malware filename] = "%UserProfile%\[Random name].exe /e"

NOTE: the command line option /e shown above may differ as the worm updates this during different stages of its executions. Other possible options include "/g", "/r", "/p" and "/s".

It disables Windows Update by setting the NoAutoUpdate value to 1:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU 
    NoAutoUpdate = dword:00000001

It sets the following registry value to keep the hidden files hidden:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = dword:00000000

It connects to one of the following domains on TCP port 8000, 8003 or 9004:


Once the connection is established, the C&C server sends a download command containing a link to a file. The worm then attempts to download and execute the file at that link.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

This worm spreads by creating copies of itself in removable storage devices and mounted network shares. It will create an “autorun.inf” to allow it to automatically execute itself when attached to another system with auto run enabled. 

It changes the attributes of the directories on the affected drive to hidden and creates copies of itself with the same filename as each hidden directory.

It could also add copies of itself into ZIP and RAR archives.

  • Presence of the previously mentioned files.
  • Presence of unexpected network connections to the previously mentioned domains.
  • Presence of the previously mentioned registry entries.
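A triage script for the removable-drive indicators described above, added here as an example (it is not McAfee's tooling): it walks a drive root and flags the autorun.inf, the zero-byte x.mpeg, the named dropped executables, and any executable whose name shadows a directory or a media/document file. The sample tree built in demo() is constructed, and the hidden-attribute check only works on Windows.

```python
import tempfile
from pathlib import Path

# Indicators named in the advisory above
DROPPED_NAMES = {"secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}
TARGET_EXTS = {"mp3", "avi", "wma", "wmv", "wav", "mpg", "mp4", "doc", "txt",
               "pdf", "xls", "jpg", "jpe", "bmp", "gif", "tif", "png"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; st_file_attributes is Windows-only

def is_hidden(path: Path) -> bool:
    """True if the Windows 'hidden' attribute is set; always False elsewhere."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def scan_drive(root) -> list:
    """Return (indicator, filename) pairs for the worm's artefacts in a drive root."""
    root, hits = Path(root), []
    if (root / "autorun.inf").is_file():
        hits.append(("autorun.inf present", "autorun.inf"))
    marker = root / "x.mpeg"
    if marker.is_file() and marker.stat().st_size == 0:
        hits.append(("zero-byte marker file", "x.mpeg"))
    for entry in sorted(root.iterdir()):
        if entry.name.lower() in DROPPED_NAMES:
            hits.append(("known dropped filename", entry.name))
        if entry.is_dir():
            # Folder hidden and shadowed by <folder>.exe carrying the same name
            twin = root / (entry.name + ".exe")
            if twin.is_file():
                kind = "hidden dir" if is_hidden(entry) else "dir"
                hits.append(("exe shadowing " + kind + " " + entry.name, twin.name))
        elif entry.suffix.lstrip(".").lower() in TARGET_EXTS:
            # Same trick for media/document files; the advisory does not say whether
            # the copy is <stem>.exe or <name>.exe, so both conventions are checked
            for twin in (root / (entry.stem + ".exe"), root / (entry.name + ".exe")):
                if twin.is_file():
                    hits.append(("exe shadowing file " + entry.name, twin.name))
    return hits

def demo() -> list:
    """Constructed sample drive (not a real infection) to exercise scan_drive."""
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_text("[autorun]\n")
    (root / "x.mpeg").touch()
    (root / "Photos").mkdir()
    (root / "Photos.exe").write_bytes(b"MZ")
    (root / "report.doc").write_bytes(b"doc")
    (root / "report.doc.exe").write_bytes(b"MZ")
    (root / "Passwords.exe").write_bytes(b"MZ")
    (root / "notes.txt").write_text("clean file with no twin")
    return scan_drive(root)
```

Run scan_drive() against the root of a mounted removable drive; a clean drive returns an empty list.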