| Malware name | Worm.Autorun.FY.1 |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | FFEEECB3AB1BB248968A89C75671C792 |
| Static file | yes |
| Filesize | 229,621 Bytes |
| Wildlist entry | yes |

Alias names (also known as):
| Sophos | W32/Imaut-A |
| McAfee | W32/Autorun.worm.g |
| CA ETrust | Win32/Nuqel.AA |

| Propagation | Mapped network drives |
Description:
Files
It copies itself to the following locations:
• %WINDIR%\smss.exe
• %WINDIR%\killer.exe
• %WINDIR%\Funny UST Scandal.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\lsass.exe
• %drive%\smss.exe
• %drive%\Funny UST Scandal.avi.exe
The following file is created:
– %drive%\autorun.inf This is a non-malicious text file with the following content:
• [autorun]
open = smss.exe
shell\Open\Command=smss.exe
shell\Open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\Command=smss.exe
Registry
One of the following values is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Runonce="%WINDIR%\smss.exe"
The following registry keys are added in order to load the service after reboot:
– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Shell="explorer.exe, killer.exe"
The following registry keys are added:
– [HKCR\.vbs]
• (Default)="exefile" (Hidden)
– [HKCR\.reg]
• (Default)="exefile" (Hidden)
The following registry key is changed:
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Old value:
• CheckedValue=dword:00000001
New value:
• CheckedValue=dword:00000000
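
The autorun.inf content and the Winlogon Shell value described above can be triaged with a short script. The following is an added example, not part of the original description or any vendor tool: it parses an autorun.inf, reports every entry that launches an executable, and lists programs appended to the Winlogon Shell value. The function names and the extension list are assumptions, and the sample input is constructed from the values listed on this page.

```python
import re

# Constructed sample: the autorun.inf content listed in this description.
SAMPLE_AUTORUN_INF = r"""[autorun]
open = smss.exe
shell\Open\Command=smss.exe
shell\Open\Default=1
shell\Explore\Command=smss.exe
shell\Autoplay\Command=smss.exe
"""

# [autorun] keys that start a program: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Assumed list of file types worth flagging when launched from a drive root.
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs)\b", re.I)


def autorun_launch_entries(text):
    """Return {key: command} for each launching entry in the [autorun] section."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            entries[key.lower()] = value
    return entries


def flag_autorun(text):
    """Launching entries whose command refers to an executable file type."""
    return {k: v for k, v in autorun_launch_entries(text).items()
            if EXECUTABLE.search(v)}


def extra_winlogon_shell_entries(shell_value):
    """Programs in the Winlogon Shell value other than the default explorer.exe."""
    items = [e.strip().lower() for e in shell_value.split(",") if e.strip()]
    return [e for e in items if e != "explorer.exe"]


if __name__ == "__main__":
    for key, command in flag_autorun(SAMPLE_AUTORUN_INF).items():
        print(f"autorun.inf: {key} -> {command}")
    print("Winlogon Shell extras:", extra_winlogon_shell_entries("explorer.exe, killer.exe"))
```
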
File details
Runtime packer: To make detection more difficult and reduce the size of the file, it is packed with the following runtime packer:
• UPX