File Information
- MD5 : 1B1192D4C84DABB0E1E01DC4D06B013A
- SHA : 6E569AE7698DA62C5B0466C9D16CC57E666F7C8C
Aliases
- AVG: Worm/VB.BDBS
- Symantec: W32.Changeup!gen6
- NOD32: Win32/AutoRun.VB.SL
“W32.Autorun.worm.c” is a worm that may propagate via removable drives or network shares. It is also designed to download malicious files from websites controlled by the malware author.
When executed, the malware connects to the following websites to download malicious files from the remote server.
- ns1.vi[removed]hares.com using remote port 8000
- ns1.pla[removed]523.com using remote port 8000
The following sites are contacted using remote port 80.
- ns1.vi[removed]res.com
- 78.[removed].122
- 109.[removed].42
- 78.[removed].122
- http://www.vide[removed]net/?media=u7xrTq&embedded=false
The following files have been added to the system:
- %Temp%\4.tmp [Found to be Trojan]
- %Temp%\6.tmp [Found to be Trojan]
- %userprofile%\piufoij.exe [Found to be Worm]
- %userprofile%\vpnmon\vpnmon.exe [Found to be Trojan]
- [Removable Drive]:\autorun.inf [Found to be Worm]
- [Removable Drive]:\naufe.exe [Found to be Worm]
- [Removable Drive]:\naufex.exe [Found to be Worm]
- [Removable Drive]:\piufoij.exe [Found to be Worm]
The file “autorun.inf” is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
[auTOrUn]
acTion=Open folder to view files
ShELlExeCUTe=nAuFE.exE
ICON=%syStEMROoT%\SYSTEM32\shEll32.dll,4
USEaUtoplAY=1
The downloaded file also copies itself under the names of the existing folders and sets the hidden attribute on those folders so that they are no longer shown.
The newly created files look like folders, so when one is opened the Trojan executes in the background and at the same time opens the corresponding original folder for the user to view.
The Trojan creates the following folder links on removable media:
- Music
- Video
- Documents
- Pictures
When any of the above-mentioned folder links is opened, the Trojan executes.
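As an added defender-side example (not code from the original advisory), the following Python recovers the executable an autorun.inf would launch while matching section and key names case-insensitively, as Windows does, so the mixed-case keys quoted above are no obstacle, and flags the folder-mimicking pattern described above (a hidden folder beside an .exe of the same name). The sample autorun.inf and drive listing are constructed for the example.

```python
import configparser
import os
import stat

# Constructed sample autorun.inf, mirroring the mixed-case keys quoted above.
SAMPLE_AUTORUN = """[auTOrUn]
acTion=Open folder to view files
ShELlExeCUTe=nAuFE.exE
ICON=%syStEMROoT%\\SYSTEM32\\shEll32.dll,4
USEaUtoplAY=1
"""

def autorun_targets(text):
    """Executables an autorun.inf would launch. Section and key names are
    compared case-insensitively, as Windows does, so mixed case hides nothing."""
    cp = configparser.ConfigParser(interpolation=None)   # keep %...% literal
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):             # keys are lowercased by default
            if cp.has_option(section, key):
                targets.append(cp.get(section, key).strip().lower())
    return targets

def masquerading_exes(entries):
    """entries: (name, is_dir, is_hidden) tuples for one directory. Flags <name>.exe
    files that sit beside a hidden folder <name>: the folder-mimicking trick above."""
    hidden_dirs = {n.lower() for n, d, h in entries if d and h}
    return sorted(n for n, d, h in entries
                  if not d and n.lower().endswith(".exe")
                  and n[:-4].lower() in hidden_dirs)

def list_drive(root):
    """Build entries for masquerading_exes() from a real directory. Only Windows
    reports st_file_attributes; elsewhere the hidden flag is reported as False."""
    out = []
    for e in os.scandir(root):
        attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
        out.append((e.name, e.is_dir(), bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out

# Constructed listing of an infected removable drive, as described above.
SAMPLE_LISTING = [
    ("autorun.inf", False, True), ("naufe.exe", False, True),
    ("Music", True, True), ("Music.exe", False, False),
    ("Documents", True, True), ("Documents.exe", False, False),
    ("Pictures", True, False), ("Pictures.exe", False, False),  # folder visible: not flagged
]

if __name__ == "__main__":
    print(autorun_targets(SAMPLE_AUTORUN))    # ['naufe.exe']
    print(masquerading_exes(SAMPLE_LISTING))  # ['Documents.exe', 'Music.exe']
```

On a live machine, `masquerading_exes(list_drive("E:\\"))` applies the same check to a mounted removable drive.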
The following Registry values have been added to the system:
- [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\] Toahea="%userprofile%\toahea.exe /W"
- [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\] piufoij="%userprofile%\piufoij.exe /Q"
- [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\] vpnmon="%userprofile%\vpnmon\vpnmon.exe"
The above registry entries ensure that the malware executes at Windows startup.
- [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
- Maxhttpredirects="0x000022B8"
- enablehttp1_1="0x00000001"
- ProxyEnable="0x00000000"
The worm also propagates through the following IM and social networking sites:
- facebook.com
- twitter.com
- YahooMessenger
- msnmsgr
Numerous .wma files are also downloaded from the remote server into %ProgramFiles%\eMule\Incoming, causing a DoS (Denial of Service) condition that denies the user normal system activities.
The following folders have been added to the system.
- %userprofile%\vpnmon
- %ProgramFiles%\eMule
- %ProgramFiles%\eMule\Incoming
[Where %Temp% is the Temp directory, %userprofile% is C:\Documents and Settings\[UserName], and %ProgramFiles% is C:\Program Files]
Symptoms
- Presence of the above-mentioned files, registry entries and activities.
- Presence of unexpected connections to the above-mentioned sites.