TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
WORM_IMAUT.AA
Overview
Solution
Technical Details

File type: PE

Memory resident:  Yes

Size of malware: 807,388 Bytes (compressed)

Initial samples received on: Mar 31, 2008

Compression type: UPX

Payload 1: Downloads files

Details:

Arrival, Installation and Autostart Technique

This worm may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, it drops the following files:

  • %System%\regsvr.exe - copy of itself
  • %System%\winhelp.exe - copy of itself
  • %System%\setup.ini - detected as Mal_Otorun2
  • %System%\rundll.exe - detected as WORM_IMAUT.Q
  • %Windows%\regsvr.exe - copy of itself
  • %windows\winhelp.ini - non malicious

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.%Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. )

This worm creates the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
Yahoo Messengger = "%System%\regsvr.exe"

It modifies the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Shell = "Explorer.exe" "Explorer.exe rundll.exe""

(Note: The default value data for the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
System = "Winhelp.exe"

(Note: The default value data for the said registry entry is blank.)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy. It creates the following scheduled task to enable its automatic execution at the specified date and/or time using the following strings:

Create task: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %System%\Winhelp.exe

Other System Modifications

This worm creates the following registry entries to disable Task Manager:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\System
DisableRegistryTools = "1"
DisableTaskMgr = "0"

It creates the following registry key(s)/entry(ies):

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NofolderOptions = "0"

Propagation via Physical/Removable/Floppy Drives

This worm drops copies of itself in all removable drives. It also drops an AUTORUN.INF file to automatically execute its dropped copies when the said drives are accessed. The AUTORUN.INF file contains the following strings:

Open=regsvr.exe
Shellexecute=regsvr.exe
Shell\Open\Command=regsvr.exe
Shell=Open

Download Routine

This worm resolves the hostname by attempting to obtain the machine's IP address. It waits for active Internet connection to connect to a specified URL, possibly to download a malicious file or an update of itself.

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Jason Pantig


For additional information about this threat, see:
Overview
Solution

Search a new malware

Tell us how we did. Take our quick survey.