Win32/Folstart is a family of worms that spread via removable drives and modify system settings.
Installation
You may have been infected by Win32/Folstart by connecting your computer to an already-infected USB drive.
Win32/Folstart creates a copy of itself as the following file:
%APPDATA%\Start\update.exe
Creating a copy in this location enables the worm to run at each Windows start.
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7, and 8, the default location is "C:\Users\<user>\AppData\Roaming".
Win32/Folstart may also copy itself as "Microsoft Update.exe" to the following location:
%APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\
Win32/Folstart also creates the following hidden folders, possibly as an infection marker:
- %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
- %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr
The worm may delete the original copy of itself by running a batch command.
Spreads via...
Removable drives
Win32/Folstart checks the following registry entry to determine if and how many USB devices are connected to your computer:
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum
If a USB device is found, the worm copies itself to the drive as an executable file using the same name as a folder on the drive, without an extension. It also uses an icon that makes the file look like a folder.
In the pictured example below, the folder called "new folder" is actually an executable file, "new folder.exe"; however, the name, lack of an extension, and the use of the folder's icon are all designed to mislead you into thinking the worm's copy is actually a folder, in the hopes that you will attempt to "open" that folder, and instead inadvertently run the worm.
Win32/Folstart also creates the following hidden folders on the USB drive, possibly as an infection marker:
- <USB drive>\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
- <USB drive>\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr
Payload
Modifies system settings
Win32/Folstart modifies your computer's security settings by making a number of changes to the registry.
It prevents the display of hidden files in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
It prevents the display of file extensions in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
It prevents the display of files that have "SYSTEM" and "HIDDEN" attributes in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
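As an added example (not part of this analysis, and not code from the malware or from Microsoft), the following Python script checks a removable drive for the folder-named executable and the hidden marker folders described under "Spreads via", and compares Explorer settings against the three values listed under "Payload". It builds a constructed sample drive layout in a temporary directory so it runs offline; on a real Windows host the Explorer values would be read from HKCU with winreg, which is assumed rather than shown here.

```python
import os
import tempfile
from pathlib import Path

# Marker folder paths from the "Spreads via" section (the SID-like folder name is the one quoted there).
MARKER_SID = "S-1-5-31-1286970278978-5713669491-166975984-320"
USB_MARKER_DIRS = [
    Path("Usb 2.0 Driver") / MARKER_SID / "dmc",
    Path("Usb 2.0 Driver") / MARKER_SID / "tlsr",
]
# Explorer\Advanced values and the data the worm writes to them (from the "Payload" section).
WORM_EXPLORER_VALUES = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}


def find_folder_impersonators(drive_root):
    """Return files named '<folder>.exe' that sit beside a real folder called '<folder>'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(drive_root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() in folders:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def find_usb_markers(drive_root):
    """Return the marker folders (as relative path strings) present on the drive."""
    root = Path(drive_root)
    return [str(rel) for rel in USB_MARKER_DIRS if (root / rel).is_dir()]


def explorer_settings_tampered(values):
    """values: mapping of Explorer\\Advanced value names to ints (on a real host, read from
    HKCU with winreg; passed in here so the check runs offline). Returns the names whose
    data matches what the worm sets."""
    return [name for name, data in WORM_EXPLORER_VALUES.items() if values.get(name) == data]


def build_sample_drive():
    """Constructed sample only: a temp directory laid out like an infected removable drive."""
    root = Path(tempfile.mkdtemp(prefix="folstart_demo_"))
    (root / "new folder").mkdir()
    (root / "new folder.exe").write_bytes(b"MZ-constructed-stub")  # disguised worm copy
    (root / "photos").mkdir()
    (root / "notes.txt").write_text("benign")
    (root / USB_MARKER_DIRS[0]).mkdir(parents=True)  # hidden "dmc" marker folder
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    print("folder impersonators:", [str(p) for p in find_folder_impersonators(drive)])
    print("marker folders:", find_usb_markers(drive))
    print("tampered Explorer values:", explorer_settings_tampered({"Hidden": 2, "HideFileExt": 1}))
```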
Additional information
Win32/Folstart creates a mutex named "LDLLMAIN" as an infection marker to prevent multiple instances running on your computer.
Analysis by Francis Allan Tan Seng