Worm:AutoIt/Utoti.A is a worm that copies itself to fixed and removable drives, terminates processes, deletes files, and alters Windows settings.
Installation
This is a worm coded in AutoIt script and compiled as a Windows executable. When this worm is run, it drops a copy of itself into a newly created folder, as follows:
<system folder>\Microsoft\Msmsgs.exe
The file attributes of the worm are then modified to 'read-only', 'hidden' and 'system'. Next, it registers itself to run when Windows starts by modifying registry data:
Modifies value: Userinit
With data: "<system folder>\userinit.exe <system folder>\Microsoft\Msmsgs.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Spreads Via…
Removable Drives
This worm will perform a file copy routine that will transfer a copy of itself to all removable drives. The worm transfer process is performed in the following way:
copy of worm is dropped as '\system.exe'
file attributes of the worm are then modified to 'read-only', 'hidden' and 'system'
for every file already on the removable drive, drops a copy of worm as <existing file.extension>.exe
file attributes of <existing file.extension> are modified to 'hidden'
'hidden' and 'system' file attributes are removed from worm copies <existing file.extension>.exe, making the worm discoverable
Note: Worm:AutoIt/Utoti.A will search each fixed drive for the presence of '\autorun.inf'. For each instance found, the 'read-only' file attributes are removed, then the file is deleted.
Payload
Modifies System Security Settings
This worm attempts to copy itself as '%ProgramFiles%\ESET\nod32.exe', essentially replacing any existing file with the same name. The worm then attempts to delete the following files:
%ProgramFiles%\ESET\nod32.exe
%ProgramFiles%\ESET\nod32kui.exe
%ProgramFiles%\ESET\nod32krn.exe
Worm:AutoIt/Utoti.A also further modifies the registry:
Deletes value: ImagePath
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn
Deletes value: ImagePath
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv
Additionally, the worm attempts to remove the 'read-only' file attribute from <system folder>\wininit.exe, then deletes the file.
Terminates Processes
This worm checks for the following processes and closes them if found:
winsystem.exe
handydriver.exe
kerneldrive.exe
wscript.exe
cmd.exe
nod32krn.exe
nod32kui.exe
Modifies System Settings
AutoIt/Utoti checks for the following processes, and if any are found running, restarts the affected machine:
msconfig.exe
rstrui.exe
regedit.exe
taskmgr.exe
mmc.exe
This worm alters Windows settings by modifying the registry so that hidden files are not viewable, even if the Windows Explorer option is set to view hidden files or folders. Worm:AutoIt/Utoti.A modifies the following registry data:
Modifies value: SuperHidden
With data: 0
Modifies value: ShowSuperHidden
With data: 0
Modifies value: HideFileExt
With data: 1
Modifies value: Hidden
With data: 2
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Utoti alters Windows settings by modifying the following registry data within the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:
Modifies value: NoFind
With data: 1
Modifies value: NoFolderOptions
With data: 1
AutoIt/Utoti alters Windows settings by modifying the following registry data:
Modifies value: DisableTaskMgr
With data: 1
Modifies value: DisableRegistryTools
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Modifies Internet Explorer Settings
Utoti alters Internet Explorer settings by deleting customized "Window Title" registry data:
Deletes value: "Window Title"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
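As an added example (not part of the original description), the following Python script checks a registry export for the Winlogon Userinit persistence entry from the Installation section and the Explorer and policy values listed under Modifies System Settings. It assumes a .reg export as produced by regedit or reg export; the sample export embedded in it is constructed.

```python
# Indicators taken from the Utoti.A description above; the .reg text below is constructed.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POL_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DROPPER = r"\microsoft\msmsgs.exe"   # Userinit is made to chain-load this copy
WORM_DWORDS = {  # (key, value name) -> DWORD data the worm writes
    (ADVANCED, "SuperHidden"): 0, (ADVANCED, "ShowSuperHidden"): 0,
    (ADVANCED, "HideFileExt"): 1, (ADVANCED, "Hidden"): 2,
    (POL_EXPLORER, "NoFind"): 1, (POL_EXPLORER, "NoFolderOptions"): 1,
    (POL_SYSTEM, "DisableTaskMgr"): 1, (POL_SYSTEM, "DisableRegistryTools"): 1,
}

def parse_reg_export(text):
    """Minimal .reg parser: {key: {name: data}}, keys/names lowercased, dwords as int."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            values.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith("dword:"):
                values[key][name.strip('"').lower()] = int(data[6:], 16)
            else:  # REG_SZ: .reg doubles backslashes, undo that
                values[key][name.strip('"').lower()] = data.strip('"').replace("\\\\", "\\")
    return values

def find_utoti_indicators(values):
    """Return one finding per worm-specific registry change present in the export."""
    findings = []
    userinit = values.get(WINLOGON.lower(), {}).get("userinit", "")
    if isinstance(userinit, str) and DROPPER in userinit.lower():
        findings.append(f"Winlogon\\Userinit chains the dropper: {userinit}")
    for (key, name), data in WORM_DWORDS.items():
        if values.get(key.lower(), {}).get(name.lower()) == data:
            findings.append(f"{name} = {data} under {key}")
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe C:\\Windows\\system32\\Microsoft\\Msmsgs.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""
```

Running find_utoti_indicators(parse_reg_export(SAMPLE_REG)) on the constructed export reports five findings; a clean Userinit value and default Explorer settings report none.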