Worm:BAT/Autorun.L is a destructive worm that spreads via logical drives and peer-to-peer networks. It terminates processes, mostly ones belonging to security programs, modifies a number of system settings, and deletes certain files, such as MP3 files.
Installation
Worm:BAT/Autorun.L copies itself to the following locations:
%APPDATA%\Microsoft\csrss.exe
%APPDATA%\services.exe
%APPDATA%\winlogon.exe
%PROGRAMFILES%\windows NT\Accesorios\wordpad.exe
%SYSTEMDRIVE%\Docume~1\Default User\Menú Inicio\Programas\Inicio\win.scr
%SYSTEMDRIVE%\RECYCLER\NTDETECT.exe
%SYSTEMDRIVE%\WINDOWS.exe
%USERPROFILE%\Config~1\Datosd~1\Microsoft\winlogon.scr
%USERPROFILE%\Datos de programa.exe
%USERPROFILE%\Datosd~1\Microsoft\Internet Explorer\Quick Launch\Mis documentos.exe
%windir%\notepad.exe
%windir%\svchost.exe
%windir%\system32.exe
%windir%\taskmgr.exe
%windir%\system32\drivers\etc.exe
%windir%\system32\drivers\etc\Proceso inactivo del sistema.com
%windir%\system32\notepad.exe
C:\RECYCLER\NTDETECT.exe
If the folders in which it tries to copy itself do not exist, the worm does not drop these copies.
It then hides the following files and folders:
%windir%
%windir%\system32
%windir%\notepad.exe
%windir%\system32\notepad.exe
Since this worm drops a copy of itself in the root of the system drive as WINDOWS.EXE using the file-folder icon, hiding the real Windows directory makes it likely that a user will double-click the worm and re-infect the system.
It creates the following registry entries to enable its dropped copies to run every time Windows starts:
Adds value: "explorer.exe"
With data: "%APPDATA%\Microsoft\csrss.exe"
To subkey: HKCU\Software\Microsoft\windows\CurrentVersion\Run
Adds value: Shell
With data: "Explorer.exe %SYSTEMDRIVE%\RECYCLER\NTDETECT.exe"
To subkey: HKLM\SOFTWARE\Microsoft\windows NT\CurrentVersion\winlogon
Adds value: "CTFMON.exe"
With data: "%windir%\svchost.exe"
To subkey: HKLM\Software\Microsoft\windows\CurrentVersion\Run
It also overwrites the following registry entries so that its dropped copy runs in place of the original programs:
Modifies values: "GPEDIT.MSC", "attrib.exe", "cmd.exe", "command.exe", "del.exe", "Dxdiag.exe", "notepad.exe", "reg.exe", "regedit.exe", "taskkill.exe", "tskill.exe", "HELPCTR.exe", "MSCONFIG.exe", "VenoM.exe", "wordpad.exe", "666.exe"
With data: "%windir%\system32\drivers\etc\Proceso inactivo del sistema.com"
To subkey: HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\App Paths
Spreads Via...
Logical Drives
Worm:BAT/Autorun.L copies itself to the root of drives C: to N: as \System.Volume.Information\LucifeR.exe. It also creates an autorun.inf file, detected as Worm:BAT/Autorun.L!inf, to enable LucifeR.exe to run automatically when the drive is accessed and Autoplay is enabled.
It also copies itself to drives E: to N: using existing folder names and a folder icon. For example, if a folder called F:\Data exists, the worm copies itself to F:\Data.exe with a folder icon.
File Sharing Networks
Worm:BAT/Autorun.L overwrites all .EXE files in the following folders with the worm executable:
%PROGRAMFILES%\appleJuice\incoming\*.exe
%PROGRAMFILES%\Ares\My Shared Folder\*.exe
%PROGRAMFILES%\BearShare\Shared\*.exe
%PROGRAMFILES%\Direct Connect\Received Files\*.exe
%PROGRAMFILES%\EDONKE~1\incoming\*.exe
%PROGRAMFILES%\eMule\incoming\*.exe
%PROGRAMFILES%\Filetopia3\Files\*.exe
%PROGRAMFILES%\Gnucleus\Downloads\*.exe
%PROGRAMFILES%\Grokster\My Grokster\*.exe
%PROGRAMFILES%\ICQ\Shared~1\*.exe
%PROGRAMFILES%\Kazaa Lite\My Shared Folder\*.exe
%PROGRAMFILES%\Kazaa\My Shared Folder\*.exe
%PROGRAMFILES%\KMD\My Shared Folder\*.exe
%PROGRAMFILES%\LimeWire\Shared\*.exe
%PROGRAMFILES%\Morpheus\My Shared Folder\*.exe
%PROGRAMFILES%\Overnet\incoming\*.exe
%PROGRAMFILES%\Rapigator\Share\*.exe
%PROGRAMFILES%\Shareaza\Downloads\*.exe
%PROGRAMFILES%\Swaptor\Download\*.exe
%PROGRAMFILES%\Tesla\Files\*.exe
%PROGRAMFILES%\Warez P2P Client\My Shared Folder\*.exe
%PROGRAMFILES%\WinMX\My Shared Folder\*.exe
%PROGRAMFILES%\XoloX\Downloads\*.exe
%SystemDrive%\My Shared Folder\*.exe
%USERPROFILE%\Config~1\Datosd~1\Ares\My Shared Folder\*.exe
%windir%\My Shared Folder\*.exe
Payload
Modifies System Settings
Worm:BAT/Autorun.L modifies system settings to make itself more difficult to detect and remove.
Prevents the user from viewing hidden files:
Adds value: "Hidden"
With data: "2"
Adds value: "HideFileExt"
With data: "1"
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Adds value: "NoFind"
With data: "1"
Adds value: "NoFolderOptions"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Prevents system and debugging processes from running:
Adds value: "DisallowRun"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Adds value: "1"
With data: "notepad.exe"
Adds value: "10"
With data: "cmd.exe"
Adds value: "11"
With data: "ibprocman.exe"
Adds value: "12"
With data: "explorer.exe"
Adds value: "2"
With data: "HijackThis.exe"
Adds value: "3"
With data: "wordpad.exe"
Adds value: "4"
With data: "rstrui.exe"
Adds value: "5"
With data: "msconfig.exe"
Adds value: "5"
With data: "taskmgr.exe"
Adds value: "6"
With data: "regedit.exe"
Adds value: "7"
With data: "HiJackThis_v2.exe"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer\DisallowRun
Removes the Properties tab from the My Computer context menu:
Adds value: "NoPropertiesMyComputer"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Prevents files from being moved to the Recycle Bin:
Adds value: "NoRecycleFiles"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\Explorer
Disables Registry Tools and Task Manager:
Adds value: "DisableRegistryTools"
With data: "1"
Adds value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\windows\CurrentVersion\Policies\System
Disables System Restore:
Adds value: "DisableConfig"
With data: "1"
Adds value: "DisableSR"
With data: "1"
To subkey: HKLM\SOFTWARE\Policies\Microsoft\windows NT\SystemRestore
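The autostart entries listed under Installation and the policy values listed above can be checked offline against a registry export. The following Python is an added example, not part of this description: it parses a constructed regedit /e export (string and dword values only) and flags the replaced Winlogon Shell, Run and App Paths values that point at the dropped copies, and the lockdown policy values; the legitimate ctfmon.exe Run entry is included as a control that must not be flagged. It assumes the usual App Paths layout, one subkey per program name whose default value holds the path.

```python
# Constructed regedit /e export from an infected host; @ is a key's default value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"explorer.exe"="%APPDATA%\\Microsoft\\csrss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %SYSTEMDRIVE%\\RECYCLER\\NTDETECT.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmd.exe]
@="%windir%\\system32\\drivers\\etc\\Proceso inactivo del sistema.com"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
'''

# Indicators from the description: dropped-copy paths and lockdown policy values.
DROPPED = (r'%APPDATA%\Microsoft\csrss.exe', r'%windir%\svchost.exe',
           r'%SYSTEMDRIVE%\RECYCLER\NTDETECT.exe',
           r'%windir%\system32\drivers\etc\Proceso inactivo del sistema.com')
LOCKDOWN = {('policies\\system', 'disableregistrytools'): 1, ('policies\\system', 'disabletaskmgr'): 1,
            ('policies\\explorer', 'disallowrun'): 1, ('explorer\\advanced', 'showsuperhidden'): 0}

def parse_reg(text):
    """Return {key: {value_name: data}} from .reg text (string and dword values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line[:1] in ('"', '@') and '=' in line:
            name, _, data = line.partition('=')
            keys[current][name.strip('"')] = (int(data[6:], 16) if data.startswith('dword:')
                                              else data.strip('"').replace('\\\\', '\\'))  # .reg doubles '\'
    return keys

def classify(key, name, data):
    """Reason string if this value matches an indicator from the description, else None."""
    k, n = key.lower(), name.lower()
    if k.endswith('\\winlogon') and n == 'shell':
        return None if str(data).lower() == 'explorer.exe' else 'Winlogon Shell replaced'
    if isinstance(data, str) and any(p.lower() in data.lower() for p in DROPPED):
        return 'autostart or App Paths entry points at a dropped copy'
    if any(k.endswith(s) and n == v and data == d for (s, v), d in LOCKDOWN.items()):
        return 'lockdown policy value written by the worm'
    return None

def audit(text):
    return [(key, name, why) for key, values in parse_reg(text).items()
            for name, data in values.items() if (why := classify(key, name, data))]
```

Running audit(SAMPLE_REG) returns five findings: the csrss.exe Run value, the replaced Shell, the cmd.exe App Paths default, and the two policy values; the ctfmon.exe entry is left alone.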
Terminates Security Processes
Worm:BAT/Autorun.L terminates certain processes with the following names:
Ad-Aware.exe
Ad-Watch.exe
avgamsvr.exe
AVGCC32.exe
AVGSERV9.exe
avgupsvc.exe
ccApp.exe
ccEvtMgr.exe
ccleaner.exe
ccProxy.exe
ccSetMgr.exe
DefWatch.exe
egui.exe
ekrn.exe
ewidoctrl.exe
gcasDtServ.exe
gcasServ.exe
integrator.exe
ISSVC.exe
kav.exe
kavsvc.exe
navapsvc.exe
NMAIN.exe
no-spy.exe
nod32krn.exe
nod32kui.exe
NOPDB.exe
NPROTECT.exe
RegCleanr.exe
Rtvscan.exe
SBServ.exe
SNDSrvc.exe
SPBBCSvc.exe
spyaxe.exe
SpySweeper.exe
SpywareStrike.exe
symlcsvc.exe
SymWSC.exe
SynTPEnh.exe
SynTPLpr.exe
vsmon.exe
VsStat.exe
WRSSSDK.exe
zlclient.exe
zonealarm.exe
It also terminates processes whose names contain any of the following strings:
AcctMgr
Active
Alogserv
amon
AnVir
avpmon
av
atrack
aut
atupdate
aupdate
bawindo
blackd
ccapps
ccpxysvc
ccvpupd
cfiaudit
drwebupw
escan
fire
fspex
guard
icsup
luall
mcupdate
mcvs
msdev
nisum
nupgrade
ollydbg
outpost
pav
peid
petools
poproxy
RegSeeker
rulaunch
Synaptics
systray
TJEnder
Update
vet95
vshwin
w32dasm
winhex
wscript
xpshare
AVGUARD
AVWUPSRV
AVGNT
AVSched32
FrameworkService
Mcshield
VsTskMgr
SHSTAT
GBPoll
navapsvc
NPFMntor
NPROTECT
NOPDB
NPFMntor
GhostTray
PQV2iSvc
Pagent
pagentwd
pavsched
Pavsrv51
AVENGINE
apvxdwin
pavProxy
avgcc
avgamsvr
avgupsvc
bdoesrv
bdmcon
bdnagent
bdswitch
mcdetect
mctskshd
mcregwiz
mcagent
navapsvc
NPFMntor
navapw32
SAVScan
xcommsvr
livesrv
bdss
ibpro
start
reg
taskm
Hijac
vac
anti
note
ASHSERV
ASHWEBSV
ASHMAISV
ASHDISP
ASWUPDSV
Deletes Files
Worm:BAT/Autorun.L removes files from the folder %PROGRAMFILES%\KASPERSKY LAB\Kaspersky Anti-Virus 7.0, if that folder is present.
It also removes the following folders and their contents:
%CommonProgramFiles%\Softwin
%CommonProgramFiles%\Symantec Shared
<system folder>\ZoneLabs
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
It also removes the following folders from the Program Files folder:
ALWIL SOFTWARE\AVAST4
AVG Free
AVG7
AVGant~1
AVPersonal
Avg
CCleaner
ESET\ESET NOD32 Antivirus
ESet
Ewidoa~1
GRISOFT\AVG6
Grisoft
KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL
Lavasoft\Ad-Aware SE Professional
McAfee\McAfee VirusScan
Mcafee~1
Microsoft AntiSpyware
Microt~1
NOD32a~1
Network Associates
Norton AntiVirus
Norton Internet Security
Norton SystemWorks\Norton AntiVirus
Norton Utilities
Panda
Panda Software\Panda Administrator 3
Panda Software\Panda Antivirus Titanium
RegCleaner
SinEspias
Softwin\BitDefender9
SpyAxe
SpywareStrike
Symantec_Client_Security\Symantec AntiVirus
Synaptics\SynTP
TuneUp Utilities 2006
Viruss~1
Webroot\Spy Sweeper
Zone Labs\ZoneAlarm
adware
adware~1
aio
aioano~1
aiotop~1
ashampoo
avgant~2
bitdef~1
blackice
clamwi~1
counterspy
dr.web
etrust
etrust~1
evonsoft
evonso~1
ewido anti-malware
f-port~1
f-secure
f-secu~1
hideip~1
hideip~2
kasper~1
kerio
keriop~1
keriow~1
keriow~2
mcafee.com\agent
noadware
norton
norton~1
outpost
pandaa~1
pandat~1
portab~1
spyemergency
spyremover
spystopper
spywar~1
spywar~2
steganos
sygate
sygate~1
symantec
systemworks
thespy~1
titani~1
trendm~1
trendm~2
trojankiller
virusd~1
virussafe
virusscan
webroot
webroo~1
winpatrol
xoftspy
zonealarm
Displays Message Box
Worm:BAT/Autorun.L changes the file association of the following file types so that opening them launches %USERPROFILE%\Plantillas\help.hta, a file dropped by this worm:
BAT
CMD
COM
HTML
INF
INI
JS
MSC
PIF
REG
TXT
VBE
VBS
The file help.hta is created only on systems that have the %USERPROFILE%\Plantillas folder. When run, it displays a black background with the white graphic "VenoM?" across the center of the screen and a message box reading "La fuente de voltaje de no es suficiente para el correcto funcionamiento del ordenador, vete a quemar al Infierno un rato e intentelo mas tarde.".
Damages Data
BAT/Autorun.L overwrites MDB files found on drives C: to N: with the following string:
"VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM 666 LucifeR"
It also deletes MP3 files on drives C: to N:.
It also deletes the following files:
%PROGRAMFILES%\Trend Micro\HijackThis\HijackThis.exe
%ALLUSERSPROFILE%\Menú Inicio\Programas\Accesorios\Herramientas del sistema\Tareas programadas.lnk
%USERPROFILE%\Menú Inicio\Programas\Accesorios\Bloc de notas.lnk
%USERPROFILE%\Menú Inicio\Programas\Accesorios\Explorador de windows.lnk
%USERPROFILE%\Menú Inicio\Programas\Accesorios\Símbolo del sistema.lnk
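As an added example, not part of this description, the following Python triages one drive root for the spreading artifacts described under Logical Drives and the overwritten MDB files described under Damages Data: the LucifeR.exe copy under System.Volume.Information, an autorun.inf at the root, .exe files named after a sibling folder (the folder-icon decoys), and .mdb files whose content begins with the VenoM string. It builds a constructed directory tree in a temporary folder so it runs offline; the file contents are placeholders, not real binaries.

```python
import os
import tempfile

# String the worm writes over MDB files, quoted from the description above.
MDB_MARKER = b'VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM VenoM 666 LucifeR'
# Note the dots: the real Windows folder is "System Volume Information".
DROPPED_COPY = os.path.join('System.Volume.Information', 'LucifeR.exe')

def scan_drive(root):
    """Walk one drive root and return (indicator, path) tuples for the worm's artifacts."""
    hits = []
    for rel, label in ((DROPPED_COPY, 'dropped copy'), ('autorun.inf', 'autorun.inf at drive root')):
        if os.path.isfile(os.path.join(root, rel)):
            hits.append((label, os.path.join(root, rel)))
    for dirpath, dirnames, filenames in os.walk(root):
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if ext.lower() == '.exe' and stem.lower() in folders:
                hits.append(('exe named after a sibling folder', path))  # folder-icon decoy
            elif ext.lower() == '.mdb':
                with open(path, 'rb') as fh:
                    if fh.read(len(MDB_MARKER)) == MDB_MARKER:
                        hits.append(('MDB overwritten with marker', path))
    return hits

def build_sample_drive():
    """Constructed fixture: a temp folder laid out like an infected drive; returns its path."""
    root = tempfile.mkdtemp(prefix='drive_')
    for d in ('System.Volume.Information', 'Data', 'Photos'):
        os.makedirs(os.path.join(root, d))
    files = {DROPPED_COPY: b'MZ',                       # placeholder, not a real binary
             'autorun.inf': b'[autorun]\r\n',
             'Data.exe': b'MZ',                          # decoy next to the Data folder
             'setup.exe': b'MZ',                         # no "setup" folder: must not be flagged
             os.path.join('Data', 'report.mdb'): MDB_MARKER,
             os.path.join('Photos', 'index.mdb'): b'\x00\x01\x00\x00Standard Jet DB\x00'}
    for rel, content in files.items():
        with open(os.path.join(root, rel), 'wb') as fh:
            fh.write(content)
    return root

if __name__ == '__main__':
    for label, path in scan_drive(build_sample_drive()):
        print(f'{label}: {path}')
```

On a real system scan_drive would be called once per drive root (C:\ through N:\ in this worm's case); the fixture yields four hits and leaves setup.exe and the intact index.mdb alone.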
Swaps Mouse Buttons
BAT/Autorun.L swaps the mouse buttons so that the left mouse button acts as a right mouse button and the right mouse button acts as a left mouse button.
It also adds a scheduled task that swaps the function of the mouse buttons at the 8th minute of every hour.
Other information
BAT/Autorun.L creates the file %windir%\system\COM*.DLL as an infection marker. This file contains the string:
":: Quemate en el infierno te desea el verdadero Dios 'Lucifer'"
This worm stops execution if the computer name is "VENOM" or the current user name is "Invitado".
The following string is found in the worm code:
"Dedicado a todos los grupos 'Metal y Rock' que es a lo unico que merece llamarse Musica."
This worm also creates the following registry entry:
Adds value: "Tu has sido derrotado de nuevo por VenoM"
With data: "Burn in Hell"
To subkey: HKCU\VenoM.LucifeR.<random number>\suriV
This worm records its activation time in %APPDATA%\Micro$oft\desktop.inf, and records the date and time of each payload execution in %APPDATA%\Micro$oft\desktop.log.
Analysis by Shali Hsieh