Worm:MSIL/Autosipoc.A is a worm that attempts to steal the affected user’s Ares credentials and email this information to an attacker.
Installation
Worm:MSIL/Autosipoc.A copies itself into the folders on each logical drive, naming each copy after the folder it is placed in, but only up to three folder layers below the drive root. For example:
- c:\<folder name>\<folder name>.exe
- c:\<folder name>\<other folder name>\<other folder name>.exe
- c:\<folder name>\<other folder name>\<yet another folder name>\<yet another folder name>.exe
However, the worm would never copy itself to 'c:\<folder name>\<other folder name>\<yet another folder name>\<even yet another folder name>\<even yet another folder name>.exe' because this is more than three layers deep.
Worm:MSIL/Autosipoc.A does this for every folder within that range, so there may be thousands of copies of the worm on the user's computer. In the wild, we have observed the worm copying itself to the following locations:
- C:\tools\tools.exe
- C:\windows\windows.exe
- C:\documents and settings\administrator\administrator.exe
- C:\documents and settings\all users\all users.exe
- C:\documents and settings\default user\default user.exe
- C:\documents and settings\localservice\localservice.exe
- C:\documents and settings\networkservice\networkservice.exe
- C:\msocache\all users\all users.exe
- C:\Program Files\adobe\adobe.exe
- C:\Program Files\ares\ares.exe
- F:\subst\subst.exe
- H:\subst\subst.exe
Note: This list is not exhaustive.
The following locations are exceptions that the worm will not copy itself to:
- D:\$RECYCLE.BIN
- D:\System Volume Information
- C:\$RECYCLE.BIN
- C:\System Volume Information
- E:\$RECYCLE.BIN
- E:\System Volume Information
- F:\$RECYCLE.BIN
- F:\System Volume Information
- Any folder that already contains an executable that is named after the folder that it's in
As well as copying itself as outlined above, Worm:MSIL/Autosipoc.A also drops copies of itself under the following names:
- Music.exe - to all folders on the desktop
- Imagenes2.exe - to %Start Menu%, %My Pictures%, and any subfolders within
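The drop pattern above (a file named after its parent folder, no more than three layers below a drive root, never inside $RECYCLE.BIN or System Volume Information) is regular enough to hunt for. The following script is an added example written for this page, not code from the write-up or from the worm; it walks a root, reports every <folder>\<folder>.exe within the worm's reach, and stops descending past the third layer. The sample tree it scans is constructed in a temporary directory with placeholder files; the function and constant names are the example's own.

```python
"""Hunt for Worm:MSIL/Autosipoc.A-style drops: <folder>\<folder>.exe at most
three folder layers below a drive root (added example, not part of the write-up)."""
import os
import tempfile
from pathlib import Path

# Folders the write-up says the worm never copies itself into.
SKIPPED_DIRS = {"$recycle.bin", "system volume information"}
MAX_DEPTH = 3  # the worm goes no deeper than three folder layers


def is_worm_candidate(path) -> bool:
    """True if `path` is named after its parent folder with an .exe extension.

    Comparison is case-insensitive because NTFS is (Adobe.EXE in \adobe matches).
    """
    p = Path(path)
    return p.suffix.lower() == ".exe" and p.stem.lower() == p.parent.name.lower()


def scan_root(root, max_depth=MAX_DEPTH):
    """Walk `root` and return the relative POSIX-style paths of candidate drops.

    Directories in SKIPPED_DIRS are pruned, and the walk does not descend past
    `max_depth` layers, mirroring the worm's own limits. A scan that needs to
    catch *any* <folder>\<folder>.exe regardless of depth can pass a larger value.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        cur = Path(dirpath)
        depth = len(cur.relative_to(root).parts)  # 0 at the drive root
        # Prune the excluded folders and stop descending at the depth limit.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]
        if depth >= max_depth:
            dirnames[:] = []
        if depth == 0:
            continue  # the worm drops into folders, not a root-level <drive>.exe
        for name in filenames:
            candidate = cur / name
            if is_worm_candidate(candidate):
                hits.append(candidate.relative_to(root).as_posix())
    return sorted(hits)


# Constructed sample layout (relative to a fake drive root) used for the demo.
SAMPLE_FILES = [
    "tools/tools.exe",                      # observed drop, layer 1
    "Program Files/ares/ares.exe",          # observed drop, layer 2
    "a/b/c/c.exe",                          # layer 3, still within reach
    "a/b/c/d/d.exe",                        # layer 4, beyond the worm's reach
    "$RECYCLE.BIN/$RECYCLE.BIN.exe",        # inside an excluded folder
    "a/System Volume Information/System Volume Information.exe",  # excluded
    "windows/notepad.exe",                  # legitimate: name differs from folder
    "Program Files/adobe/Adobe.EXE",        # case differs; still a match on NTFS
]


def build_sample_tree(base):
    """Create the constructed layout under `base` with harmless placeholder files."""
    base = Path(base)
    for rel in SAMPLE_FILES:
        f = base / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ")  # placeholder bytes, not a real executable
    return base


def demo():
    """Build the sample tree in a temp directory, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_root(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Against a real system, call scan_root on each drive root (for example C:\) and review every hit rather than deleting blindly: a legitimately installed program can also live in a folder that shares its name, so the file's properties, signature and hash should be checked before it is treated as a worm copy.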
Spreads via…
Logical drives
Worm:MSIL/Autosipoc.A copies itself to all of the logical drives on a user's computer as outlined in the Installation section. Each copy uses a folder icon so that it looks like a subfolder. The worm has no autorun capabilities; instead it relies on the user opening the worm file in order to run.
Payload
Steals information
Worm:MSIL/Autosipoc.A attempts to steal the Ares peer-to-peer (P2P) nickname from the affected user's computer and email the details to a Gmail and a Hotmail account.
The email appears as follows:
Subject: “<computer name> clic”
Body: “<Ares P2P nickname>” or “no nick” if Ares is not installed on the affected computer
Analysis by Michael Johnson