Threat behavior
Worm:Win32/Ahkarun.A is a worm written as a compiled AutoHotkey script. It spreads through removable drives and sends the user's IP address to a remote server.
Installation
This worm may be present on infected removable media as the following files:
%drive%:\autorun.inf - auto-executing installation script; executes '%drive%:\expl0rer.exe'
%drive%:\expl0rer.exe - Worm:Win32/Ahkarun.A, copies worm from removable drive to local drive
%drive%:\system32.exe - Worm:Win32/Ahkarun.A, copies worm from local drive to removable drive
%drive%:\mail.exe - Blat e-mail component, non-malicious
%drive%:\mail.dll - Blat e-mail component, non-malicious
%drive%:\mail.lib - Blat e-mail component, non-malicious
When infected removable media are attached and Autorun (or Autoplay) is enabled, the script 'autorun.inf' executes Worm:Win32/Ahkarun.A. The worm may perform the following actions:
- Copies its files to the host system:
    copies %drive%:\expl0rer.exe as %WinDir%\EXPL0RER.exe (note that the name contains a zero)
    copies %drive%:\system32.exe as %WinDir%\iexplore.exe
    copies %drive%:\mail.exe as %WinDir%\system32\blat.exe (e-mail client)
    copies %drive%:\mail.dll as %WinDir%\system32\blat.dll (e-mail client)
    copies %drive%:\mail.lib as %WinDir%\system32\blat.lib (e-mail client)
- Sets the file attributes of the copied files to 'ReadOnly', 'System' and 'Hidden'
- Modifies the registry so that Worm:Win32/Ahkarun.A runs at each Windows start:
    Adds value: "iexplore"
    With data: "%windir%\iexplore.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Executes the dropped e-mail client from the command line with parameters, as in the following example:
    %comspec% /c Blat -install <mail server> <mail account>, ,hide
- Identifies the IP address of the infected machine by opening the Web page netikus.net/show_ip.html
- Sends the obtained IP address to a predefined e-mail account
When Windows starts, Worm:Win32/Ahkarun.A executes and waits for removable media such as USB thumb drives to be connected. When such a device is attached, Ahkarun attempts to copy itself and its components to the removable drive as the following files:
%drive%:\autorun.inf
%drive%:\expl0rer.exe
%drive%:\system32.exe
%drive%:\mail.exe
%drive%:\mail.dll
%drive%:\mail.lib
The worm will set the file attributes of the copied files to 'ReadOnly', 'System' and 'Hidden'.
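The following script is an added example for triaging the indicators listed above (the removable-drive file set, the ReadOnly+System+Hidden attribute combination, the autorun.inf launcher and the "iexplore" Run value); it is not Microsoft's code and not part of the write-up. It assumes that autorun.inf is a plain INI file whose [autorun] section launches the worm through an open= or shellexecute= entry, and that %windir% is C:\WINDOWS; the autorun.inf text, drive listing, attribute bits and Run-key values are constructed sample input, so the script runs offline without touching a real file system or registry.

```python
"""Indicator checks derived from the Worm:Win32/Ahkarun.A write-up.

File names, the Run value and the attribute combination come from the
write-up; the autorun.inf text, drive listing, attributes and Run-key
values below are constructed sample input (assumption, not real data).
"""
import stat

# Files the worm writes to the root of a removable drive (from the write-up).
REMOVABLE_FILES = {
    "autorun.inf": "autorun script launching expl0rer.exe",
    "expl0rer.exe": "worm body (zero instead of 'o'), removable-to-local copier",
    "system32.exe": "worm body, local-to-removable copier",
    "mail.exe": "Blat e-mail component (benign on its own)",
    "mail.dll": "Blat e-mail component (benign on its own)",
    "mail.lib": "Blat e-mail component (benign on its own)",
}

# Persistence entry under HKLM\...\CurrentVersion\Run: value name and file.
RUN_VALUE_NAME = "iexplore"
RUN_VALUE_FILE = "iexplore.exe"

# Attribute combination the worm sets on every file it copies.
WORM_ATTRIBUTES = (stat.FILE_ATTRIBUTE_READONLY
                   | stat.FILE_ATTRIBUTE_SYSTEM
                   | stat.FILE_ATTRIBUTE_HIDDEN)


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Hand-rolled instead of configparser so that odd key case, lines without
    '=' and stray whitespace in untrusted input never raise.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launches_worm(text):
    """True if autorun.inf would start expl0rer.exe via open= or shellexecute=."""
    entries = parse_autorun(text)
    return any("expl0rer.exe" in entries.get(k, "").lower()
               for k in ("open", "shellexecute"))


def removable_indicators(filenames):
    """Map each listed file name (case-insensitive) to its role from the write-up."""
    return {n.lower(): REMOVABLE_FILES[n.lower()]
            for n in filenames if n.lower() in REMOVABLE_FILES}


def has_worm_attributes(attrs):
    """True if ReadOnly, System and Hidden are all set in the attribute bits."""
    return attrs & WORM_ATTRIBUTES == WORM_ATTRIBUTES


def run_key_persistence(run_values, windir=r"C:\WINDOWS"):
    """True if a Run value named 'iexplore' points at %windir%\\iexplore.exe.

    Value names are matched case-insensitively, as the registry does.
    """
    values = {k.lower(): v for k, v in run_values.items()}
    data = values.get(RUN_VALUE_NAME)
    if data is None:
        return False
    expected = windir.rstrip("\\") + "\\" + RUN_VALUE_FILE
    return data.strip().strip('"').lower() == expected.lower()


def assess_drive(filenames, autorun_text, attributes):
    """Combine the drive-level checks; attributes maps file name -> attribute bits."""
    found = removable_indicators(filenames)
    launches = autorun_launches_worm(autorun_text)
    hidden = sorted(n.lower() for n, a in attributes.items()
                    if n.lower() in found and has_worm_attributes(a))
    # The Blat files alone prove nothing; require the worm body plus its launcher.
    infected = launches and "expl0rer.exe" in found
    return {"indicators": found, "autorun_launches_worm": launches,
            "hidden_system_readonly": hidden, "infected": infected}


# Constructed sample input (assumption): not taken from a real infected drive.
SAMPLE_AUTORUN_INF = "[AutoRun]\n; constructed for this example\nopen=expl0rer.exe\nicon=expl0rer.exe\n"
SAMPLE_LISTING = ["AUTORUN.INF", "EXPL0RER.EXE", "system32.exe",
                  "mail.exe", "mail.dll", "mail.lib", "holiday.jpg"]
SAMPLE_ATTRIBUTES = {name: WORM_ATTRIBUTES for name in SAMPLE_LISTING[:6]}
SAMPLE_ATTRIBUTES["holiday.jpg"] = stat.FILE_ATTRIBUTE_ARCHIVE
SAMPLE_RUN_VALUES = {"iexplore": r'"C:\WINDOWS\iexplore.exe"',
                     "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}

if __name__ == "__main__":
    for key, value in assess_drive(SAMPLE_LISTING, SAMPLE_AUTORUN_INF,
                                   SAMPLE_ATTRIBUTES).items():
        print(f"{key}: {value}")
    print("run-key persistence:", run_key_persistence(SAMPLE_RUN_VALUES))
```

On a live Windows host the same functions can be fed real data: `os.listdir` on the drive root, `os.stat(path).st_file_attributes` for the attribute bits, and the values of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run read with `winreg`. The Blat components are deliberately reported but never used as the verdict on their own, since Blat is a legitimate tool.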
Additional Information
Worm:Win32/Ahkarun.A uses an icon resembling the standard Windows file folder icon in order to trick a user into opening (that is, executing) the worm.
Analysis by Marian Radu
Prevention