Worm:Win32/Autorun.A is a worm that attempts to spread by copying itself to newly attached media (such as USB storage devices or network drives). It also drops several copies of itself into the system and carries a destructive date-based payload.
Installation
Upon execution, it creates copies of itself in the following locations:
- C:\services.exe
- %windir%\kernel32.ini
- %windir%\smss.exe
- <system folder>\msarti.com
Worm:Win32/Autorun.A modifies the registry to execute itself at each Windows start:
Adds value: @
With data: "<system folder>\msarti.com"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
Adds value: system
With data: "%windir%\kernel32.ini"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This worm also modifies the following registry entries so that it can automatically execute upon user logon and every time Windows Explorer is used.
Adds value: Userinit
With data: "<system folder>\userinit.exe, C:\services.exe,"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: Default value is Userinit = "%sysdir%\userinit.exe,"
Adds value: Shell
With data: "explorer.exe "%windir%\smss.exe""
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Note: Default value is Shell = "Explorer.exe"
So that kernel32.ini, despite its .ini extension, is launched as an executable rather than opened in Notepad, it modifies the following registry entries:
Adds value: @
With data: "%1" %*
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command
Note that the default value is @ = %SystemRoot%\System32\NOTEPAD.EXE %1
Adds value: @
With data: "%1" %*
To subkey: HKEY_CLASSES_ROOT\inifile\shell\open\command
Note that the default value is @ = %SystemRoot%\System32\NOTEPAD.EXE %1
This worm also removes the Folder Options item from Explorer and attempts to hide the file extensions of executable files.
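The registry changes listed above can be checked against their documented defaults without touching a live system, by working from a .reg export of the relevant keys. The following script is an added example and is not part of the original write-up: it parses the string-value subset of the .reg export format, compares the Winlogon Userinit and Shell values and the inifile open command with the defaults quoted above, and reports any Run entry that points at one of the drop locations the write-up names. The .reg text embedded in it is constructed for the example; the key and value names are the ones listed above.

```python
"""Audit the autostart registry locations named in the write-up against their
documented defaults, working from a .reg export so it runs on any platform.

Added example (not from the original write-up); the .reg text below is constructed.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INIFILE_COMMANDS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command",
    r"HKEY_CLASSES_ROOT\inifile\shell\open\command",
)
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
)
# File names/paths the write-up lists as drop locations; a Run entry pointing at
# any of them is reported.
DROP_INDICATORS = ("kernel32.ini", "msarti.com", r"c:\services.exe", r"\smss.exe")
# Default Userinit data is "<system folder>\userinit.exe," with nothing after it.
USERINIT_DEFAULT = re.compile(
    r"^(?:%sysdir%|%systemroot%\\system32|[a-z]:\\win(?:nt|dows)\\system32)\\userinit\.exe,?$",
    re.IGNORECASE,
)


def _unescape(s):
    # .reg exports write a backslash as \\ and a literal quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the string-value subset of the .reg export format into
    {subkey: {value_name: data}}. A key's default value is stored under "@"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
            if m and m.group(3).startswith('"') and m.group(3).endswith('"'):
                name = "@" if m.group(1) == "@" else _unescape(m.group(2))
                keys[current][name] = _unescape(m.group(3)[1:-1])
    return keys


def audit(keys):
    """Return [(location, data)] for every value that departs from its default."""
    by_key = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in keys.items()}
    get = lambda subkey: by_key.get(subkey.lower(), {})
    findings = []
    winlogon = get(WINLOGON)
    userinit = winlogon.get("userinit")
    if userinit is not None and not USERINIT_DEFAULT.match(userinit.strip()):
        findings.append(("Winlogon\\Userinit", userinit))   # extra program appended
    shell = winlogon.get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("Winlogon\\Shell", shell))         # shell replaced or extended
    for subkey in INIFILE_COMMANDS:
        command = get(subkey).get("@")
        if command is not None and "notepad.exe" not in command.lower():
            findings.append((subkey + "\\@", command))      # .ini no longer opens in Notepad
    for subkey in RUN_KEYS:
        for name, data in get(subkey).items():
            if any(ind in data.lower() for ind in DROP_INDICATORS):
                findings.append((subkey + "\\" + name, data))
    return findings


# Constructed .reg export showing the values described in the write-up plus one
# ordinary Run entry that must not be reported.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\services.exe,"
"Shell"="explorer.exe \"C:\\WINDOWS\\smss.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@="%SystemRoot%\\System32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\WINDOWS\\kernel32.ini"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
@="C:\\WINDOWS\\System32\\msarti.com"
'''

if __name__ == "__main__":
    for location, data in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{location}: {data}")
```

On a Windows host, export the five keys with `reg export` (or `regedit /e`) and feed the file's text to `parse_reg_export`; the comparison is deliberately tolerant of the expanded system folder path, so a default Userinit of C:\WINDOWS\system32\userinit.exe, is not reported while an appended C:\services.exe is.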
Spreads Via…
Logical and Removable Drives
The worm drops the following files to the root directory of all located drives on the affected system:
- <username>.exe - a copy of the worm
- auto.exe - a copy of the worm
- auto.inf - a configuration file used to automatically execute auto.exe when a drive is accessed or media is inserted.
It also drops auto.exe and auto.inf to the following location:
%USERPROFILE%\Local Settings\Application Data\Microsoft\CD Burning
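A defender checking a system or a batch of removable media wants to know whether these dropped files are present at a drive root and, if so, what the accompanying .inf would launch. The script below is an added example, not code from the original write-up: it lists each root for the file names given above (auto.exe, auto.inf and <username>.exe), parses any .inf it finds as an INI file and reports the program named in its [autorun] section. The name autorun.inf is included in addition to the page's list because it is the file name Windows AutoRun itself reads; the temporary "infected root" it builds for demonstration is constructed data, and the [autorun] contents inside it are assumed, not taken from a sample.

```python
"""Look for the files the write-up says the worm drops at the root of every drive and
in the CD Burning staging folder, and report what any dropped .inf would launch.

Added example (not from the original write-up). File names come from the write-up;
autorun.inf is added because it is the name Windows AutoRun reads.
"""
import configparser
import os
import string
import tempfile

DROPPED_NAMES = {"auto.exe", "auto.inf", "autorun.inf"}
CD_BURNING = r"%USERPROFILE%\Local Settings\Application Data\Microsoft\CD Burning"


def launched_by_inf(path):
    """Return the program an INI-style .inf would run from its [autorun] section, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_string(fh.read())
    except (OSError, configparser.Error):
        return None
    for section in parser.sections():
        if section.lower() == "autorun":
            # ConfigParser lower-cases option names, so "Open=" and "open=" both match
            return (parser.get(section, "open", fallback=None)
                    or parser.get(section, "shellexecute", fallback=None))
    return None


def scan_roots(roots, username):
    """Return [(path, reason)] for files at each root that match the dropped names."""
    names = DROPPED_NAMES | {f"{username}.exe".lower()}
    findings = []
    for root in roots:
        try:
            entries = sorted(os.listdir(root))
        except OSError:
            continue  # drive not present or not ready
        for entry in entries:
            if entry.lower() not in names:
                continue
            path = os.path.join(root, entry)
            findings.append((path, "matches dropped file name"))
            if entry.lower().endswith(".inf"):
                target = launched_by_inf(path)
                if target:
                    findings.append((path, f"inf launches {target}"))
    return findings


def build_demo_root(username="alice"):
    """Create a temporary directory that mimics an infected drive root (constructed data)."""
    root = tempfile.mkdtemp(prefix="drive_root_")
    for name in ("auto.exe", f"{username}.exe", "readme.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder")  # contents are irrelevant to the name check
    with open(os.path.join(root, "auto.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=auto.exe\nicon=auto.exe\n")  # assumed layout
    return root


def windows_roots():
    """Drive roots plus the CD Burning folder named in the write-up, on a Windows host."""
    roots = [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]
    roots.append(os.path.expandvars(CD_BURNING))
    return roots


if __name__ == "__main__":
    roots = windows_roots() if os.name == "nt" else [build_demo_root()]
    for path, reason in scan_roots(roots, os.environ.get("USERNAME", "alice")):
        print(f"{path}: {reason}")
```

The scan only matches names, so a hit should be followed by hashing and submitting the file rather than treated as confirmation on its own; the .inf parse is there to show which executable the media would hand to AutoRun, which is the detail that matters when deciding whether other drives that were attached need the same check.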
Payload
Deletes Files
The worm attempts to delete all files from the C: drive when the system date is any of the following:
January 14
February 14
September 11
November 2
December 25