Worm:Win32/Autorun.BO is a worm that may drop a backdoor trojan (identified as Backdoor:Win32/Bifrose.gen!A) and connect with remote Web sites.
Installation
When this worm is run, it may drop the following files:
%windir%\msmsgs.exe - copy of Worm:Win32/Autorun.BO
%windir%\debug\sysdeb.ini - configuration data file
Win32/Autorun.BO modifies the registry to execute its copy at each Windows start.
Adds value: "Windows Messenger"
With data: "%windir%\msmsgs.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The filename "msmsgs.exe" is the same as that of Microsoft's Windows Messenger chat application, and the dropped file's icon is the same as the one used by the real Messenger application, so the copy is easy to mistake for a legitimate component.
Spreads Via…
Removable Drives
Win32/Autorun.BO monitors when a removable drive is mounted, and attempts to drop the following files to the newly connected device:
<drive:>\autorun.inf
<drive:>\RECYCLER\RECYCLER\autorun.exe
<drive:>\RECYCLER\RECYCLER\desktop.ini
The AUTORUN.INF file instructs Windows to execute AUTORUN.EXE with the parameter "-autorun" (command line "autorun -autorun"). The "-autorun" parameter opens a Windows Explorer window at the root of the removable drive, so the user sees the drive contents they expected to see while the worm runs.
The DESKTOP.INI configuration file instructs Windows Explorer to display the 'RECYCLER' folder as if it were the Recycle Bin, which hides the dropped files from casual inspection.
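The removable-drive artifacts above, as an added triage example that is not part of the original analysis: it parses an autorun.inf and the RECYCLER\RECYCLER\desktop.ini from a drive root and flags the pattern described (a launch key pointing at RECYCLER\RECYCLER\autorun.exe, the "-autorun" decoy parameter, and a desktop.ini CLSID that presents the folder as the Recycle Bin). The sample file contents are constructed, since the write-up describes what the files do and not their exact bytes; the Recycle Bin CLSID {645FF040-5081-101B-9F08-00AA002F954E} is a well-known Windows constant assumed here rather than quoted from the write-up, and the function names are the example's own.

```python
"""Triage of the removable-drive artifacts described above.

Added example, not part of the original analysis. The autorun.inf and
desktop.ini contents below are constructed for illustration: the write-up
describes what those files do, not their exact bytes.
"""
import re
from pathlib import Path
from typing import Dict, List

# Shell-folder CLSID that makes Explorer render a folder as the Recycle Bin
# (well-known Windows constant; assumed here, not quoted in the write-up).
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

# autorun.inf keys that can launch a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute",
               "shell\\open\\command", "shell\\explore\\command")


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style text into {section: {key: value}} with section and key
    names lower-cased. Hand-rolled rather than configparser so that junk
    lines, duplicate keys and a leading BOM do not abort the parse."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_removable_drive(autorun_inf: str, desktop_ini: str = "") -> List[str]:
    """Return indicators matching the Autorun.BO removable-drive pattern."""
    findings: List[str] = []
    auto = parse_inf(autorun_inf).get("autorun", {})
    for key in LAUNCH_KEYS:
        cmd = auto.get(key)
        if not cmd:
            continue
        if re.search(r"recycler[\\/]recycler[\\/]autorun\.exe", cmd, re.I):
            findings.append(f"{key}= launches RECYCLER\\RECYCLER\\autorun.exe: {cmd}")
        if re.search(r"\s-autorun\b", cmd, re.I):
            findings.append(f"{key}= passes -autorun (opens Explorer at the drive root as a decoy)")
    info = parse_inf(desktop_ini).get(".shellclassinfo", {})
    for name in ("clsid", "clsid2"):
        if info.get(name, "").upper() == RECYCLE_BIN_CLSID:
            findings.append(f"desktop.ini {name}= disguises the folder as the Recycle Bin")
    return findings


def triage_mounted_drive(root: str) -> List[str]:
    """Read the two files from a mounted drive root (e.g. 'E:\\') and triage them."""
    base = Path(root)

    def read(p: Path) -> str:
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""

    return triage_removable_drive(read(base / "autorun.inf"),
                                  read(base / "RECYCLER" / "RECYCLER" / "desktop.ini"))


# Constructed samples (not recovered from the malware).
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\RECYCLER\\autorun.exe -autorun
shell\\open\\command=RECYCLER\\RECYCLER\\autorun.exe -autorun
"""
SAMPLE_DESKTOP_INI = """\
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
"""
BENIGN_AUTORUN_INF = """\
[autorun]
icon=setup.exe,0
open=setup.exe
"""

if __name__ == "__main__":
    for finding in triage_removable_drive(SAMPLE_AUTORUN_INF, SAMPLE_DESKTOP_INI):
        print(finding)
    print("benign:", triage_removable_drive(BENIGN_AUTORUN_INF))
```

Run it against a mounted drive with triage_mounted_drive("E:\\"); the parser deliberately accepts forward slashes, mixed case and junk lines, because autorun.inf is read by Windows just as loosely, and a scanner that only matches the exact spelling above would miss trivial variants.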
Payload
Installs Additional Malware
The worm executes the dropped copy 'msmsgs.exe' and may drop the following file:
%TEMP%\windll.exe - this file is detected as Backdoor:Win32/Bifrose.gen!A
The dropped file is then executed, and it may drop a copy of itself as the following:
<system folder>\explorer.exe - this file is also detected as Backdoor:Win32/Bifrose.gen!A
The registry is modified to execute the dropped trojan at each Windows start.
Adds value: "stubpath"
With data: "<system folder>\explorer.exe s"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
Additional registry values and data may be created.
Adds value: "nck"
With data: "..`-´*3r£&w-´*3r"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wget
Adds value: "klg"
With data: "1"
To subkey: HKEY_CURRENT_USER\SOFTWARE\Wget
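A check for the persistence entries above (the "Windows Messenger" Run value from the Installation section and the Active Setup and Wget values listed here), as an added example that is not part of the original analysis. The matching works on a plain mapping of registry values so it can run against data exported from a host or be tested offline; on Windows the same keys can be read live with the standard winreg module. The two snapshots, the function names, and the heuristics that distinguish the dropped msmsgs.exe directly under %windir% from the genuine Windows Messenger under Program Files are this example's assumptions.

```python
"""Check for the registry persistence described above.

Added example, not part of the original analysis. check_persistence() works
on a plain mapping of registry values so it can run against exported data or
be tested offline; collect_live_values() reads the same keys from a running
Windows host with the standard winreg module. The snapshots at the bottom
are constructed for illustration.
"""
import sys
from typing import Callable, Dict, List, Tuple

# (hive, subkey, value name) -> data, as one would export it from a host.
RegValues = Dict[Tuple[str, str, str], str]

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ACTIVE_SETUP_KEY = (r"SOFTWARE\Microsoft\Active Setup\Installed Components"
                    r"\{9B71D88C-C598-4935-C5D1-43AA4DB90836}")
WGET_KEY = r"SOFTWARE\Wget"


def _is_worm_run_entry(data: str) -> bool:
    # The worm's copy sits directly under %windir%; the real Windows Messenger
    # lives under Program Files\Messenger, so the parent directory is the tell.
    d = data.strip().strip('"').lower()
    return d.endswith("\\msmsgs.exe") and not d.endswith("\\messenger\\msmsgs.exe")


def _is_bifrose_stubpath(data: str) -> bool:
    # The genuine shell is %windir%\explorer.exe and is never an Active Setup
    # stub; the dropped backdoor is <system folder>\explorer.exe run with "s".
    return data.strip().lower().endswith("\\explorer.exe s")


# (hive, subkey, value name, predicate on data, description)
INDICATORS: List[Tuple[str, str, str, Callable[[str], bool], str]] = [
    ("HKLM", RUN_KEY, "Windows Messenger", _is_worm_run_entry,
     "Run value 'Windows Messenger' -> msmsgs.exe outside Program Files (Autorun.BO copy)"),
    ("HKLM", ACTIVE_SETUP_KEY, "StubPath", _is_bifrose_stubpath,
     "Active Setup StubPath runs <system folder>\\explorer.exe s (Bifrose)"),
    ("HKLM", WGET_KEY, "nck", lambda d: True, "HKLM\\SOFTWARE\\Wget\\nck present (Bifrose)"),
    ("HKCU", WGET_KEY, "klg", lambda d: True, "HKCU\\SOFTWARE\\Wget\\klg present (Bifrose)"),
]


def check_persistence(values: RegValues) -> List[str]:
    """Return a description for every indicator found in `values`.
    Hive, key path and value name are compared case-insensitively, as the
    registry itself does."""
    norm = {(h.upper(), k.lower(), v.lower()): d for (h, k, v), d in values.items()}
    hits: List[str] = []
    for hive, key, name, predicate, description in INDICATORS:
        data = norm.get((hive, key.lower(), name.lower()))
        if data is not None and predicate(data):
            hits.append(f"{description}: {hive}\\{key}\\{name} = {data!r}")
    return hits


def collect_live_values() -> RegValues:
    """Read only the indicator keys from the live registry (Windows only),
    looking in both the 64-bit and the WOW64 (32-bit) views."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; feed exported values instead")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out: RegValues = {}
    for hive, key, name, _, _ in INDICATORS:
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                with winreg.OpenKey(hives[hive], key, 0, winreg.KEY_READ | view) as h:
                    data, _type = winreg.QueryValueEx(h, name)
            except OSError:
                continue
            out[(hive, key, name)] = str(data)
    return out


# Constructed snapshots (not taken from an infected machine).
INFECTED_SNAPSHOT: RegValues = {
    ("HKLM", RUN_KEY, "Windows Messenger"): r"C:\WINDOWS\msmsgs.exe",
    ("HKLM", ACTIVE_SETUP_KEY, "stubpath"): r"C:\WINDOWS\system32\explorer.exe s",
    ("HKLM", WGET_KEY, "nck"): "..`-´*3r£&w-´*3r",
    ("HKCU", WGET_KEY, "klg"): "1",
}
CLEAN_SNAPSHOT: RegValues = {
    # Real Windows Messenger autostart entry, which must not be flagged.
    ("HKCU", RUN_KEY, "MSMSGS"): r'"C:\Program Files\Messenger\msmsgs.exe" /background',
}

if __name__ == "__main__":
    values = collect_live_values() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for hit in check_persistence(values):
        print(hit)
```

Active Setup runs a StubPath once per user at logon, which is why a value under Installed Components is a persistence location worth enumerating alongside the Run keys; the 32-bit view is queried too because a 32-bit dropper on a 64-bit host writes HKLM\SOFTWARE\Wget under Wow6432Node.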
Win32/Autorun.BO may inject code into the now-running trojan process 'explorer.exe' (the dropped copy in the system folder, not the genuine Windows shell). The trojan (identified as Backdoor:Win32/Bifrose.gen!A) may then attempt to contact the following remote sites over TCP port 80:
christophe.oicp.net
aliyilmaz.vicp.net
nakaambo.vicp.net
Additional Information
This worm may use a file icon resembling that of Windows Messenger.
Analysis by Cristian Craioveanu