Worm:Win32/Autorun.CH is a worm that spreads by dropping copies of itself onto all available removable drives. It also drops other malware and modifies system security settings.
Installation
When run, Worm:Win32/Autorun.CH copies itself to the following:
- %windir%\fonts\fonts.exe
- %windir%\fonts\tskmgr.exe
- %windir%\help\microsoft.hlp
- %windir%\media\rndll32.pif
- %windir%\pchealth\global.exe
- %windir%\pchealth\helpctr\binaries\helphost.com
- %windir%\system\keyboard.exe
- <system folder>\dllcache\default.exe
- <system folder>\dllcache\global.exe
- <system folder>\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe
- <system folder>\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe
- <system folder>\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe
- <system folder>\dllcache\svchost.exe
- <system folder>\drivers\drivers.cab.exe
- <system folder>\regedit.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, and 7 it is "C:\Windows".
The malware modifies the following registry entries to ensure that its copy runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "%windir%\system\keyboard.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "sys"
With data: "%windir%\fonts\fonts.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "(default)"
With data: "<system folder>\dllcache\default.exe"
The malware modifies the following registry entries so that a copy of the worm is run whenever a file with an .msc or .reg extension is opened:
In subkey: HKLM\SOFTWARE\Classes\MSCFile\Shell\Open\Command
Sets value: "(default)"
With data: "%windir%\pchealth\global.exe"
In subkey: HKLM\SOFTWARE\Classes\regfile\Shell\Open\Command
Sets value: "(default)"
With data: "%windir%\pchealth\global.exe"
The malware modifies the following registry entries so that the worm will run instead of Task Manager and other legitimate system applications:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe
Sets value: "Debugger"
With data: "<system folder>\drivers\drivers.cab.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe
Sets value: "Debugger"
With data: "<system folder>\drivers\drivers.cab.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Sets value: "Debugger"
With data: "<system folder>\drivers\drivers.cab.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
Sets value: "Debugger"
With data: "%windir%\fonts\fonts.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
Sets value: "Debugger"
With data: "%windir%\fonts\fonts.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Sets value: "Debugger"
With data: "%windir%\media\rndll32.pif"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Sets value: "Debugger"
With data: "%windir%\pchealth\helpctr\binaries\helphost.com"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Sets value: "Debugger"
With data: "%windir%\fonts\tskmgr.exe"
The malware modifies the following registry entry so that the worm will run instead of your screensaver:
In subkey: HKCU\Control Panel\Desktop
Sets value: "SCRNSAVE.EXE"
With data: "%windir%\pchealth\helpctr\binaries\helphost.com"
Spreads via…
Removable and network drives
When run, Worm:Win32/Autorun.CH copies itself as "ms-dos.com" to the root directory of all removable and network drives.
It also places an "autorun.inf" file, detected as Worm:Win32/Autorun.JQ!inf, in the root directory of the targeted removable or network drive. Such files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
It should be noted that "autorun.inf" files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
Payload
Drops other malware
Worm:Win32/Autorun.CH drops the following files onto your computer:
- %windir%\cursors\boom.vbs - detected as Trojan:VBS/Autorun.A
- <system folder>\dllcache\autorun.inf - detected as Worm:Win32/Autorun.JQ!inf
Modifies system security settings
Worm:Win32/Autorun.CH modifies your computer's security settings by making a number of changes to the registry.
It prevents files with the extension .com or .exe from having their extension displayed in Windows Explorer:
In subkey: HKLM\SOFTWARE\Classes\comfile
Sets value: "NeverShowExt"
With data: "1"
In subkey: HKLM\SOFTWARE\Classes\exefile
Sets value: "NeverShowExt"
With data: "1"
It prevents your computer from displaying messages reminding you to wait while your computer starts or shuts down, or while you log on or off:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableStatusMessages"
With data: "1"
It changes the group policy settings of your computer:
In subkey: HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0
Sets value: "DisplayName"
With data: "local group policy"
In subkey: HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0
Sets value: "Parameters"
With data: "0"
In subkey: HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0
Sets value: "DisplayName"
With data: "local group policy"
In subkey: HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0
Sets value: "Parameters"
With data: "0"
In subkey: HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0
Sets value: "DisplayName"
With data: "local group policy"
In subkey: HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0
Sets value: "Parameters"
With data: "0"
Additional information
Worm:Win32/Autorun.CH also modifies the following registry entries that do not adversely affect your computer:
In subkey: HKLM\SOFTWARE\Classes\.vbs
Sets value: "(default)"
With data: "vbsfile"
In subkey: HKCU\Software\VB and VBA Program Settings\trial version\trial
Sets value: "date1"
With data: "8/2/2011"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Sets value: "ValueName"
With data: "showsuperhiden"
Related encyclopedia entries
Worm:Win32/Autorun.JQ!inf
Trojan:VBS/Autorun.A
Analysis by Hyun Choi