Installation
Upon execution, Worm:Win32/Autorun.CS copies itself to the following locations, with the file attributes of each copy set to 'hidden':
<system folder>\csrs.exe
<system folder>\javamachine.exe
%windir%\winsys\svchosl.exe
The worm modifies the registry so that the dropped copy is executed at each Windows start.
Adds value: "SunJavaUp"
With data: "<system folder>\javamachine.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The worm also creates small data files, 60 bytes in size, in %windir%\winsys. The files have random eight-character names with various file extensions such as .exe, .dll, .sys and .jpg, as in the following examples:
%windir%\winsys\mrqktovh.exe
%windir%\winsys\ialdosdw.exe
%windir%\winsys\xxdnvdys.exe
%windir%\winsys\nutxcnuo.exe
%windir%\winsys\dskiixqk.exe
%windir%\winsys\abgbebyy.sys
%windir%\winsys\pywlkluu.sys
%windir%\winsys\kqaxxqhl.sys
The content of each data file is a string of 0 and 1 digits, as in the following example:
0000000101001010100101001101100001010010101010010100101010
Spreads Via...
Removable Drives
Worm:Win32/Autorun.CS may copy itself to removable drives as an executable file. The worm then writes an autorun configuration file named 'autorun.inf' in the root of the drive, pointing to the worm copy. When the drive is accessed from another machine on which the Autorun feature is enabled, the worm copy is launched automatically.
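The following PowerShell function is an added example and is not code from this encyclopedia entry. It lists every autorun.inf present on removable volumes (or on drive roots passed in explicitly) and the program each one would launch, which is the check a responder wants before a drive from a suspect machine is opened anywhere else. The function name, the 64-byte limits and the parsing of the open=, shellexecute= and shell\<verb>\command= entries are this example's own; Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example, not code from the encyclopedia entry. Assumes Windows PowerShell 5.1 or later.
# Reports the program that each autorun.inf on a removable drive would launch, together with the
# attributes of that file, so a hidden worm copy like the one described above is visible before
# the drive is opened on a host that still has Autorun enabled.
function Get-AutorunInfTargets {
    param(
        # Drive roots to inspect; by default every removable (DriveType 2) volume, e.g. 'E:\'
        [string[]]$Roots = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
                             ForEach-Object { $_.DeviceID + '\' })
    )
    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force reads the file even when the worm has set its hidden/system attributes
        foreach ($line in (Get-Content -LiteralPath $inf -Force)) {
            # Entries that cause a program to run: open=, shellexecute=, shell\<verb>\command=
            if ($line -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
                $entry  = $Matches[1]
                $target = $Matches[2]
                # Keep only the program path: a quoted path, or the first whitespace-delimited token
                $exe = if ($target -match '^"([^"]+)"') { $Matches[1] } else { ($target -split '\s+')[0] }
                $full = Join-Path $root $exe
                $attrs = if (Test-Path -LiteralPath $full) {
                    (Get-Item -LiteralPath $full -Force).Attributes
                } else {
                    'missing'
                }
                [pscustomobject]@{
                    Drive      = $root
                    Entry      = $entry
                    Target     = $target
                    Attributes = $attrs
                }
            }
        }
    }
}

# Usage: inspect all removable drives, or one specific root
Get-AutorunInfTargets | Format-Table -AutoSize
Get-AutorunInfTargets -Roots 'E:\' | Format-Table -AutoSize
```

A worm copy dropped this way typically shows up as Hidden, System or both in the Attributes column. Note that Autorun for non-optical removable media has been disabled by default since Windows 7 and the corresponding update for earlier versions, so this spreading method only succeeds on hosts where that default has been reverted.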
Payload
Modifies system settings
The worm disables Task Manager by setting the following policy value:
Adds value: "DisableTaskmgr"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
The worm also prevents Explorer from displaying files that have the "hidden" attribute, which conceals its own dropped copies, by setting the "Hidden" option to "do not show hidden files and folders":
Adds value: "Hidden"
With data: "2"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
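The following PowerShell script is an added example, not code from this encyclopedia entry. It checks every artifact listed under Installation (the three dropped copies, the 60-byte 0/1 data files in %windir%\winsys, and the SunJavaUp Run value) and under Payload (the DisableTaskmgr and Hidden values), and optionally reverses them. The function names and the size-and-content heuristic used to recognise the randomly named data files are this example's own; every path and registry value is taken from the sections above. It assumes Windows PowerShell 5.1 or later from an elevated prompt, because HKLM and the Windows folder require administrator rights.

```powershell
# Added example, not code from the encyclopedia entry. Assumes Windows PowerShell 5.1 or later
# run as Administrator. Function names and the data-file heuristic are this example's own.
$SystemFolder = [Environment]::GetFolderPath('System')   # the <system folder>, e.g. C:\Windows\System32
$WinSys       = Join-Path $env:windir 'winsys'

# Dropped copies and persistence value from the Installation section
$DroppedCopies = @(
    (Join-Path $SystemFolder 'csrs.exe'),
    (Join-Path $SystemFolder 'javamachine.exe'),
    (Join-Path $WinSys 'svchosl.exe')
)
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName = 'SunJavaUp'

# Policy values from the Payload section, with the value each should get on cleanup
$Policies = @(
    # DisableTaskmgr=1 blocks Task Manager; the value is removed on cleanup (Fix = $null)
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskmgr'; Bad = 1; Fix = $null },
    # Hidden=2 hides hidden files in Explorer; 1 restores "show hidden files and folders"
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden'; Bad = 2; Fix = 1 }
)

function Get-AutorunCSIndicators {
    $hits = @()
    foreach ($path in $DroppedCopies) {
        if (Test-Path -LiteralPath $path) {
            $attrs = (Get-Item -LiteralPath $path -Force).Attributes
            $hits += [pscustomobject]@{ Type = 'DroppedCopy'; Location = $path; Detail = $attrs }
        }
    }
    # The data files have random names, so match on size (about 60 bytes) and 0/1 content
    if (Test-Path -LiteralPath $WinSys) {
        foreach ($f in (Get-ChildItem -LiteralPath $WinSys -File -Force)) {
            if ($f.Length -gt 64) { continue }
            $text = [IO.File]::ReadAllText($f.FullName).Trim()
            if ($text -match '^[01]+$') {
                $hits += [pscustomobject]@{ Type = 'DataFile'; Location = $f.FullName; Detail = "$($f.Length) bytes" }
            }
        }
    }
    $run = Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
    if ($run) {
        $hits += [pscustomobject]@{ Type = 'RunValue'; Location = "$RunKey\$RunName"; Detail = $run.$RunName }
    }
    foreach ($p in $Policies) {
        $v = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($p.Name) -eq $p.Bad) {
            $hits += [pscustomobject]@{ Type = 'Policy'; Location = "$($p.Key)\$($p.Name)"; Detail = $v.($p.Name) }
        }
    }
    return $hits
}

function Remove-AutorunCSIndicators {
    # Stop running copies first; otherwise the files cannot be deleted and the Run value is re-created
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($DroppedCopies -contains $_.Path) } |
        Stop-Process -Force
    foreach ($hit in Get-AutorunCSIndicators) {
        switch ($hit.Type) {
            'DroppedCopy' { Remove-Item -LiteralPath $hit.Location -Force }
            'DataFile'    { Remove-Item -LiteralPath $hit.Location -Force }
            'RunValue'    { Remove-ItemProperty -Path $RunKey -Name $RunName }
            'Policy'      {
                $p = $Policies | Where-Object { "$($_.Key)\$($_.Name)" -eq $hit.Location }
                if ($null -eq $p.Fix) { Remove-ItemProperty -Path $p.Key -Name $p.Name }
                else { Set-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Fix -Type DWord }
            }
        }
    }
}

Get-AutorunCSIndicators | Format-Table -AutoSize
# Remove-AutorunCSIndicators   # run after reviewing the list above
```

Two caveats apply. The two policy values live under HKCU, so the script only sees the hive of the user running it; other profiles on the machine must be checked by running it as each user or by loading their NTUSER.DAT under HKEY_USERS. And this only reverses the artifacts documented on this page; any removable drive that was connected to the host should be checked for autorun.inf as well, and a full antimalware scan should follow the cleanup.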
Analysis by Wei Li