Worm:Win32/Autorun.FC is a worm that spreads via removable drives and attempts to download files from a remote Web address.
Installation
When Win32/Autorun.FC is run, it drops the following files:
%TEMP%\6d73776d706461742e746c62fa.tmp - copy of the worm
<system folder>\<random name>.dll - copy of the worm
<system folder>\mssysmgr.ocx - encrypted data file
<system folder>\mswmpdat.tlb - encrypted data file
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
The files mssysmgr.ocx and mswmpdat.tlb record the installation and location information of the worm. The registry is modified to run Win32/Autorun.FC at each Windows start.
Adds value: "@"
With data: "<system folder>\<random name>.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32
Adds value: "@"
With data: "Java.Runtime.52"
To subkey: HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
Adds value: "ThreadingModel"
With data: "Apartment"
To subkey: HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}
Adds value: "ID"
With data: "00 03 FF 88 A2 6E 00 00"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg
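The dropped files and registry values listed above are the host-based indicators a responder would sweep for. The following is an added example (not part of this write-up and not a Microsoft tool) that matches a file listing and a set of exported registry values against those indicators. Because <system folder> and <random name> vary per infection, the random DLL name is matched by pattern through the InprocServer32 default value rather than by name; the host snapshot at the bottom, including the DLL name kb7q3x.dll, is constructed for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

# Indicators taken from the write-up. <system folder> and <random name> vary,
# so those parts are regular expressions; the rest is matched literally and
# case-insensitively (Windows paths and registry names are case-insensitive).
CLSID_INPROC = r"HKLM\SOFTWARE\Classes\CLSID\{8F147B28-EF39-44A0-B6EC-3CC6F2F08794}\InprocServer32"
CLSID_JAVA = r"HKLM\Software\Classes\CLSID\{FBC38650-8B81-4BE2-B321-EEFF22D7DC62}"
STRTD_CFG = r"HKLM\Software\Microsoft\Windows\CurrentVersion\StrtdCfg"

# (subkey, value name, regex the data must fully match, reason)
REGISTRY_IOCS = [
    (CLSID_INPROC, "@", r".*\\[^\\]+\.dll", "InprocServer32 default value points at the dropped DLL"),
    (CLSID_JAVA, "@", r"Java\.Runtime\.52", "bogus 'Java.Runtime.52' CLSID"),
    (CLSID_JAVA, "ThreadingModel", r"Apartment", "ThreadingModel under the bogus CLSID"),
    (STRTD_CFG, "ID", r"00 03 FF 88 A2 6E 00 00", "StrtdCfg marker value"),
]

# Dropped files that have fixed names; matched on the last path component.
DROPPED_FILE_NAMES = {
    "6d73776d706461742e746c62fa.tmp": "copy of the worm in %TEMP%",
    "mssysmgr.ocx": "encrypted data file",
    "mswmpdat.tlb": "encrypted data file",
}


def _norm_key(key: str) -> str:
    """Fold HKEY_LOCAL_MACHINE/HKLM spellings and case so keys compare equal."""
    key = key.strip().rstrip("\\")
    if key.upper().startswith("HKEY_LOCAL_MACHINE"):
        key = "HKLM" + key[len("HKEY_LOCAL_MACHINE"):]
    return key.lower()


def _norm_name(name: str) -> str:
    """The default value is written '@' in .reg exports and '' or '(default)' elsewhere."""
    return "@" if name.strip().lower() in ("", "@", "(default)") else name.strip().lower()


def scan_registry(values: Iterable[Tuple[str, str, str]]) -> List[str]:
    """values: (subkey, value name, data) triples exported from a host."""
    findings = []
    for subkey, name, data in values:
        for ioc_key, ioc_name, ioc_pattern, why in REGISTRY_IOCS:
            if (_norm_key(subkey) == _norm_key(ioc_key)
                    and _norm_name(name) == _norm_name(ioc_name)
                    and re.fullmatch(ioc_pattern, data, re.I)):
                findings.append(f"registry: {subkey}\\{name} = {data!r} ({why})")
    return findings


def scan_files(paths: Iterable[str]) -> List[str]:
    findings = []
    for path in paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_FILE_NAMES:
            findings.append(f"file: {path} ({DROPPED_FILE_NAMES[base]})")
    return findings


# Constructed snapshot of an infected host (not real telemetry). kb7q3x.dll
# stands in for the <random name>.dll and is only caught via the registry.
SAMPLE_FILES = [
    r"C:\Documents and Settings\user\Local Settings\Temp\6d73776d706461742e746c62fa.tmp",
    r"C:\WINDOWS\system32\kb7q3x.dll",
    r"C:\WINDOWS\system32\mssysmgr.ocx",
    r"C:\WINDOWS\system32\mswmpdat.tlb",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_REGISTRY = [
    (CLSID_INPROC, "@", r"C:\WINDOWS\system32\kb7q3x.dll"),
    (CLSID_JAVA, "", "Java.Runtime.52"),
    (CLSID_JAVA, "ThreadingModel", "Apartment"),
    (STRTD_CFG, "ID", "00 03 FF 88 A2 6E 00 00"),
    # Unrelated CLSID with a common value: must not be flagged.
    (r"HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}", "ThreadingModel", "Apartment"),
]


def demo() -> List[str]:
    return scan_files(SAMPLE_FILES) + scan_registry(SAMPLE_REGISTRY)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a live host the two input lists would come from a file-system walk of %TEMP% and the System folder and from a `reg export` of the three subkeys; the randomly named DLL is recovered from the InprocServer32 finding and can then be collected for analysis.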
Spread Via
Removable Drives
Once installed, Worm:Win32/Autorun.FC injects malicious code into the Internet Explorer process (iexplore.exe). The injected code creates a copy of Win32/Autorun.FC on each removable drive as a randomly named file with a .DLL file extension and writes an autorun configuration file named 'autorun.inf' that points to the worm copy.
When the removable or networked drive is accessed from another machine with the Autorun feature enabled, the malware is launched automatically.
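The autorun.inf described above is the artifact a removable-media scanner can inspect before the drive is ever opened. The following is an added example (not part of this write-up) that parses an autorun.inf and flags any launch key whose command loads a .dll, which is the form the worm copy takes. The write-up does not reproduce the worm's own autorun.inf, so the suspicious sample below is constructed; its use of rundll32.exe is one plausible way an autorun.inf can launch a DLL, not a detail taken from the page, and kb7q3x.dll stands in for the random name. The set of keys treated as launch keys (open, shellexecute, shell\<verb>\command) is taken from the documented [autorun] section format.

```python
import re
from typing import Dict, List, Tuple

# Keys in the [autorun] section whose value Windows runs as a command line.
EXEC_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# A token ending in .dll inside a command line (bare name or full path).
DLL_REF_RE = re.compile(r"[\w\-\.%~\\:]+\.dll\b", re.I)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section; keys are lowercased."""
    section = None
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def assess_autorun(text: str) -> List[Tuple[str, str, str]]:
    """Flag launch keys that load a DLL. icon= and label= are ignored even when
    they name a .dll, since those keys cannot execute code."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not EXEC_KEY_RE.match(key):
            continue
        m = DLL_REF_RE.search(value)
        if m:
            findings.append((key, value, f"launch key loads a DLL ({m.group(0)})"))
    return findings


# Constructed sample in the shape the write-up describes: a launch command that
# loads a randomly named DLL dropped on the drive. rundll32 usage is assumed.
SUSPICIOUS_INF = r"""[autorun]
; constructed example, not the worm's actual file
open=rundll32.exe kb7q3x.dll,Install
shell\open\command=rundll32.exe kb7q3x.dll,Install
icon=%SystemRoot%\system32\shell32.dll,4
label=USB DISK
"""

# Constructed benign sample: an installer launcher with a normal icon entry.
BENIGN_INF = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Tools
"""


if __name__ == "__main__":
    for name, inf in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(name, assess_autorun(inf) or "no findings")
```

The icon= line in the suspicious sample deliberately references shell32.dll and is not reported, which keeps the check from flagging every drive that uses a system icon. The scan only helps on hosts that still honour autorun.inf; setting the NoDriveTypeAutoRun policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables the automatic launch for all drive types, which is the mitigation for the behaviour described above.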
Payload
Downloads Files
Worm:Win32/Autorun.FC attempts to download unwanted software from the domain 'worldnews.ath.cx'.
Analysis by Tim Liu