Threat behavior
Worm:Win32/Autorun.HO is a worm that spreads via logical drives. It also disables autorun in the infected system to prevent other Autorun worm infections in the future.
Installation
Win32/Autorun.HO!bat is dropped by Win32/Autorun.HO. The worm activates when a user connects an infected drive to a Spanish-language version of Windows with Autoplay enabled. Upon execution, Worm:Win32/Autorun.HO copies itself as %TEMP%\1.tmp\b2e.exe and runs the dropped copy, which in turn drops the following batch file:
%TEMP%\batfile.bat - detected as Worm:Win32/Autorun.HO!bat
Win32/Autorun.HO!bat contains the worm code and payload and is run via a command shell. When the batch script runs, it copies '%TEMP%\1.tmp\b2e.exe' as 'C:\WINDOWS\system32\afido.exe' using XCOPY.EXE and then uses REG.EXE to modify the registry to run 'afido.exe' at each Windows start.
Adds value: "opesys"
With data: "C:\WINDOWS\system32\afido.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via
Logical Drives
Win32/Autorun.HO!bat copies 'C:\WINDOWS\system32\afido.exe' to every writable drive from D: to Z: as <drive:>\afido.exe and then writes an autorun configuration file named 'autorun.inf' pointing to '<drive:>\afido.exe'. Next, the batch script sets the file attributes of 'afido.exe' and 'autorun.inf' to 'hidden' and 'system' using ATTRIB.EXE.
When the infected removable or network drive is accessed from another Spanish-language Windows machine with the Autorun feature enabled, the malware is launched automatically. The file 'autorun.inf' is detected as Worm:Win32/Autorun.HO!inf.
Payload
Modifies System Settings
Worm:Win32/Autorun.HO modifies settings of the current system to disable Autorun. This is presumably to prevent future infections by other Autorun worms.
Adds value: "@"
With data: "@SYS:DoesNotExist"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
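As a defender's triage check, the following PowerShell script is an added example (not part of this write-up or Microsoft's tooling) that looks for the artifacts described in the Spreads via and Payload sections: the 'opesys' Run value, the dropped copy in system32, hidden+system 'afido.exe'/'autorun.inf' on drives D: to Z:, and the IniFileMapping entry. The file names, registry paths and values are taken from this entry; the script logic and its output wording are assumptions of the example.

```powershell
# Added triage script: reports Worm:Win32/Autorun.HO indicators on a Windows host.
# Run from an elevated PowerShell session; read-only, it changes nothing.
$findings = @()

# 1. Persistence: HKCU Run value "opesys" pointing at afido.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runItem = Get-Item -Path $runKey -ErrorAction SilentlyContinue
$opesys = if ($runItem) { $runItem.GetValue('opesys') } else { $null }
if ($opesys) { $findings += "Run value 'opesys' present: $opesys" }

# 2. Dropped copy in the system directory
$sysCopy = Join-Path $env:SystemRoot 'system32\afido.exe'
if (Test-Path -LiteralPath $sysCopy) { $findings += "Dropped file present: $sysCopy" }

# 3. Spreading artefacts on drives D: through Z: (ASCII 68..90), hidden+system
foreach ($code in 68..90) {
    $root = "$([char]$code):\"
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($name in 'afido.exe', 'autorun.inf') {
        # -Force is required so that hidden/system files are returned
        $item = Get-Item -LiteralPath (Join-Path $root $name) -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $system = ($item.Attributes -band [IO.FileAttributes]::System) -ne 0
            $findings += "$($item.FullName) present (hidden=$hidden, system=$system)"
        }
    }
}

# 4. IniFileMapping entry that disables autorun.inf processing.
#    The "@" in the write-up is REG syntax for the key's default value,
#    which GetValue('') returns.
$iniKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$iniItem = Get-Item -Path $iniKey -ErrorAction SilentlyContinue
$iniDefault = if ($iniItem) { $iniItem.GetValue('') } else { $null }
if ($iniDefault -eq '@SYS:DoesNotExist') {
    $findings += "IniFileMapping\Autorun.inf default is '@SYS:DoesNotExist' (autorun.inf processing disabled)"
}

if ($findings.Count -eq 0) { 'No Worm:Win32/Autorun.HO indicators found.' } else { $findings }
```

Note that the IniFileMapping entry on its own is also a common legitimate hardening setting, so treat it as corroborating evidence only when the file or Run-key indicators are present as well.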
Analysis by Cristian Craioveanu
Prevention