Worm:Win32/Autorun.PG is a worm that spreads by copying itself into available drives.
Installation
Upon execution, Worm:Win32/Autorun.PG drops the following files with the hidden attribute:
- <system folder>\Restore\SVCHOST.EXE - copy of itself
- <system folder>\Restore\AutoRun.inf - initialization file that triggers execution of this worm if Autorun is enabled
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
Note also that a legitimate Windows file named SVCHOST.EXE exists in <system folder> itself; the worm's copy lives in the Restore subfolder, so the full path, not the file name, distinguishes the two.
It then modifies the system registry so that it automatically runs its copy every time Windows starts:
Adds value: "SVCHOST"
With data: "<system folder>\Restore\SVCHOST.EXE"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry entries as part of its installation routine:
Adds value: "RegisteredOrganization"
With data: "Poison mp3"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Adds value: "RegisteredOwner"
With data: "01 Avril 2007"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Spreads Via...
Logical Drives
Worm:Win32/Autorun.PG enumerates all available drives, and drops the following files in the root folder of all drives found:
- Autorun.exe - copy of itself
- Autorun.inf - identical to the initialization file dropped in the Installation section above
Payload
Modifies System Settings
Autorun.PG modifies Explorer settings so that hidden files, including its own dropped files, are not displayed:
Adds value: "Hidden"
With data: "dword:00000000"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "ShowSuperHidden"
With data: "dword:00000000"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
It also disables the use of registry tools:
Adds value: "DisableRegistryTools"
With data: "dword:00000001"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
It also disables the ability to bypass startup programs by holding Shift during logon (which would otherwise skip this worm's Run entry once installed):
Adds value: "IgnoreShiftOveride"
With data: "dword:00000001"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
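The following read-only audit script is an added example, not part of the original analysis: it checks a host for the registry values and dropped files listed above, resolving <system folder> at run time and treating the Run entry as suspicious only when its data points under the Restore subfolder (the legitimate SVCHOST.EXE is never there). The value names, data and paths are taken from this page; the script's structure is an assumption of how a responder would check them.

```powershell
# Added example (not from the original analysis): read-only audit for the
# Worm:Win32/Autorun.PG indicators described above. Reports only; nothing is removed.
$sys = [Environment]::GetFolderPath('System')   # resolves <system folder>
$findings = @()

# Registry indicators: key, value name, and the data the worm writes.
# Data is matched with -like, so the Run entry can use a wildcard on the path.
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SVCHOST'; Data = '*\Restore\SVCHOST.EXE' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'; Name = 'RegisteredOrganization'; Data = 'Poison mp3' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'; Name = 'RegisteredOwner'; Data = '01 Avril 2007' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden'; Data = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Data = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'; Name = 'DisableRegistryTools'; Data = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'IgnoreShiftOveride'; Data = 1 }
)
foreach ($c in $regChecks) {
    # Missing key or value: nothing to report for this check.
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $actual = $item.($c.Name)
    # -like is case-insensitive, so SVCHOST.EXE and svchost.exe both match;
    # the legitimate svchost.exe sits directly in $sys, never in $sys\Restore.
    if ($actual -like $c.Data) {
        $findings += "registry: $($c.Key)\$($c.Name) = $actual"
    }
}

# Dropped files carry the hidden attribute, so enumerate with -Force.
$paths = @((Join-Path $sys 'Restore\SVCHOST.EXE'), (Join-Path $sys 'Restore\AutoRun.inf'))
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    # The worm drops a copy plus Autorun.inf in the root of every drive it finds.
    $paths += (Join-Path $d.Root 'Autorun.exe'), (Join-Path $d.Root 'Autorun.inf')
}
foreach ($p in $paths) {
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
        $findings += "file: $p"
    }
}

if ($findings.Count -eq 0) { 'No Autorun.PG indicators found.' } else { $findings }
```

Run it in an elevated PowerShell session so the HKLM policy and Winlogon keys are readable; a match on the Run entry or the Restore subfolder files is the strongest signal, since Hidden=0 on its own can also result from a user changing Explorer settings.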
Analysis by Jireh Sanico