Worm:Win32/Folstart.A is a worm that spreads through removable drives and modifies some system settings.
Installation
Upon execution, Worm:Win32/Folstart.A creates a copy of itself as the following file:
%APPDATA%\Start\update.exe
Copying the file to this location also enables it to execute at each Windows start.
Worm:Win32/Folstart.A also creates the following hidden folders:
- %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
- %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom
- %APPDATA%\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr
Worm:Win32/Folstart.A also uses a folder icon as its file icon, so that its copies resemble folders in Windows Explorer.
Spreads Via...
Removable drives
Worm:Win32/Folstart.A queries the following registry entry to determine whether any USB devices are connected to the computer and, if so, how many:
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum
If a USB device is found, the worm searches the drive for existing folders and copies itself to the drive using each folder's name, without an extension. For example, if the USB drive has a folder named "New Folder", the worm copies itself to the USB drive as an executable named "New Folder", without an extension. Combined with its folder icon, this is intended to mislead users into running the copy in the belief that it is the folder.
It also creates the following hidden folders on the USB drive:
- <drive>\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
- <drive>\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr
Payload
Modifies system settings
Worm:Win32/Folstart.A modifies system settings by making the following registry modifications:
- Sets the following so that hidden files are not shown in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "2"
- Sets the following in order to hide file extensions when files are viewed using Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
- Sets the following so that hidden operating system files are not displayed in Windows Explorer:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
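As an added defender-side example (not part of this write-up and not a Microsoft tool), the following Python script checks a mounted drive for the two removable-drive indicators described above, an extensionless file carrying an executable "MZ" header and the SID-like marker folder, and reports which Explorer\Advanced values match the worm's settings. The sample drive it builds is constructed for the demonstration; reading the live registry values (for example with winreg) is left to the caller.

```python
import os
import tempfile

# Explorer\Advanced values the write-up says the worm sets, keyed by value name.
FOLSTART_EXPLORER_VALUES = {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0}
# SID-like folder name the worm creates under %APPDATA% and under <drive>\Usb 2.0 Driver.
FOLSTART_MARKER_DIR = "S-1-5-31-1286970278978-5713669491-166975984-320"


def explorer_values_tampered(current):
    """Names of Explorer\\Advanced values that equal the worm's settings.
    `current` maps value name -> DWORD, as read from HKCU by the caller."""
    return sorted(n for n, v in FOLSTART_EXPLORER_VALUES.items() if current.get(n) == v)


def scan_removable_drive(root):
    """Walk a drive and return (indicator, path) pairs for:
    - extensionless files whose first two bytes are the 'MZ' DOS header,
      i.e. an executable relying on a folder icon to pass as a folder;
    - the SID-like marker directory the worm creates on the drive."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if FOLSTART_MARKER_DIR in dirnames:
            findings.append(("marker_dir", os.path.join(dirpath, FOLSTART_MARKER_DIR)))
        for name in filenames:
            if os.path.splitext(name)[1]:
                continue  # has an extension; not the disguise described
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    is_pe = fh.read(2) == b"MZ"
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
            if is_pe:
                findings.append(("extensionless_pe", path))
    return sorted(findings)


def build_sample_drive():
    """Constructed sample imitating an infected USB stick (no real malware involved)."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "Photos"))
    os.makedirs(os.path.join(root, "Usb 2.0 Driver", FOLSTART_MARKER_DIR, "dmc"))
    with open(os.path.join(root, "New Folder"), "wb") as fh:  # disguised "folder"
        fh.write(b"MZ" + b"\x00" * 62)  # only the header matters for the check
    with open(os.path.join(root, "Photos", "README"), "wb") as fh:  # benign, no extension
        fh.write(b"holiday pictures\n")
    return root


if __name__ == "__main__":
    for kind, path in scan_removable_drive(build_sample_drive()):
        print(kind, path)
    print(explorer_values_tampered({"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 1}))
```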
Analysis by Amir Fouda