Installation
Upon execution, this threat drops a heavily obfuscated copy of its malicious AutoIt (AU3) script, disguised with a .zip extension, as: C:\AntiShortCut\AntiUsbShortCut.zip
It creates the following files:
- C:\AntiShortCut\AntiUsb.exe - a clean, legitimate AutoIt interpreter executable, used to run the AU3 malware script
- C:\AntiShortCut\BrowsingHistoryView.exe - a binary that reads browser history and logs it to a file
- C:\AntiShortCut\BrowsingHistoryView.txt - the log file, containing one entry per URL visited
Numerous copies of a shortcut (.lnk) file with the following command line are dropped in different folders:
- \WINDOWS\system32\cmd.exe /c start \AntiShortCut\AntiUsb.exe% "C:\AntiShortCut\AntiUsbShortCut.zip"
This threat also walks the subfolders of the current directory and creates copies of the shortcut, each of which launches the worm. Sample paths and file names include:
- %Startup%\AntiShortCutUpdate.lnk
- %Startup%\AntiUsbWormUpdate.lnk
- C:\AntiShortCut\AntiShortCut.lnk
- Music.lnk
- My documents.lnk
- My downloads.lnk
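The dropped shortcuts are the worm's infection vector, so a responder triaging a USB drive or a share wants to read the command line out of each .lnk without clicking it. The following is an added example, not code from the page or from the worm: a minimal Shell Link (MS-SHLLINK) parser that extracts the StringData fields (relative path, working directory, arguments) and flags shortcuts that run cmd.exe /c start against the AutoIt runner and script named above. The sample .lnk blobs are constructed in-code with a small builder (no LinkTargetIDList or LinkInfo sections); the real shortcuts may carry those sections, which the parser skips by size.

```python
import re
import struct

# Shell Link (.lnk) constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order when their flag is set.
STRING_DATA = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Indicators taken from the dropped shortcut command line described above.
WORM_IOCS = ("antiusb.exe", "antiusbshortcut.zip")


def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields (target path, arguments, ...) from a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the IDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo: its 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def is_worm_shortcut(fields: dict) -> bool:
    """True when the shortcut launches cmd.exe /c start against the worm's AutoIt runner."""
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    launches_via_cmd = target.endswith("cmd.exe") and re.search(r"/c\s+start\b", args) is not None
    return launches_via_cmd and any(ioc in args for ioc in WORM_IOCS)


def build_lnk(relative_path: str, arguments: str = "", working_dir: str = "") -> bytes:
    """Build a minimal Unicode .lnk (constructed test input; no IDList or LinkInfo)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    parts = [(HAS_RELATIVE_PATH, relative_path)]
    if working_dir:
        flags |= HAS_WORKING_DIR
        parts.append((HAS_WORKING_DIR, working_dir))
    if arguments:
        flags |= HAS_ARGUMENTS
        parts.append((HAS_ARGUMENTS, arguments))
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # archive attr, SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for _, s in parts)
    return header + body


# Constructed samples: one modelled on the worm's command line, one benign shortcut.
WORM_LNK = build_lnk(r"\WINDOWS\system32\cmd.exe",
                     r'/c start C:\AntiShortCut\AntiUsb.exe "C:\AntiShortCut\AntiUsbShortCut.zip" & exit')
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe",
                       working_dir=r"C:\Program Files\Notepad++")

if __name__ == "__main__":
    for label, blob in (("worm", WORM_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, is_worm_shortcut(f), f.get("relative_path"), f.get("arguments", ""))
```

To sweep a drive, read each *.lnk into bytes and pass it through parse_lnk and is_worm_shortcut; the check keys on the AutoIt runner and script names from this page, so broaden WORM_IOCS for variants that rename them.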
It also attempts to locate the following network shares and drives and to copy itself to them:
- ADMIN$
- C:\
- C:\WINDOWS
- Default share
- IPC$
- Remote Admin
- Remote IPC
It also checks for the following paths, which are typical of malware analysis sandboxes, and exits if any of them is present:
- C:\cuckoo
- C:\CWSandbox
- C:\python26
It also checks whether any of the following processes (antivirus products and the VMware tools helper vmacthlp.exe) is running, and exits if one is found:
- avguard.exe
- avp.exe
- kavsvc.exe
- vmacthlp.exe
- zonealarm.exe
Payload
Connects to a remote host
We have seen this threat connect to a remote host, including:
Malware can connect to a remote host to do any of the following:
- Check for an Internet connection
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a malicious hacker
- Search for your PC location
- Upload information taken from your PC
- Validate a digital certificate
Modifies your settings without your consent
This threat modifies your registry entries so that it runs each time you start your PC. For example:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "AntiShortCutUpdate"
With data: C:\AntiShortCut\AntiUsb.exe "C:\AntiShortCut\AntiUsbShortCut.zip"
or with data: C:\WINDOWS\system32\cmd.exe /c start C:\AntiShortCut\AntiUsb.exe "C:\AntiShortCut\AntiUsbShortCut.zip" & exit
It also modifies the registry so that Explorer hides protected operating system files, which keeps the dropped components out of view:
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
Collects your sensitive information
This threat can collect your sensitive information without your consent. This can include:
- The keys you press
- The applications you open
- Your web browsing history
- Your credit card information
- Your user names and passwords
Collection starts when BrowsingHistoryView.exe is dropped and run; the stolen information is then logged to BrowsingHistoryView.txt.
It will also monitor your browser activities with the following online payment or shopping sites:
- Amazon
- Ebay
- Moneygram
- Paypal
- Skrill
- Ukash
- Western Union
It also looks through browser cookies, cache and history data in the following paths and files, possibly to find user login information:
- Apple Computer\Safari\History.plist
- Google\Chrome\User Data
- Google\Chrome SxS\User Data
- History
- Microsoft\Windows\WebCache\WebCacheV01.dat
- Microsoft\Windows\WebCache\WebCacheV24.dat
- Mozilla\Firefox
- Mozilla\Firefox\Profiles
- Mozilla\SeaMonkey
- Mozilla\SeaMonkey\Profiles
- places.sqlite
It also issues SQL queries against the Firefox history database (places.sqlite) to enumerate browsing activity on the compromised machine. For example:
SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_historyvisits.visit_date, moz_historyvisits.visit_type, moz_historyvisits.from_visit FROM moz_historyvisits LEFT OUTER JOIN moz_places ON moz_historyvisits.place_id = moz_places.id
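To see what that query hands the worm, and how the payment and shopping sites listed above would be picked out of it, here is an added example that is neither the page's nor the malware's code: it builds an in-memory places.sqlite with the two tables the query joins (constructed rows), runs the query exactly as shown, decodes Firefox's microsecond visit_date values, and flags visits to the monitored brands by hostname. The brand-to-domain mapping is my assumption; the worm's own matching rule is not documented on this page.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

# The query the worm runs against Firefox's places.sqlite, as shown above.
HISTORY_QUERY = (
    "SELECT moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, "
    "moz_historyvisits.visit_date, moz_historyvisits.visit_type, moz_historyvisits.from_visit "
    "FROM moz_historyvisits LEFT OUTER JOIN moz_places "
    "ON moz_historyvisits.place_id = moz_places.id"
)

# Brand -> domains. The brands are the page's list; the domains are an assumption about how a
# monitor would recognise them.
WATCHED_SITES = {
    "Amazon": ("amazon.com",),
    "Ebay": ("ebay.com",),
    "Moneygram": ("moneygram.com",),
    "Paypal": ("paypal.com",),
    "Skrill": ("skrill.com",),
    "Ukash": ("ukash.com",),
    "Western Union": ("westernunion.com",),
}


def build_sample_places_db() -> sqlite3.Connection:
    """In-memory places.sqlite with the two tables the query touches (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (1, "https://www.paypal.com/signin", "Log in to your PayPal account", 2),
        (2, "https://example.com/paypal-guide", "How PayPal works", 1),
        (3, "https://www.westernunion.com/us/en/send-money.html", "Send Money", 1),
        (4, "https://news.example.org/", "News", 1),
    ])
    # visit_date is PRTime: microseconds since the Unix epoch.
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", [
        (1, 0, 1, 1_700_000_000_000_000, 1),
        (2, 1, 1, 1_700_000_060_000_000, 2),   # reached from visit 1 via a link
        (3, 0, 2, 1_700_000_120_000_000, 1),
        (4, 0, 3, 1_700_000_180_000_000, 1),
        (5, 0, 4, 1_700_000_240_000_000, 1),
    ])
    return conn


def dump_history(conn: sqlite3.Connection) -> list:
    """Run the worm's query and return one dict per visit with the timestamp decoded."""
    rows = []
    for vid, url, title, count, visit_date, vtype, from_visit in conn.execute(HISTORY_QUERY):
        rows.append({
            "visit_id": vid, "url": url, "title": title, "visit_count": count,
            "visited": datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc),
            "visit_type": vtype, "from_visit": from_visit,
        })
    return rows


def site_for(url: str):
    """Return the watched brand whose domain owns this URL's host, else None.

    Matching on the hostname rather than the whole URL avoids false hits such as a
    blog post at example.com whose path merely mentions paypal."""
    host = (urlsplit(url).hostname or "").lower()
    for brand, domains in WATCHED_SITES.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return brand
    return None


def flag_watched(rows: list) -> list:
    """Unique, sorted (url, brand) pairs for visits to the monitored payment/shopping sites."""
    hits = {(r["url"], site_for(r["url"])) for r in rows if site_for(r["url"])}
    return sorted(hits)


if __name__ == "__main__":
    history = dump_history(build_sample_places_db())
    for r in history:
        print(r["visited"].isoformat(), r["url"], r["title"])
    print("watched:", flag_watched(history))
```

Pointing dump_history at a real profile's places.sqlite (copy the file first; Firefox holds a lock on the live one) shows exactly the record set this threat has access to, including the from_visit chain that links a sign-in page back to the page that led to it.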
Analysis by Marianne Mallen