Worm.Win32.AutoIt_7ec002fac8

by malwarelabrobot on January 25th, 2014 in Malware Descriptions.

Trojan.Generic.9585003 (BitDefender), Trojan.Win32.Generic!BT (VIPRE), Trojan.Hosts.17111 (DrWeb), Trojan.Generic.9585003 (B) (Emsisoft), Artemis!7EC002FAC8D4 (McAfee), WS.Reputation.1 (Symantec), Trojan.SuspectCRC (Ikarus), Trojan.Generic.9585003 (FSecure), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 7ec002fac8d4b5eb36eb7340a77f4444
SHA1: 01d342d4d8a91c14229b050ecedc30db6596f8a5
SHA256: 55938227f0c84ab510b58d0d810608cb6e1c56d58ccdf4db5a4c0fa429d7d510
SSDeep: 49152:6JZoQrbTFZY1ianJWM NOFoIpqy26oIpqf:6trbTA1AM Nsony26onf
Size: 1834576 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that replicates primarily over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

winmodule.exe:500
%original file name%.exe:1860

The Worm injects its code into the following process(es):
No code injection into other processes has been detected.

File activity

The process %original file name%.exe:1860 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%System%\winupdater.exe (7185 bytes)
%System%\winmodule.exe (8585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tjncotc (2017 bytes)
%System%\drivers\etc\hosts (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (3465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (980 bytes)
%System%\drivers\etc\hosts_backup (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (5833 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tjncotc (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)

Registry activity

The process winmodule.exe:500 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 2D B7 53 6E 07 A0 A5 84 E1 02 85 7D 06 7E 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1860 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 35 29 C8 27 B6 42 BE 24 95 E0 4E 9E 61 1B 94"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Worm modifies the "%System%\drivers\etc\hosts" file, which Windows consults to map host names to IP addresses before querying DNS.
The modified file is 766 bytes in size. The following entry is added to the hosts file:

127.0.0.1 www.blockscape.com


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    winmodule.exe:500
    %original file name%.exe:1860

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %System%\winupdater.exe (7185 bytes)
    %System%\winmodule.exe (8585 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tjncotc (2017 bytes)
    %System%\drivers\etc\hosts (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (3465 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (980 bytes)
    %System%\drivers\etc\hosts_backup (734 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (5833 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.