Worm.Win32.AutoIt_c0d2e08c3f

by malwarelabrobot on November 16th, 2013 in Malware Descriptions.

VirTool:Win32/CeeInject (Microsoft), Trojan.Win32.Neurevt.kb (Kaspersky), Trojan.DownLoader9.22851 (DrWeb), Artemis!C0D2E08C3F0D (McAfee), WS.Reputation.1 (Symantec), Inject2.GPM (AVG), Win32:Crypt-QEA [Trj] (Avast), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, Sinowal.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, VirTool


MD5: c0d2e08c3f0d964858b8a9788aa6732e
SHA1: fd8749ed0eedb4ca07803565881a706c8869bd01
SHA256: 917627c7e3dec25d7eb80020c98804c8ff993922da9f0076200a8d4b6927a7ef
SSDeep: 6144:MTKdP784r0r2H/FQ4IoRKbxvXfHixWjovW1:phrJHK4L6/ixU
Size: 226617 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-13 16:02:03


Summary:

Worm: a program that primarily replicates over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

ogtxcdlddjv.exe:476
%original file name%.exe:1796
%original file name%.exe:276
schtasks.exe:1860
schtasks.exe:1676

The Worm injects its code into the following process(es):

javaupd.exe:1772
idletask.exe:1924

File activity

The process ogtxcdlddjv.exe:476 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (16158 bytes)
%Program Files%\Java\jre7\javaupd.exe (16158 bytes)

The process %original file name%.exe:276 makes changes in the file system.
The Worm deletes the following file(s):

%Program Files%\Common Files\blacksilver0\00092d6d.txt (0 bytes)

The process javaupd.exe:1772 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (16158 bytes)
%Program Files%\Common Files\mpir.dll (3929 bytes)
%Program Files%\Common Files\idletask.exe (3193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (5817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1857 bytes)
%Program Files%\Common Files\msvcp100.dll (4257 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1857 bytes)
%Program Files%\Common Files\msvcr100.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1625 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)

Registry activity

The process ogtxcdlddjv.exe:476 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE CF 44 E0 BF 0B 3D DF F6 2D CD 25 89 0C EA 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"schtasks.exe" = "Schedule Tasks"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

The Worm modifies IE security zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

The process %original file name%.exe:1796 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 D1 71 03 E3 FC EA FF F0 97 A4 16 63 6D 76 26"

The process %original file name%.exe:276 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E E8 F1 DD 20 56 5C 68 68 88 F1 6A 37 1D 05 A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CG1]
"BID" = "20 00 08 00 0F 00 0B 00 DD 07 00 00 14 00 88 FF"

[HKCU\Software\Win7zip]
"Uuid" = "34 C5 5D 5D 81 77 17 4D 8C 39 0B 7D 84 E4 70 0B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CG1]
"HAL" = "05 EE 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfwhhydlr.exe]
"DisableExceptionChainValidation" = ""

The process javaupd.exe:1772 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CW1]
"1772" = "88 00 00 00 C8 01 00 00 31 06 38 01 22 01 0A 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files]
"idletask.exe" = "idletask"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 0A 68 56 02 8E CE 8E F9 82 F5 70 3D D9 BD 3F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Worm modifies IE security zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

The Worm modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Worm modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

The process schtasks.exe:1860 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC F2 C9 EB B3 A0 63 EF 4F C0 B1 D4 79 76 E2 47"

The process schtasks.exe:1676 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 A4 76 D6 AA 1D BB 4D 09 79 9E E0 AB 17 C5 DD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process idletask.exe:1924 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC BA 7C 39 70 48 41 2F A7 5E D8 57 34 B4 CD 71"

[HKCU\Software\Classes\CLSID\{34C55D5D-8177-174D-8C39-0B7D84E4700B}\11440374\CW1]
"1924" = "88 00 00 00 80 01 00 00 31 06 18 00 12 01 0A 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Network activity (URLs)

URL                                          IP
hxxp://dayzstreaming.co.uk/gato/order.php    37.221.170.194
hxxp://dayzstreaming.co.uk/javaupd.exe       (Malicious)
update.microsoft.com                         65.55.163.222


HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in dnsapi.dll:

DnsQuery_W

The Worm installs the following user-mode hooks in WS2_32.dll:

gethostbyname
getaddrinfo
GetAddrInfoW

The Worm installs the following user-mode hooks in ntdll.dll:

KiFastSystemCall

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ogtxcdlddjv.exe:476
    %original file name%.exe:1796
    %original file name%.exe:276
    schtasks.exe:1860
    schtasks.exe:1676

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\All Users\Start Menu\Programs\Startup\javaupd.exe (16158 bytes)
    %Program Files%\Java\jre7\javaupd.exe (16158 bytes)
    %Program Files%\Common Files\mpir.dll (3929 bytes)
    %Program Files%\Common Files\idletask.exe (3193 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (5817 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1857 bytes)
    %Program Files%\Common Files\msvcp100.dll (4257 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1857 bytes)
    %Program Files%\Common Files\msvcr100.dll (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1625 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "JavaUpdate" = "%Program Files%\Java\jre7\javaupd.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.