
W32/Agent.5190!tr.dldr - Released Aug 26, 2008 - Last Updated Sep 08, 2008

Alias/es

Worm.Win32.AutoRun.lut, WORM_AUTORUN.ALX, Worm/Generic.JNL, Trojan.Downloader.Kobcka.C, W32/AutoRun.MQF!worm

Visible Symptoms

  • Deletes itself from the current directory.

  • The following files exist under the %ProgramFiles%\Microsoft Common\ folder.
    • wuauclt.exe

Detailed Analysis

  • Adds the following registry entries:
    • key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution\explorer.exe
      • value: Debugger
      • data: %Program Files%\Microsoft Common\wuauclt.exe
    • key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      • value: svchost
      • data: %Program Files%\Microsoft Common\wuauclt.exe
    • key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
      • value: default
      • data: %Program Files%\Microsoft Common\wuauclt.exe:*:Enabled:EMOTIONS_EXECUTABLE
  • Drops a SYS file with a random file name into the %System%\drivers folder and registers it as a system service. The service disables the antivirus software running on the system.

  • Injects malicious code into the following processes:
    • svchost.exe
    • iexplorer.exe
    • explorer.exe
  • Downloads data from the following URLs:
    • http://aas{removed}.ru/load4/ld.php?v=1&rs=%u
    • http://aas{removed}.ru/load4/ld.php?v=1&id=%s&rs=%u&cc=0
    • http://aas{removed}.ru/load4/ld.php?v=1&rs=%u&n=1
    • http://aas{removed}.ru/load4/ld.php?v=1&id=%s&rs=%u&n=1&cc=0
    • http://aas{removed}.ru/loadx/ld.php?v=1&rs=%u
    • http://aas{removed}.ru/loadx/ld.php?v=1&id=%s&rs=%u&cc=0
    • http://aas{removed}.ru/loadx/ld.php?v=1&rs=%u&n=1
    • http://aas{removed}.ru/loadx/ld.php?v=1&id=%s&rs=%u&n=1&cc=0
  • The downloaded data is a list of URLs pointing to updated malware. The injected code downloads the files on that list and executes them.
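The three registry entries listed above (an Image File Execution Options Debugger on explorer.exe, a Run value, and a Windows Firewall exception) are what a responder would look for when triaging a suspect host. The following Python triage of an exported .reg file is an added example, not code from this FortiGuard entry; it assumes the full Windows key name Image File Execution Options (the listing abbreviates it), a constructed sample export, and that a system binary name such as wuauclt.exe sitting outside the Windows folder is the masquerade worth flagging.

```python
# Constructed .reg export mirroring the entries this analysis lists (sample data,
# not a capture); "Image File Execution Options" is the full Windows key name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
@="C:\\Program Files\\Microsoft Common\\wuauclt.exe:*:Enabled:EMOTIONS_EXECUTABLE"
'''
IFEO = r'hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options'
RUN = r'hkey_local_machine\software\microsoft\windows\currentversion\run'
FW_LIST = r'hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list'
SYSTEM_NAMES = {'wuauclt.exe', 'svchost.exe', 'explorer.exe'}  # names this sample borrows

def parse_reg(text):  # .reg export -> {key: {value_name: data}}, string values only
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = 'default' if name == '@' else name.strip('"')
            if len(data) > 1 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1].replace('\\\\', '\\')  # undo .reg escaping
    return keys

def masquerades(path):  # system binary name used outside the Windows folder?
    p = path.lower()
    return p.rsplit('\\', 1)[-1] in SYSTEM_NAMES and '\\windows\\' not in p

def triage(keys):  # (technique, value_name, path) for the persistence this sample sets
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(IFEO + '\\') and 'Debugger' in values:  # any IFEO Debugger merits review
            findings.append(('ifeo-debugger', k[len(IFEO) + 1:], values['Debugger']))
        elif k == RUN:
            findings.extend(('run-key', n, d) for n, d in values.items() if masquerades(d))
        elif k == FW_LIST:  # data is "<path>:*:Enabled:<label>" for an allow rule
            for name, data in values.items():
                path, _, flags = data.partition(':*:')
                if flags.startswith('Enabled') and masquerades(path):
                    findings.append(('firewall-allow', name, path))
    return findings
```

Run `triage(parse_reg(open(path).read()))` on an export produced by `reg export` of the three keys; the legitimate OneDrive Run value in the sample is left alone while the three entries from this analysis are reported.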

Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 546884