W32/AutoRun.ATE!tr - Released Oct 30, 2008 - Last Updated Nov 04, 2008
|
Alias/esTrojan-Downloader.Win32.Agent.anaq(KAV), Spy-Agent.bw trojan(McAfee), W32/Autorun.AEE.worm(Panda), Worm:W32/AutoRun.JB(F-Secure), W32/Agent.5190!tr.dldr. |
Visible SymptomsDeletes itself from the current directory.
The following files exist under the %ProgramFiles%\Microsoft Common\ folder.
The following files exist under the root folder of all removable physical partitions:
|
Detailed Analysis
It adds the following registry:
- key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution\explorer.exe
- value: Debugger
- data: %Program Files%\Microsoft Common\wuauclt.exe
Injects malicious code into the following processes:
May start an instance of the iexplorer.exe process and inject malicious codes into it.
Downloads files from the following URLs:
- http://{REMOVED}.php?v=1&rs={RANDOM}&uid=1
- http://{REMOVED}.php?v=1&id={RANDOM}&rs={RANDOM}&cc=0&uid=1
- http://{REMOVED}.php?v=1&rs={RANDOM}&n=1&uid=1
- http://{REMOVED}.php?v=1&id={RANDOM}&rs={RANDOM}&n=1&cc=0&uid=1
- http://{REMOVED}.php?v=1&rs={RANDOM}&uid=1
- http://{REMOVED}.php?v=1&id={RANDOM}&rs={RANDOM}&cc=0&uid=1
- http://{REMOVED}.php?v=1&rs={RANDOM}&n=1&uid=1
- http://{REMOVED}.php?v=1&id={RANDOM}&rs={RANDOM}&n=1&cc=0&uid=1
It searches for all removable physical partitions, and creates the following files under the root folder of these partitions:
|
Recommended ActionFortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
|
