
W32/AutoRun.BBC!worm - Released Feb 19, 2009 - Last Updated Dec 29, 2009

Alias/es

Trojan.Win32.Buzus.cvcz (KAV), W32/Autorun.worm.bbc (McAfee)

Detection Availability

               Active Database    Extended Database
FortiGate      low                high
FortiClient
FortiMail      N/A

Visible Symptoms

  • The following files exist:

    • %SYSTEM%\wmimngr.exe
    • %SYSTEM%\wpmgr.exe

  • The following files exist under all the removable physical partitions:

    • autorun.inf
    • RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    • RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini

  • Possible firewall alert that an executable is attempting to connect to the Internet.

Detailed Analysis


  • Creates a copy of itself in the %SYSTEM% folder named wmimngr.exe and then registers itself to run at each Windows startup by creating the following registry entry:

    • key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • value: Windows Management
    • data: %SYSTEM%\wmimngr.exe

  • Adds the following registry entry (a Windows Firewall authorized-applications exception for the dropped copy):

    • key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • value: %SYSTEM%\wmimngr.exe
    • data: %SYSTEM%\wmimngr.exe:*:Enabled:Explorer

  • Drops the following file and then executes it:

    • %SYSTEM%\wpmgr.exe

    This dropped file is detected as W32/Buzus.CVDN!tr.

  • Creates a new folder named RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\ under every removable drive. It then copies itself into that folder as redmond.exe.

  • Creates several copies of itself in the shared folders of some popular file-sharing applications, using deceptive names such as:

    • C:\Program Files\icq\shared folder\K-Lite codecpack 3.10 full.exe
    • C:\Program Files\grokster\my grokster\Perfect keylogger family edition with crack.exe
    • C:\Program Files\emule\incoming\Microsoft Visual Studio 2008 KeyGen.exe
    • C:\Downloads\Ad-aware 2009.exe

  • The worm harvests email addresses from the Windows Address Book and from files that have any of the following extensions:

    • txt
    • htm*
    • sht*
    • php*
    • asp*
    • dbx*
    • tbb*
    • adb*
    • wab
    • pl

    It uses its own SMTP engine to send itself to those harvested addresses.
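The indicators listed under Visible Symptoms and Detailed Analysis, turned into a small triage check as an added example (not Fortinet's code): it takes a snapshot of file paths and registry values and reports which of the worm's artifacts are present. The snapshot format, the scan() function and the sample data are constructed for this illustration.

```python
import re

# Indicators copied from the write-up above; %SYSTEM% is kept as the page's placeholder,
# so a snapshot must use the same spelling (expand it first on a live host).
SYSTEM_FILES = (r"%SYSTEM%\wmimngr.exe", r"%SYSTEM%\wpmgr.exe")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Windows Management"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
RECYCLER_SID = "S-1-6-21-2434476521-1645641927-702000330-1542"
# The per-drive components, on any drive letter (the worm writes them to every removable drive).
REMOVABLE_RE = re.compile(r"^([A-Z]):\\RECYCLER\\" + re.escape(RECYCLER_SID)
                          + r"\\(redmond\.exe|Desktop\.ini)$", re.IGNORECASE)

def scan(snapshot):
    # snapshot = {"files": [path, ...], "registry": {key: {value_name: data}}}
    findings = []
    files = snapshot.get("files", [])
    lowered = {f.lower() for f in files}
    for path in SYSTEM_FILES:
        if path.lower() in lowered:
            findings.append(f"dropped file present: {path}")
    for f in files:
        m = REMOVABLE_RE.match(f)
        if m:
            drive = m.group(1).upper()
            note = " (autorun.inf also present)" if f"{drive}:\\autorun.inf".lower() in lowered else ""
            findings.append(f"removable-drive component on {drive}: {f}{note}")
    reg = snapshot.get("registry", {})
    data = reg.get(RUN_KEY, {}).get(RUN_VALUE, "")
    if data.lower().endswith("wmimngr.exe"):
        findings.append(f"Run-key persistence: {RUN_VALUE} -> {data}")
    for name, data in reg.get(FW_KEY, {}).items():
        if name.lower().endswith("wmimngr.exe") and ":enabled:" in data.lower():
            findings.append(f"firewall exception for dropper: {data}")
    return findings

# Constructed sample snapshot (not real forensic data) of a host with the full set of symptoms.
SAMPLE = {
    "files": [r"%SYSTEM%\wmimngr.exe", r"%SYSTEM%\wpmgr.exe", r"E:\autorun.inf",
              r"E:\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe",
              r"E:\RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini"],
    "registry": {RUN_KEY: {RUN_VALUE: r"%SYSTEM%\wmimngr.exe"},
                 FW_KEY: {r"%SYSTEM%\wmimngr.exe": r"%SYSTEM%\wmimngr.exe:*:Enabled:Explorer"}},
}

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

A lone autorun.inf on a removable drive is not reported by itself, since many legitimate media carry one; it is only noted alongside the worm's RECYCLER components.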


Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 757184