W32/AutoRun.BBC!worm

Alias/es: Trojan.Win32.Buzus.cvcz (KAV), W32/Autorun.worm.bbc (McAfee)
Release Date: Feb 19, 2009
Detection Availability

                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 11.582
Description

Visible Symptoms

  • The following files exist:

    • %SYSTEM%\wmimngr.exe
    • %SYSTEM%\wpmgr.exe

  • The following files exist on every removable drive attached to the infected system:

    • autorun.inf
    • RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
    • RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\Desktop.ini

  • Possible firewall alert that an executable is attempting to connect to the Internet.

Detailed Analysis


  • Creates a copy of itself in the %SYSTEM% folder named wmimngr.exe and then registers itself to run at each Windows startup by creating the following registry entry:

    • key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • value: Windows Management
    • data: %SYSTEM%\wmimngr.exe

  • Adds the following registry entry, which whitelists the dropped copy in the Windows Firewall (XP SP2-style) authorized applications list so that its outbound connections are not blocked:

    • key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • value: %SYSTEM%\wmimngr.exe
    • data: %SYSTEM%\wmimngr.exe:*:Enabled:Explorer

  • Drops the following file and then executes it:

    • %SYSTEM%\wpmgr.exe

    This dropped file is detected as W32/Buzus.CVDN!tr.

  • Creates a new folder named RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\ on every removable drive and copies itself into it as redmond.exe; the accompanying autorun.inf causes the copy to be launched when the drive is opened on a system with AutoRun enabled.

  • Creates several copies of itself in the shared folders of popular file-sharing and messaging applications, using deceptive file names designed to be downloaded by other users, such as:

    • C:\Program Files\icq\shared folder\K-Lite codecpack 3.10 full.exe
    • C:\Program Files\grokster\my grokster\Perfect keylogger family edition with crack.exe
    • C:\Program Files\emule\incoming\Microsoft Visual Studio 2008 KeyGen.exe
    • C:\Downloads\Ad-aware 2009.exe

  • The worm harvests email addresses from the Windows Address Book and from files that have any of the following extensions:

    • txt
    • htm*
    • sht*
    • php*
    • asp*
    • dbx*
    • tbb*
    • adb*
    • wab
    • pl

    It uses its own SMTP engine to send itself to those harvested addresses.
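The indicators listed under Visible Symptoms and Detailed Analysis can be checked from an elevated PowerShell prompt. The script below is an added example written for this page, not part of the Fortinet description; the function name Test-AutoRunBBC is my own, and the file paths, registry keys, value names and the RECYCLER directory name are exactly those given above. It only reads: it does not delete or quarantine anything. Note that RECYCLER folders created by Windows itself are named after a real user SID, which begins S-1-5-21; the S-1-6-21 prefix used by this worm is not a valid Windows SID, so the directory name alone is a usable indicator. The firewall key under SharedAccess\Parameters\FirewallPolicy is the Windows XP SP2 / Server 2003 format and is absent on later Windows versions, so that check is skipped when the key does not exist.

```powershell
# Added example: read-only indicator check for W32/AutoRun.BBC!worm (not Fortinet code).
$ErrorActionPreference = 'SilentlyContinue'

# %SYSTEM% as used in the description, e.g. C:\Windows\System32
$SystemDir   = [Environment]::GetFolderPath('System')
$RecyclerSid = 'S-1-6-21-2434476521-1645641927-702000330-1542'   # from the description

function Test-AutoRunBBC {
    $hits = @()

    # 1. Dropped executables in %SYSTEM%
    foreach ($name in 'wmimngr.exe', 'wpmgr.exe') {
        $p = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $p) { $hits += "file: $p" }
    }

    # 2. HKCU Run value "Windows Management" pointing at wmimngr.exe
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run    = Get-ItemProperty -Path $runKey
    $val    = $run.'Windows Management'
    if ($val -and $val -match 'wmimngr\.exe') {
        $hits += "run key: $runKey\Windows Management = $val"
    }

    # 3. Windows Firewall (XP SP2-era) authorized-application entry for wmimngr.exe.
    #    The value name is the full path, the data is "<path>:*:Enabled:Explorer".
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (Test-Path -Path $fwKey) {
        $fw = Get-ItemProperty -Path $fwKey
        foreach ($prop in $fw.PSObject.Properties) {
            if ($prop.Name -match 'wmimngr\.exe') {
                $hits += "firewall exception: $($prop.Name) = $($prop.Value)"
            }
        }
    }

    # 4. Removable drives (DriveType 2): autorun.inf plus the RECYCLER\<SID>\ copy.
    #    Query the drive by path; do not open it in Explorer while AutoRun is enabled.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $removable) {
        $root = $d.DeviceID + '\'
        foreach ($rel in 'autorun.inf',
                         "RECYCLER\$RecyclerSid\redmond.exe",
                         "RECYCLER\$RecyclerSid\Desktop.ini") {
            $p = Join-Path $root $rel
            if (Test-Path -LiteralPath $p) { $hits += "removable: $p" }
        }
        # Any RECYCLER subfolder whose name is not a real S-1-5-21 SID is suspect on its own
        $rec = Join-Path $root 'RECYCLER'
        Get-ChildItem -LiteralPath $rec -Directory |
            Where-Object { $_.Name -notmatch '^S-1-5-' } |
            ForEach-Object { $hits += "suspicious RECYCLER folder: $($_.FullName)" }
    }

    # 5. Decoy copies in the shared folders named in the description
    $decoys = @(
        'C:\Program Files\icq\shared folder\K-Lite codecpack 3.10 full.exe',
        'C:\Program Files\grokster\my grokster\Perfect keylogger family edition with crack.exe',
        'C:\Program Files\emule\incoming\Microsoft Visual Studio 2008 KeyGen.exe',
        'C:\Downloads\Ad-aware 2009.exe'
    )
    foreach ($p in $decoys) {
        if (Test-Path -LiteralPath $p) { $hits += "decoy copy: $p" }
    }

    return $hits
}

$result = Test-AutoRunBBC
if ($result) {
    $result | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No W32/AutoRun.BBC indicators found.'
}
```

Run it as an administrator so the HKLM firewall key and every user's removable media are readable. A positive result on the Run value or the %SYSTEM% files means the worm has executed on this host; a hit only on a removable drive means the media is carrying the worm but the host may be clean, and the drive should be cleaned before it is opened on another machine. Remediation (removing the files, the Run value and the firewall exception) is a separate step and should be done with the worm's processes stopped.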


Description Last Updated Date: Dec 29, 2009
Reference: ID - 757184