This application requires Javascript for optimal performance.

W32/Autorun.OHZ!worm - Released Sep 22, 2008 - Last Updated Sep 25, 2008

Alias/es

Worm.Win32.AutoRun.ons, Adware/AntivirusXP2008, Worm:W32/AutoRun.GN, Spy-Agent.bw trojan

Visible Symptoms

  • Presence of the file %ProgramFiles%\Microsoft Common\wuauclt.exe  or system.exe  on external drives.

    • Detailed Analysis

    The malware is a worm that installs a Fraudaulent Antivirus Program on the infected host and also copies itself to external drives.

  • Its approximate filesize is 34,304 bytes.

  • Its icon resembles that of a Word Document file.

  • It attempts to connect to a remote location and drops the following files:
    • %System%blphc7q3j0e3ep.scr
    • %System%lphc7q3j0e3ep.exe
    • %System%phc7q3j0e3ep.bmp
    • %System%pphc7q3j0e3ep.exe
    • %System%rs32net.exe
    • %Windows%\Temp\.tt33.tmp.vbs
    • %Windows%\Temp\.tt37.tmp.exe
    • %ProgramFiles%\Microsoft Common\wuauclt.exe
  • It also creates the following folders:
    • %CurrentUser%\Application Data\rhc3q3j0e3ep
    • %ProgramFiles%\rhc3q3j0e3ep
  • As a part of its worm functions, it drops a copy of itself to external drives using the filename system.exe  and an accompanying autorun.inf  file, which enables the worm to be automatically executed when the drive is accessed.

  • It applies the following registry modifications to automatically execute itself during startup:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      lphc7q3j0e3ep = "%System%\lphc7q3j0e3ep.exe"
      rs32net = "%System%\rs32net.exe"
      SMrhc3q3j0e3ep = "%ProgramFiles%\rhc3q3j0e3ep\rhc3q3j0e3ep.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\rhc3q3j0e3ep
  • It modifies the infected user's desktop wallpaper and screensaver by applying the following registry modifications:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      NoDispBackgroundPage = 1
      NoDispScrSavPage = 1

    HKEY_CURRENT_USER\Control Panel\Desktop   ConvertedWallpaper = "%Systemr%\phc7q3j0e3ep.bmp"
      SCRNSAVE.EXE = "%System%\blphc7q3j0e3ep.scr"
      Wallpaper = "%System%\phc7q3j0e3ep.bmp"
      WallpaperStyle = "0"
      OriginalWallpaper = "%System%\phc7q3j0e3ep.bmp"
  • The fraudulent antivirus has an interface similar to the screenshot below:


    • Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 563950