Yet another worm that infects removable drives was discovered.
Win32/SillyAutorun.FTW was recently found in the wild. The worm is built with Microsoft Visual Studio and uses an injection engine: the worm's code overwrites the original code in memory. When it runs on a newly infected machine, it first
copies itself to %ApplicationData%\E-73473-3674-74335\msnrsmsn.exe, where %ApplicationData% is the application data folder of the current user, for example:
C:\Documents and Settings\Administrator\Application Data\E-73473-3674-74335\msnrsmsn.exe
The worm terminates its initial process and runs the cloned file. It then writes a registry value so that it runs after every reboot: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft3264OSUpdate
The worm then checks whether a removable drive is connected to the computer and starts infecting it. Unlike previously found worms, it does not infect the drive immediately but after some delay, and the infected files are written one by one rather than all at once. This is a social engineering trick that keeps infected users from noticing the worm: a user inserts a USB key, sees no immediate change, and so does not suspect that the computer is actually infected.

The infection method is similar to known ones but with one difference: link files are used. For every folder in the root directory of the drive, the worm creates a link file named after the folder with an appended "s"; for the folder "Documents", for example, it creates "Documentss.lnk". The folder's attributes are changed to hidden and system, so it is invisible in Explorer unless the "Show hidden files" option is enabled. The worm additionally changes this option on the infected computer via the registry.
The user sees the links instead of the folders: when the infected USB drive is inserted, the user clicks on the worm's link instead of the folder and gets infected. The worm also creates a hidden folder "Drivers" on the infected USB drive and copies itself there under the name of each hidden folder, for example:
F:\Documents – hidden folder
F:\Documentss.lnk – link to worm
F:\Drivers\Documents.exe – worm’s copy responsible for this folder
The link's icon is the shell's folder icon, so it looks the same as a folder. Clicking the link runs the copy of the worm, which infects the computer and then displays the contents of the folder to avoid suspicion.
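As an added defender-side example (not from the original write-up), the following Python script scans a drive root for the layout described above: a folder, a "<folder>s.lnk" decoy beside it, and a "Drivers\<folder>.exe" copy behind it, also reporting whether the folder carries the hidden and system attributes. The sample drive it builds is a constructed stand-in with empty placeholder files; point find_lnk_decoys at a real drive letter such as F:\ to check removable media.

```python
import tempfile
from pathlib import Path

# Attribute bits the worm sets on the real folders (FILE_ATTRIBUTE_HIDDEN | SYSTEM).
HIDDEN_SYSTEM = 0x2 | 0x4

def is_hidden_system(path: Path) -> bool:
    """True when both HIDDEN and SYSTEM are set; always False off Windows."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM

def find_lnk_decoys(drive_root: str) -> list:
    """Report root folders that have a '<name>s.lnk' decoy beside them and a
    'Drivers\\<name>.exe' payload behind it, the layout described above."""
    root = Path(drive_root)
    hits = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir() or entry.name.lower() == "drivers":
            continue
        lnk = root / (entry.name + "s.lnk")
        exe = root / "Drivers" / (entry.name + ".exe")
        if lnk.is_file() and exe.is_file():
            hits.append({"folder": entry.name, "lnk": lnk.name,
                         "payload": str(exe.relative_to(root)),
                         "hidden_system": is_hidden_system(entry)})
    return hits

def build_sample_drive() -> str:
    """Constructed stand-in for an infected stick (empty placeholder files, not malware)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "Drivers").mkdir()
    for name in ("Documents", "Photos"):
        (root / name).mkdir()
        (root / (name + "s.lnk")).write_bytes(b"")
        (root / "Drivers" / (name + ".exe")).write_bytes(b"")
    (root / "Clean").mkdir()               # untouched folder: must not be reported
    (root / "Notes.txt").write_bytes(b"")  # plain file: ignored
    return str(root)

if __name__ == "__main__":
    for hit in find_lnk_decoys(build_sample_drive()):
        print(hit)
```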
The recommendations for avoiding the infection are the same as for similar worms. Turn on the "Show hidden files" and "Show extensions" options in Explorer. Or, even better, do not use Explorer; use a different file manager instead, since Explorer is often targeted by malware.
Additionally, the worm uses IRC to send messages in different languages with an infected attachment, for example:
belas fotos nao de voce
vakre bilder fra deg.
hoi niet mooi fotos
ich sag nur geile fotos.