Win32/Autoit.NB [Threat Name]

Win32/Autoit.NB [Threat Variant Name]

Category worm
Size 946176 B
Detection created Jul 08, 2016
Detection database version 13773
Aliases Trojan.Win32.Autoit.fdn (Kaspersky)
  Worm:Win32/Ippedo.I (Microsoft)
  Trojan.AutoHit.12866 (Dr.Web)
Short description

Win32/Autoit.NB is a worm that spreads via removable media. It also serves as a backdoor and can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

  • C:\Google\%malwarefilename%

The C:\Google\ folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer, which does not show folders carrying both attributes unless the "Hide protected operating system files" option is turned off.


The worm creates the following files:

  • C:\Google\Windowsupdate.lnk
  • C:\Google\GoogleUpdate.lnk

These are shortcuts to files of the worm.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Update" = "C:\Google\Windowsupdate.lnk"
    • "JavaUpdate" = "C:\Google\GoogleUpdate.lnk"
    • "NewJavaInstall" = "C:\Google\%malwarefilename%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Update" = "C:\Google\Windowsupdate.lnk"
    • "AdopeUpdate" = "C:\Google\GoogleUpdate.lnk"
    • "AdopeFlash" = "C:\Google\%malwarefilename%"

The worm creates the following files:

  • %commonstartup%\Windows Update.lnk
  • %commonstartup%\GoogleUpdate.lnk

These are shortcuts to files of the worm.


This causes the worm to be executed on every system start.


The worm executes the following files:

  • C:\Google\%malwarefilename%

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0

Setting ShowSuperHidden to 0 re-enables the "Hide protected operating system files" option in Windows Explorer, so files and folders carrying the System and Hidden attributes stay invisible even if the user had previously turned that option off.

The worm attempts to delete the following file:

  • %workingfolder%\googleupdate.vbs

The following Registry entry is deleted:

  • [HKEY_CLASSES_ROOT\lnkfile\IsShortcut]

Without the IsShortcut value on the lnkfile class, Windows Explorer no longer draws the arrow overlay on .lnk files, so the shortcuts the worm plants look like ordinary folders and files.
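The persistence and Explorer changes listed above can be checked from an exported registry hive. The following is an added example and not code from this description: a small parser for the text format written by reg export, run over a constructed export fragment (not taken from a real host), followed by three checks: Run entries that launch a .lnk file or anything under C:\Google\, ShowSuperHidden set to 0, and a lnkfile class with no IsShortcut value. "example.exe" stands in for %malwarefilename%, which the description does not name.

```python
import re

# Constructed .reg export (not from a real host) covering the keys this worm
# touches. "example.exe" is a placeholder for %malwarefilename%.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Windows Update"="C:\\Google\\Windowsupdate.lnk"
"NewJavaInstall"="C:\\Google\\example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"EditFlags"=dword:00000001
"NeverShowExt"=""
'''

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
ADVANCED_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
LNKFILE_KEY = r"hkey_classes_root\lnkfile"


def _unquote(s: str) -> str:
    """Strip the surrounding quotes of a .reg string and undo its \\ and \" escapes."""
    s = s.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> dict:
    """Parse the subset of the .reg format that reg export emits: [key] sections,
    "name"="string" values and "name"=dword:hex values. Keys and value names are
    lowercased because the registry compares them case-insensitively; other value
    types (hex:, hex(2):) are kept as their raw text."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "" if name == "@" else _unquote(name)   # "@" is the default value
        if data.startswith('"'):
            value = _unquote(data)
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name.lower()] = value
    return keys


def find_persistence_indicators(reg: dict) -> list:
    """Return one tuple per indicator from the description that is present."""
    findings = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            d = str(data).lower()
            # A Run entry pointing at a .lnk, or at anything under C:\Google\, is the pattern above.
            if d.startswith("c:\\google\\") or d.endswith(".lnk"):
                findings.append(("run", key, name, data))
    if reg.get(ADVANCED_KEY, {}).get("showsuperhidden") == 0:
        findings.append(("explorer", "ShowSuperHidden", 0))
    lnkfile = reg.get(LNKFILE_KEY)
    # The export contains the lnkfile class but the IsShortcut value is gone.
    if lnkfile is not None and "isshortcut" not in lnkfile:
        findings.append(("lnkfile", "IsShortcut", "missing"))
    return findings


if __name__ == "__main__":
    for finding in find_persistence_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the input comes from reg export of the two Run keys, the Explorer\Advanced key and HKCR\lnkfile; reg export writes UTF-16 by default, so decode the files before concatenating them and handing the text to parse_reg_export. The SecurityHealth entry in the constructed export is there to show that a legitimate Run value is not flagged.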

The worm terminates its execution if it detects that it's running in a specific virtual environment.


The worm quits immediately if a module whose name contains one of the following strings is loaded in its own process:

  • snxhk.dll
  • tracer.dll
  • SbieDll.dll
  • api_log.dll
  • dir_watch.dll
  • dbghelp.dll
  • monitornet.dll
  • cuckoo
  • SandCastle
  • sandbox

The worm quits immediately if it detects a running process containing one of the following strings in its name:

  • VBoxService.exe
  • VBoxTray.exe
  • guninraik.exe
  • SbieSvc.exe
  • VMwareTray.exe
  • VMwareUser.exe
  • VMwareService.exe
  • FortiTracer.exe
  • vmacthlp.exe
  • vmtoolsd.exe
  • BehaviorDumper.exe
  • FakeServer.exe
  • FakeHTTPServer.exe

The worm quits immediately if the path of its own executable contains one of the following strings:

  • artifact
  • sample
  • C:\virus\%malwarefilename%
  • C:\%malwarefilename%

The worm quits immediately if any of the following folders is present:

  • C:\CWSandbox\
  • C:\python26\
  • C:\cuckoo\

Spreading

The worm searches for available local and removable drives.


The worm creates copies of the following files (source, destination):

  • C:\Google\Windowsupdate.lnk, %drive%\Skypee\Windowsupdate.lnk
  • C:\Google\GoogleUpdate.lnk, %drive%\Skypee\GoogleUpdate.lnk
  • C:\Google\%malwarefilename%, %drive%\Skypee\%malwarefilename%

The worm searches for files and folders in the root folders of removable drives.


While searching, the worm creates a shortcut named after each folder it finds:

  • %foundfoldername%.lnk

The shortcut points to a malicious file.


The worm creates the following files:

  • %drive%\My Games.lnk
  • %drive%\My Pictuers.lnk
  • %drive%\My Videos.lnk
  • %drive%\Hot.lnk
  • %drive%\Downloads.lnk
  • %drive%\Movies.lnk

These are shortcuts to files of the worm.
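The spreading pattern above leaves a recognisable trace on a removable drive: a hidden drop folder (%drive%\Skypee\) and root-level .lnk files that are named after real folders or that point into that hidden folder. As an added example, not code from this description, the following flags such shortcuts in a directory inventory. It works on a list of Entry records rather than a live drive so it runs offline; the inventory is constructed, "example.exe" stands in for %malwarefilename%, and the decoy shortcuts are assumed to point straight at the worm's copy under %drive%\Skypee\, which the description does not spell out.

```python
from dataclasses import dataclass
from typing import Optional
import ntpath


@dataclass(frozen=True)
class Entry:
    path: str                         # full path on the drive, e.g. E:\Holiday.lnk
    is_dir: bool
    hidden: bool = False              # FILE_ATTRIBUTE_HIDDEN
    system: bool = False              # FILE_ATTRIBUTE_SYSTEM
    lnk_target: Optional[str] = None  # resolved target, for .lnk files only


# Constructed inventory of an infected removable drive (not a real device).
# Holiday is the user's own folder; the worm added Holiday.lnk next to it.
INFECTED_DRIVE = [
    Entry(r"E:\Skypee", True, hidden=True, system=True),
    Entry(r"E:\Skypee\example.exe", False, hidden=True),
    Entry(r"E:\Skypee\Windowsupdate.lnk", False, hidden=True, lnk_target=r"E:\Skypee\example.exe"),
    Entry(r"E:\Skypee\GoogleUpdate.lnk", False, hidden=True, lnk_target=r"E:\Skypee\example.exe"),
    Entry(r"E:\Holiday", True),
    Entry(r"E:\Holiday.lnk", False, lnk_target=r"E:\Skypee\example.exe"),
    Entry(r"E:\My Pictuers.lnk", False, lnk_target=r"E:\Skypee\example.exe"),
    Entry(r"E:\report.docx", False),
    Entry(r"E:\Readme.lnk", False, lnk_target=r"C:\Program Files\Tool\readme.txt"),  # benign
]


def _is_root_level(path: str) -> bool:
    """True for E:\name, false for anything deeper."""
    _, rest = ntpath.splitdrive(path)
    return rest.count("\\") == 1


def find_decoy_shortcuts(entries) -> list:
    """Return (path, [reasons]) for root-level items matching the pattern above:
    a hidden+system folder at the root, a shortcut named like a sibling folder,
    or a shortcut whose target lives inside a hidden folder on the same drive."""
    by_path = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        if not _is_root_level(e.path):
            continue
        reasons = []
        if e.is_dir:
            if e.hidden and e.system:
                reasons.append("hidden+system folder at drive root")
        elif e.path.lower().endswith(".lnk"):
            sibling = by_path.get(e.path[:-4].lower())
            if sibling is not None and sibling.is_dir:
                reasons.append(f"shortcut named like sibling folder {sibling.path}")
            if e.lnk_target:
                target_dir = by_path.get(ntpath.dirname(e.lnk_target).lower())
                if target_dir is not None and target_dir.is_dir and target_dir.hidden:
                    reasons.append(f"target {e.lnk_target} lies in hidden folder {target_dir.path}")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_decoy_shortcuts(INFECTED_DRIVE):
        print(path, "->", "; ".join(reasons))
```

To build the inventory from a real drive, walk it with os.scandir, read the hidden and system bits from the file attributes, and resolve each .lnk with a Shell Link parser; shortcut worms often launch their payload through an interpreter such as cmd.exe, so the resolved arguments should be inspected as well as the target.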

Information stealing

The worm collects the following information:

  • computer name
  • user name
  • volume serial number
  • country
  • operating system version
  • installed antivirus software
  • malware version

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a URL. Communication with the remote computer uses the TCP protocol.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • stop itself for a certain time period
  • execute shell commands
  • update itself to a newer version
  • uninstall itself
  • display a dialog window
  • send gathered information
  • shut down/restart the computer
