MSIL/Autorun.Spy.Agent.AU [Threat Name] go to Threat

MSIL/Autorun.Spy.Agent.AU [Threat Variant Name]

Category worm
Size 1559364 B
Detection created Jan 08, 2014
Signature database version 9404
Aliases TrojanSpy:MSIL/Golroted.B (Microsoft)
  Trojan.PWS.Stealer.13025 (Dr.Web)
  TR/Drop.Autoit.ykca (Avira)
Short description

MSIL/Autorun.Spy.Agent.AU is a worm that steals passwords and other sensitive information. The worm attempts to send gathered information to a remote machine.

Installation

When executed, the worm copies itself in some of the the following locations:

  • %appdata%\­%variable1%\­%variable2%
  • %localappdata%\­%variable1%\­%variable2%
  • %personal%\­%variable1%\­%variable2%
  • %temp%\­%variable1%\­%variable2%
  • %appdata%\­%variable3%

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable4%" = "%malwarefilepath%"

This causes the worm to be executed on every system start.


The worm schedules a task that causes the following file to be executed when a user logs in:

  • %malwarefilepath%

The worm may create the following files:

  • %temp%\­EBFile_%variable5%
  • %temp%\­BFile_%variable6%
  • %temp%\­%variable7%
  • %workingfolder%\­%variable7%

A string with variable content is used instead of %variable1-7% .


The files are then executed.


The worm launches the following processes:

  • %malwarefilepath%
  • %windir%\­Microsoft.NET\­Framework\­v2.0.50727\­RegSvcs.exe
  • %windir%\­Microsoft.NET\­Framework\­v4.0.30319\­RegSvcs.exe
  • %windir%\­System32\­svchost.exe
  • %defaultbrowser%
  • %windir%\­System32\­notepad.exe

The worm creates and runs a new thread with its own code within these running processes.


The worm terminates its execution if it detects that it's running in a specific virtual environment.


After the installation is complete, the worm deletes the original executable file.

Spreading on removable media

The worm may be spread via removable media.


The worm copies itself into the root folders of removable drives using the following name:

  • Sys.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • operating system version
  • language settings
  • installed firewall application
  • installed antivirus software

The following programs are affected:

  • Eudora
  • Gmail Notifier
  • Google Chrome
  • Google Desktop
  • Google Talk
  • Group Mail Free
  • Hotmail
  • IncrediMail
  • Internet Explorer
  • Live Messenger application.
  • Microsoft Outlook
  • Minecraft
  • Mozilla Firefox
  • Mozilla Thunderbird
  • MSN Messenger
  • Netscape
  • Opera
  • Outlook Express
  • Safari
  • Windows Live Mail
  • Windows Mail
  • Windows Messenger
  • Yahoo! Mail

The worm is able to log keystrokes.


The worm attempts to send gathered information to a remote machine.


The FTP, HTTP protocol or e-mail is used.

Other information

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • display a dialog window
  • open a specific URL address
  • block access to specific websites
  • delete cookies

Configuration is stored in the following file:

  • %malwarefilepath%

The worm can terminate the following processes:

  • Taskmgr.exe
  • cmd.exe
  • msconfig.exe
  • regedit.exe
  • Steam.exe

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 1

The worm keeps various information in the following files:

  • %temp%\­SysInfo.txt
  • %appdata%\­pid.txt
  • %appdata%\­pidloc.txt

The worm can modify the following file:

  • %system%\­drivers\­etc\­hosts

The worm may delete the following files:

  • %programfiles%\­Steam\­config
  • %programfiles%\­Steam\­SteamAppData.vdf
  • %programfiles%\­Steam\­ClientRegistry.blob

Worm requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.