Win32/AutoRun.Autoit.BJ [Threat Name]

Win32/AutoRun.Autoit.BJ [Threat Variant Name]

Category: worm
Size: 519452 B
Aliases: Worm.Win32.AutoIt.aei (Kaspersky)
         W32/Autorun.worm.bcb.virus (McAfee)
         Worm:Win32/Katar.A (Microsoft)
         W32.SillyFDC (Symantec)
Short description

Win32/AutoRun.Autoit.BJ is a worm that spreads via e-mail, shared folders and removable media.

Installation

When executed, the worm copies itself into some of the following locations:

  • %system%\Load Runner.exe
  • %system%\Rooter.exe
  • %system%\ABCDEFGHIJKLMNOPQRSTUVWXYZ.exe
  • %system%\KHATRA.exe
  • %homedrive%\KHATRA.exe
  • %windir%\Xplorer_exe
  • %windir%\System\ghost.exe
  • %windir%\KHATARNAKH.exe
  • %drive%\KHATRA.exe
  • %drive%\%username%.exe
  • %drive%\New Folder(3).exe

The following files are dropped:

  • %commonstartup%\(Empty).LNK
  • %startup%\(Empty).LNK

These are shortcuts to the worm's files.


The worm creates the following files:

  • %windir%\inf\Autoplay.inF (234 B, Win32/AutoRun.Autoit.AH)
  • %system%\avphost.dll (130560 B)
  • %temp%\~Kpc%variable%.tmp (30208 B)
  • %windir%\New WinZip File.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\New WinRAR archive.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\new-screamsaver.com.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\fh_antivirussetup6534.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\mario675.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\kavSetupEng3857.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\Youtube.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\CyberWar.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\New WinRAR ZIP archive.cab (407764 B, Win32/AutoRun.Autoit.BJ)
  • %windir%\supermodels.cab (407764 B, Win32/AutoRun.Autoit.BJ)

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Xplorer" = "%windir%\Xplorer.exe /Windows"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "G_Host" = "%windir%\System\ghost.exe /Reproduce"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    • "Load" = "%system%\KHATRA.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Taskman" = "%system%\KHATRA.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDriveTypeAutoRun" = 597
    • "NoControlPanel" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "Window Title" = "InternetExploiter"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    • "AtTaskMaxHours" = 0
  • [HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\caution]
    • "NoUnsafeTypeCautionForSCR" = 1
    • "NoUnsafeTypeCautionForEXE" = 1
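
As an added example (not part of the ESET description), the following decodes the NoDriveTypeAutoRun bitmask so the value 597 the worm writes can be compared with a fully hardened setting; the bit-to-drive-type mapping follows Microsoft's documentation of that value, and 0xFF is used as the all-disabled baseline.

```python
# NoDriveTypeAutoRun is a bitmask: each set bit disables AutoRun for the drive type whose
# GetDriveType() code equals that bit position (mapping per Microsoft's documentation).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}
WORM_VALUE = 597        # value written by this worm, as given in the description (0x255)
HARDENED_VALUE = 0xFF   # baseline assumed here: AutoRun disabled for every drive type

def decode_no_drive_type_autorun(value):
    """Split a NoDriveTypeAutoRun REG_DWORD into (disabled, still_enabled, undocumented_bits).
    Bits above 0x80 carry no documented meaning; they are returned so an analyst sees them."""
    disabled = [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]
    enabled = [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]
    return disabled, enabled, value & ~sum(DRIVE_TYPE_BITS)

def autorun_enabled_for(value, drive_type):
    """True if AutoRun is still honoured for drive_type (e.g. 'DRIVE_FIXED') under value."""
    return drive_type in decode_no_drive_type_autorun(value)[1]

def weaker_than_baseline(value, baseline=HARDENED_VALUE):
    """Drive types whose AutoRun the baseline disables but value leaves enabled."""
    return [t for t in decode_no_drive_type_autorun(baseline)[0] if autorun_enabled_for(value, t)]
```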

The worm schedules a task that causes the following file to be executed daily:

  • %system%\KHATRA.exe

The worm executes the following files:

  • %system%\­KHATRA.exe
  • %windir%\Xplorer_exe /Windows
  • %windir%\System\ghost.exe /Reproduce

The worm moves the content of the following folders (source, destination):

  • %commonstartup%, %windir%\K.Backup\
  • %startup%, %windir%\K.Backup\

Spreading via e-mail

Win32/AutoRun.Autoit.BJ is a worm that spreads via e-mail.


For its distribution, the worm uses e-mail addresses from the contact lists of the following applications:

  • Windows Live Mail
  • Microsoft Outlook

The sender's address is spoofed.


Subject of the message is one of the following:

  • checkout this beauty
  • my new screensaver
  • Conratulations you are our randomly picked winner
  • the new Fast Heal Anti-Virus™ has just been released
  • Mario game FREE!
  • 50% discount on Kaspersky Anti-Virus!
  • Hacking software i have finally got it!
  • My new program
  • supermodels pictures slideshow

Body of the message can contain some of the following:

  • just checkout this girl posing in a Red bikini!
  • just watch my new screensaver, i have made it myself!
  • Conratulations! you have just won a free screensaver, so go ahead and download the attachment. Don't worry no viruses or malware of any kind 100% guaranteed.
  • Fast Heal Anti-Virus™ has been released so forget about the boring old Quick Heal and download this free version. Just download the attachment and run the file, that will automatically download the free version.
  • The Mario is Back! so throw away all those other games, the real Mario is here. So don't wait for any other minute, Just start playing!
  • Hurry download the attachment now! That is the only way to get a 50% discount or a free version of Kaspersky Anti-Virus. After downloading, run the file which will automatically download the latest version alailable.
  • Hello! I have just downloaded this software that allows me to download any video from youtube for free, so i attached that software in this message. Try it, its great!
  • Guess what, I have just downloaded this software that allows me to hack on someone elses computer.I just read the help file once and used it and it works! I have also sent you a copy, try it.
  • Hi, I have just created a new program that searches and deletes temporary unused files and recovers some disk space. I have mailed that file to you, try it and tell me if you like it.
  • open this attachment and run the file, it contains the picture slideshow of some supermodels.

The attachment is an archive, containing an executable of the worm.


Name of the attachment is one of the following:

  • New WinZip File.cab
  • New WinRAR archive.cab
  • new-screamsaver.com.cab
  • fh_antivirussetup6534.cab
  • mario675.cab
  • kavSetupEng3857.cab
  • Youtube.cab
  • CyberWar.cab
  • New WinRAR ZIP archive.cab
  • supermodels.cab

Spreading via shared folders

The worm tries to copy itself to the available shared network folders.


The following names are used:

  • KHATRA.exe
  • %username%.exe
  • New Folder(3).exe

The name of the file may be based on the name of an existing file or folder.


The following file is dropped in the same folder:

  • AUTORUN.inF

The AUTORUN.INF file contains the path to the malware executable.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following names:

  • KHATRA.exe
  • %username%.exe
  • New Folder(3).exe

The following file is dropped in the same folder: AUTORUN.inF


Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm copies itself into existing folders of removable drives.


The name of the file may be based on the name of an existing file or folder.


The filename has the following extension: ".exe"
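
The AUTORUN.inF mechanism described for shared folders and removable media above can be triaged offline. The following is an added example (not the worm's code nor ESET's): it parses an autorun.inf and flags launch entries pointing at the file names the description lists; the sample file content and the user name are constructed.

```python
import shlex

# Constructed sample of an autorun.inf as dropped on a removable drive or share; its launch
# keys point at file names the description lists for this worm.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=KHATRA.exe
shell\\open\\command=New Folder(3).exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""
# File names the description gives for the worm's copies; <username>.exe is added per host.
WORM_NAMES = {"khatra.exe", "new folder(3).exe"}
# autorun.inf keys that make Windows launch a program.
COMMAND_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\autoplay\\command")

def parse_autorun(text):
    """[autorun] section as {lower-cased key: value}; hand-rolled because configparser
    rejects the backslash keys (shell\\open\\command) this format uses."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def program_of(command):
    """Program a launch command runs: the whole value when it is a bare .exe path (names
    such as 'New Folder(3).exe' contain spaces), otherwise its first token."""
    value = command.strip('"')
    return value if value.lower().endswith(".exe") else shlex.split(command, posix=False)[0].strip('"')

def triage(text, username):
    """(key, program, verdict) per launch entry: 'worm-name' if the base name is one the
    description lists (incl. <username>.exe), 'executable' for any other .exe, else 'other'."""
    names = WORM_NAMES | {username.lower() + ".exe"}
    entries, findings = parse_autorun(text), []
    for key in COMMAND_KEYS:
        if not entries.get(key):
            continue
        program = program_of(entries[key])
        base = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        verdict = "worm-name" if base in names else "executable" if base.endswith(".exe") else "other"
        findings.append((key, program, verdict))
    return findings
```

Run `triage(open(path).read(), os.getlogin())` against each autorun.inf found on a drive root or share; a "worm-name" verdict points at the executable to quarantine, and any "executable" verdict deserves a look since a clean data volume has no reason to launch a program.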

Information stealing

The worm collects the following information:

  • computer IP address
  • information about the operating system and system settings
  • computer name
  • user name
  • e-mail addresses

The worm sends the information via e-mail. The worm contains a list of (1) addresses.

Payload information

Win32/AutoRun.Autoit.BJ is a worm that terminates specific applications.


The worm terminates any program that creates a window containing any of the following strings in its name:

  • sex
  • porn
  • fuck
  • Anti-Virus
  • Anti Virus
  • AntiVirus
  • virus scan
  • Virus-Scan
  • processes
  • process
  • registry
  • Registry Editor
  • Command Prompt
  • System Configuration
  • System Information
  • www.sysinternals.com
  • Bkav200%variable%

The following programs are terminated:

  • ANTS.exe
  • ATCON.exe
  • ATUPDATER.exe
  • ATWATCH.exe
  • AUPDATE.exe
  • AUTODOWN.exe
  • AUTOTRACE.exe
  • AUTOUPDATE.exe
  • AVP.exe
  • AVP32.exe
  • AVPUPD.exe
  • AVWUPD32.exe
  • AVXQUAR.exe
  • Anti-Trojan.exe
  • Avconsol.exe
  • Avsynmgr.exe
  • CATEYE.EXE
  • CMGrdian.exe
  • EMLPROXY.EXE
  • GUARD.exe
  • HijackThis.exe
  • ICLOAD95.exe
  • ICLOADNT.exe
  • ICMON.exe
  • ICSSUPPNT.exe
  • ICSUPP95.exe
  • ICSUPPNT.exe
  • IEProt.exe
  • LUCOMSERVER.exe
  • MAILSVR.EXE
  • MCAGENT.EXE
  • MINILOG.exe
  • MOOLIVE.exe
  • NAVAPW32.exe
  • NMAIN.exe
  • NPROTECT.exe
  • NSCHED32.exe
  • NUPGRADE.exe
  • O2KCHECK.EXE
  • ONLNSVC.EXE
  • PcCtlCom.exe
  • PccGuide.exe
  • QHM32.EXE
  • QHONLINE.EXE
  • QHONSVC.EXE
  • QHSTRT32.EXE
  • RuLaunch.exe
  • SCANMSG.EXE
  • SCANWSCS.EXE
  • SpyLocked%variable%.exe
  • SpybotSD.exe
  • TeaTimer.exe
  • Tmntsrv.exe
  • TmpFw.exe
  • Tmproxy.exe
  • UPSCHD.EXE
  • VsStat.exe
  • Vshwin32.exe
  • apvxdwin.exe
  • aswUpdsv.exe
  • avgnt.exe
  • avguard.exe
  • avpcc.exe
  • avpm.exe
  • bdmcon.exe
  • bdoesrv.exe
  • bdss.exe
  • blindman.exe
  • drwebupw.exe
  • game_y
  • iamapp.exe
  • iamserv.exe
  • mcupdate.exe
  • mmc.exe
  • regedit.exe
  • regedt32.exe
  • sched.exe
  • vsserv.exe
  • winlogon.exe
  • zatutor.exe
  • zonealarm.exe

The worm terminates processes with any of the following strings in the name:

  • ash
  • avg

The worm hides windows of running processes which contain any of the following strings in their title:

  • Outlook Send/Receive Progress

The worm affects the behavior of the following applications:

  • Task Manager Warning
  • Microsoft Outlook
  • Windows Live Mail

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "avg%variable%_cc"
    • "avgnt"
    • "QH Live Update Scheduler"
    • "QH Office 2K Check"
    • "Quick Heal e-mail Protection"
    • "Quick Heal Messenger"
    • "Quick Heal On-Line Protection"
    • "Quick Heal Startup Scan"
    • "Email Protection"
    • "Messenger"
    • "On-Line Protection"
    • "Startup Scan"
    • "Update Scheduler"
    • "SpyLocked%variable%"
    • "AVP"
    • "SpySweeper"
    • "pccguide.exe"
    • "avast!"
    • "BkavFw"
    • "ShStatEXE"
    • "McAfeeUpdaterUI"
    • "ccApp"
    • "ccRegVfy"
    • "vptray"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "SpybotSD TeaTimer"
    • "IEProtection"

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirScheduler]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirService]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QHONLINE]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScanWscS]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcCtlCom]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tmntsrv]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TmPfw]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmproxy]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Antivirus]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Mail Scanner]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast! Web Scanner]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswUpdSv]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AVP]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McTaskManager]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBService]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPwdSvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SavRoam]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Symantec AntiVirus]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DefWatch]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNDSrvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccSetMgr]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SPBBCSvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ProtectedStorage]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TIntSvr]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\upnphost]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mnmsrvc]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDSessMgr]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteRegistry]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtmsSvc]
    • "Start" = 2
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService]
    • "Start" = 2

A string with variable content is used instead of %variable%.

Other information

The worm may display the following messages:

  • Surf the internet somewhere else
  • This site is banned
  • Don't visit this site again or else
  • Say NO to pornography
  • Get a life. Stop watching porn
  • you are not permitted to view this site
  • Fuck yourself
  • You are not allowed to watch porn
  • Gotcha! Asshole
  • Uninstall any antivirus software that is installed in your computer to avoid reboot Do you want to uninstall any antivirus software now?
  • Hacker, gotcha!
  • Somos feos apestamoes ya peruing nameto joto muthafucka

The worm may execute the following commands:

  • cmd.exe /C RegSvr32 /S %system%\avphost.dll
  • cmd.exe /C netsh firewall add allowedprogram program=%system%\KHATRA.exe name=System
  • cmd.exe /C AT /delete /yes
  • cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %sysdir%\KHATRA.exe

The worm may perform operating system restart.


It contains the following text:

  • # GOAL: To stop people from visiting porn sites in cybercafes. They can visit those sites in their home computers,or can watch porn in DVDs or in some other way.
