
McAfee Labs Combating Threats - W32/Autorun.worm

Symptoms

W32/Autorun.worm is a family of Trojans that use the “Autorun” feature of Microsoft’s Windows platforms to spread as a worm.

Presence of unknown .inf files in the root of removable, fixed and network drives or shares.

Disabled features in Microsoft’s Windows Explorer or the operating system.

Unknown folder names appearing with an .exe extension.

Slowdown of the PC.

Infection Methods

Most W32/Autorun.worm outbreaks are the result of lax security restrictions on network drives and shares.

The worm copies itself to the root of all available network drives; subsequent users visiting the same location will Autorun the worm and so continue to spread the infection to other network resources.

The other predominant infection method is via USB pen drives. This is typically how such an infection is brought into an organization.

We have seen W32/Autorun.worms installed as part of drive-by installs when visiting malicious or compromised websites.

Protection Methods

W32/Autorun.worms are relatively straightforward to deal with, in comparison to, say, a polymorphic file infector.

In order to control a machine the worm requires registry access. Users running as standard users do not have write access to the registry.

For the majority of these worms the filenames remain constant. They rely on resources being readily available for them to copy themselves to.

They always create an Autorun.inf file in the root of available resources and copy themselves to the system32 folder.

In VSE 8.5i there is a readily created Autorun.inf protection rule that can be enabled to stop the creation of Autorun.inf files.

Network resources, especially root folders should be flagged as read only. Creation of executable files on network resources should be blocked.

Creation of an Autorun.inf named folder in the root of each network folder is often enough to stop the spread of the worm.

Once the name of the executable file is known, an Access Protection rule can be created to stop the creation, execution or access to such file names. The name can be found by opening the Autorun.inf file in a text editor like notepad.exe.
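Reading the name out of the Autorun.inf by hand works for one file; the following added example (not McAfee's code) does the same thing programmatically for a constructed Autorun.inf in the style of the "Typical Autorun.inf" below, collecting every program the file could spawn (open=, shellexecute= and shell\<verb>\command=) and dropping the generic installer names that the article says make poor detection targets:

```python
# Constructed sample in the style of the "Typical Autorun.inf" shown on this page.
SAMPLE_AUTORUN_INF = """[Autorun]
action=Free Tibet
icon=driver.exe,1
open=driver.exe
shell=back
shell\\back\\command=driver.exe
shell\\back=Tibet
"""
# Names the article will not add detection for, because many legitimate
# Autorun.inf files use them; they make poor Access Protection rule targets too.
GENERIC_NAMES = {"setup.exe", "install.exe", "update.exe"}

def parse_autorun_inf(text):
    """Return the key/value pairs of the [Autorun] section with lower-cased keys."""
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
        elif in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def program_name(command):
    """Reduce a command line such as '"sub dir\\x.exe" /q' to the bare file name."""
    command = command.strip()
    if command.startswith('"'):                     # quoted path, may contain spaces
        end = command.find('"', 1)
        token = command[1:end] if end > 0 else command[1:]
    else:
        token = command.split()[0] if command.split() else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1]

def launched_programs(values):
    """Every program the file can make Windows spawn: open=, shellexecute= and shell\\<verb>\\command=."""
    programs = set()
    for key, value in values.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            programs.add(program_name(value))
    return sorted(programs - {""})

def rule_candidates(text):
    """Names specific enough for an Access Protection rule (generic installer names excluded)."""
    return [p for p in launched_programs(parse_autorun_inf(text)) if p.lower() not in GENERIC_NAMES]
```

The icon= entry is deliberately ignored: it names a resource, not a program that gets run.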

Typical Autorun.inf

[Autorun]
action=Free Tibet
icon=driver.exe,1
open=driver.exe
shell=back
shell\back\command=driver.exe
shell\back=Tibet

Permanently Disabling the Autorun feature

NoDriveTypeAutoRun

This registry value can be tweaked to disable the Autorun feature. It is located at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true

This measure has its limitations: most of these worms check for this value and modify it.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDriveTypeAutoRun"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 91, 00, 00, 00
New data: FF, 00, 00, 00
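To see what a change like the one above actually does, the following added example (not from the article) decodes NoDriveTypeAutoRun as a bitmask. The bit-to-drive-type mapping is assumed from Microsoft's GetDriveType() constants rather than taken from this page; it shows that the 0x91 default still leaves removable and fixed drives open to Autorun, while 0xFF closes every drive type:

```python
# Each bit of NoDriveTypeAutoRun corresponds to a DRIVE_* type as returned by
# GetDriveType(); a set bit disables Autorun for that type. Assumed mapping from
# Microsoft's documentation, not taken from this article.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB pen drives
    0x08: "DRIVE_FIXED",       # local hard disks
    0x10: "DRIVE_REMOTE",      # network drives and shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",          # unused bit, present in the 0x91 default
}
SPREAD_TYPES = {"DRIVE_REMOVABLE", "DRIVE_FIXED", "DRIVE_REMOTE"}  # media the worm copies itself to

def parse_reg_dword(data):
    """Turn a 'FF, 00, 00, 00' byte listing (little-endian, as in the change record above) into an int."""
    raw = bytes(int(b, 16) for b in data.replace(",", " ").split())
    return int.from_bytes(raw, "little")

def autorun_enabled_types(value):
    """Drive types on which Autorun still fires for this NoDriveTypeAutoRun value."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items())
            if not value & bit and name != "RESERVED"]

def still_exposed(value):
    """True when a worm on a USB stick, local disk or share could still be Autorun."""
    return bool(SPREAD_TYPES & set(autorun_enabled_types(value)))

def describe_change(old_data, new_data):
    """Summarise a registry change record such as the one above: which drive types it closes or reopens."""
    old, new = parse_reg_dword(old_data), parse_reg_dword(new_data)
    return {"old": hex(old), "new": hex(new),
            "closed": sorted(set(autorun_enabled_types(old)) - set(autorun_enabled_types(new))),
            "reopened": sorted(set(autorun_enabled_types(new)) - set(autorun_enabled_types(old)))}
```

Running describe_change() over a registry diff in the reverse direction (FF back to 91) is the quickest way to spot a worm that has re-enabled Autorun, as the article warns they do.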

Windows Hack to disable autorun.inf files

This hack instructs Windows to treat autorun.inf files as if they were the configuration (INI) files of a pre-Windows application: such files are looked up through the IniFileMapping registry key instead of being read from disk.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

@="@SYS:DoesNotExist"

Copy these lines into Notepad and save them as a .REG file, then merge the file. This instructs Windows not to use values from the INF file but to read them from HKLM\SOFTWARE\DoesNotExist; since that key does not exist, the INF file does not run.

The only downside of this is that if you insert a CD with software on it, you have to explore it by hand to find the setup program.

Anatomy of a W32/Autorun.worm

A W32/Autorun.worm is usually comprised of a script compiled into an executable (most often an AutoIT script). When executed, the script makes a series of registry changes to secure the machine against investigation and cleaning.

Typically this means disabling the command prompt (CMD.EXE), the registry editor (REGEDIT.EXE) and the folder options used to show things like hidden files.

Typically the worm hooks the system by replacing explorer.exe as the default open shell for local drives and adding itself to the Run keys, sometimes via Image File Execution Options; another favourite is to add itself as the mount point for local drives.

The worm then proceeds to copy itself and its AUTORUN.INF file to various locations, either local, removable or network resources.

Most of this is achieved via registry manipulation; some typical registry entries are listed below. A W32/Autorun.worm will typically make 50-100 registry changes.

HKEY_CURRENT_USER, "Software\\Microsoft\\\\Main", "Window Title"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{b50e73c3-6c25-11d8-802a-806d6172696f}"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{257f90ea-5714-11dc-b5ea-001111bc05ec}"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{1b5fc626-9822-11dc-8355-806d6172696f}"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "HideClock"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableTaskMgr"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoFind"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoFolderOptions"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoRun"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoRun"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoViewContextMenu"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoShellSearchButton"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoTrayItemsDisplay"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoSetFolders"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HideFileExt"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "Hidden"
HKEY_CURRENT_USER, "Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegedit"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer", "NoDriveTypeAutoRun"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoFolderOptions"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Workgroupcrawler\\Shares", "shared"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "DisallowRun"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "DisallowRun"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "ShowSuperHidden"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "SuperHidden"
HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\SafeBootAlternate", "AlternateShell"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", filename
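A list like the one above is only useful to an incident responder if it can be read quickly. The following added example (not McAfee's code) parses registry-change lines in exactly that format, from a constructed sample, and buckets them into the behaviours the article describes (anti-investigation, file hiding, persistence hooks, Autorun tampering) so that a change listing from a sandbox or registry diff can be triaged in one pass:

```python
import re
# Constructed sample in the format of the registry list above: a handful of the
# 50-100 entries a W32/Autorun.worm typically writes, plus a Run-key entry.
SAMPLE_REGISTRY_CHANGES = r'''
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{257f90ea-5714-11dc-b5ea-001111bc05ec}"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableTaskMgr"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools"
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HideFileExt"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer", "NoDriveTypeAutoRun"
HKEY_LOCAL_MACHINE, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*", filename
HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater"
'''
LINE_RE = re.compile(r'^(HKEY_[A-Z_]+),\s*"([^"]+)"(?:,\s*"?([^"]*)"?)?\s*$')

VALUE_INDICATORS = {
    "anti-investigation": {"disabletaskmgr", "disableregistrytools", "disableregedit", "disablecmd",
                           "nofolderoptions", "norun", "nofind", "disallowrun", "noviewcontextmenu"},
    "file-hiding": {"hidefileext", "hidden", "showsuperhidden", "superhidden"},
    "autorun-tampering": {"nodrivetypeautorun"},
}
KEY_INDICATORS = {"persistence": ("mountpoints2", "image file execution options",
                                  "safebootalternate", "currentversion\\run")}

def classify(line):
    """Category of one registry change line, or None when it is not an indicator."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = m.group(2).replace("\\\\", "\\").lower()   # collapse the escaped backslashes
    value = (m.group(3) or "").strip().lower()
    for category, names in VALUE_INDICATORS.items():
        if value in names:
            return category
    for category, fragments in KEY_INDICATORS.items():
        if any(fragment in key for fragment in fragments):
            return category
    return None

def triage(text):
    """Count indicator categories across a registry change listing."""
    counts = {}
    for line in text.splitlines():
        category = classify(line)
        if category:
            counts[category] = counts.get(category, 0) + 1
    return counts

def looks_like_autorun_worm(counts):
    """Flag only when tampering spans several behaviours and includes a hook into the
    system; a single policy value may simply have been set by an administrator via GPO."""
    return len(counts) >= 3 and counts.get("persistence", 0) >= 1
```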

Autorun.inf file is infected

There seems to be a lot of confusion with regard to autorun.inf files and questions around whether they are malicious.

An autorun.inf file is not malicious in itself; it is simply an enabler designed to execute a specific piece of code. The Autorun.inf file does not contain malicious code, it can’t replicate, and it can’t do anything other than spawn a process. It can be used to spawn a malicious process. Provided we have a sample of this malicious process we will also add detection for the associated Autorun.inf file. If you intend to submit an Autorun.inf file for detection, please also submit the associated malicious process, even if it is already detected.

This means the researcher can match the two pieces together and add detection for both. There are particular instances when we will not add detection for an Autorun.inf file: if the Autorun.inf calls well-known names like setup.exe, install.exe or update.exe, we will not add detection, as this would produce false positives on many legitimate Autorun.inf files.

Autorun variants

This article focuses on the predominant W32/Autorun.worm family, which are typically AutoIT scripts; however, there are several variant families, like VBS/Autorun.worm, that use VBS scripts rather than executables. There are HTM variants and also variants written in other high-level languages like VB and Delphi.

We have also seen different worm behavior, similar to that of W32/Yahlovers, whereby the worm drops copies of itself into network folders using the standard Windows folder icon (yellow/gold folder) and an existing folder name, but with an .exe extension.

This is to fool a user into clicking on the wrong “folder” and thus infecting their system.

Detection/Clean loops

When facing something like a W32/Autorun.worm infection, it is very important to take a methodical approach to cleaning. Simply cleaning infections as they pop up will result in wasted time and effort as previously cleaned machines become infected once again.

Any network resource that can be written to needs to be cleaned and locked down or protected with an AV scanner with an updated signature. Failing to do so will result in workstations that connect to that resource becoming re-infected time after time; effectively you’ll end up “chasing your tail”.

Creation of Autorun.inf named folders in the root of network resources may protect against future W32/Autorun.worm infections. Using VSE 8.5i Access Protection rules to block the creation of AUTORUN.INF files will stop future infections.

Careful network resource management will stop the spread of W32/Autorun.worms: root folders without write access, and users unable to create EXE, VBS or HTML files on network resources.

Having an installed user base with only user privileges on their workstations will also defeat all known W32/Autorun.worms to date.

Disabling the “Autorun” feature, either via the registry or via the hack described above, will stop the worm from automatically spreading.

Make sure workstations and network servers are always up to date with the latest AV signatures and that the on-access scanner (OAS) is enabled.

Disable access to USB devices via something like SafeBoot.

Scanning web traffic via something like a McAfee EWS appliance should stop drive-by installs of known W32/Autorun.worms.
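The two share-level checks this section recommends, looking for a worm's Autorun.inf in share roots and pre-creating an Autorun.inf folder where none exists, plus the folder-mimic trick from the variants section, lend themselves to a scripted audit. This added example (not McAfee's code) runs those checks over a constructed lab of temporary directories standing in for share roots; on a real server the roots would be the share paths:

```python
import tempfile
from pathlib import Path

PROTECTIVE_NAME = "Autorun.inf"

def audit_root(root, create_folder=False):
    """Classify the root of a drive or share: 'infected-file', 'protected-folder',
    'unprotected' or, when create_folder is set and nothing was there, 'folder-created'."""
    root = Path(root)
    for entry in root.iterdir():                 # name match is case-insensitive, as on Windows
        if entry.name.lower() == "autorun.inf":
            return "infected-file" if entry.is_file() else "protected-folder"
    if create_folder:
        (root / PROTECTIVE_NAME).mkdir()         # occupies the name the worm would want
        return "folder-created"
    return "unprotected"

def find_folder_mimics(root):
    """Executables named after a folder in the same directory (the yellow-folder trick)."""
    root = Path(root)
    folders = {p.name.lower() for p in root.iterdir() if p.is_dir()}
    return sorted(p.name for p in root.iterdir()
                  if p.is_file() and p.suffix.lower() == ".exe" and p.stem.lower() in folders)

def audit_roots(roots, create_folder=False):
    """Run both checks over every root and return one record per root."""
    return {str(r): {"status": audit_root(r, create_folder), "mimics": find_folder_mimics(r)}
            for r in roots}

def build_lab():
    """Constructed lab layout (temporary directories, not real shares) so the audit runs offline."""
    base = Path(tempfile.mkdtemp(prefix="autorun_lab_"))
    (base / "share_a").mkdir()
    (base / "share_a" / "autorun.inf").write_text("[Autorun]\nopen=driver.exe\n")
    (base / "share_b" / "Autorun.inf").mkdir(parents=True)
    (base / "share_c" / "Reports").mkdir(parents=True)
    (base / "share_c" / "Reports.exe").write_bytes(b"constructed placeholder, not a real executable")
    return base

def demo():
    """Audit the lab, then protect whatever was unprotected and audit again."""
    lab = build_lab()
    before = {Path(k).name: v for k, v in audit_roots(sorted(lab.iterdir())).items()}
    after = {Path(k).name: v for k, v in audit_roots(sorted(lab.iterdir()), create_folder=True).items()}
    return before, after
```

An 'infected-file' result is a cue to open the file and pull the program name for an Access Protection rule, not to delete it before the sample has been collected.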