New mass-mailing worm seen in the wild (Sep 10, 2010)


The SonicWALL UTM Research team observed a new variant of an Autorun worm spreading in the wild. The worm spreads through e-mail, removable storage and network shares. Each e-mail campaign carries a link that appears to lead to a document or video but actually points to the Autorun worm. The e-mails look like this:

Link to PDF file [Mass-mailing worm]

Subject: Here you have

Email Body:
————————

Hello:

This is The Document I told you about,you can find it Here.http://www.{removed}/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,
————————

Link to WMV file [Adult Spam]

Subject: Just for you

Email Body:
————————

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

http://www.{removed}/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,
————————

Sample e-mail messages look like this (the original post shows screenshots of both messages):
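As an added example (not from the original SonicWALL post), the following Python script turns the two lures above into a message-level check: it matches the two subject lines and the shared link shape, a file under a /library/ path named word+digits.digits with a .pdf or .wmv extension, and never fetches the link, because the page notes the link serves the worm rather than a document. The sample messages and the www.example.com host are constructed stand-ins for the redacted originals.

```python
"""Flag e-mail messages that use the lure pattern shown above.

Added example, not part of the original SonicWALL post. Both lures share a
fixed subject line and a link under a /library/ path whose file name ends in
the same digit string with a .pdf or .wmv extension. The extension is the
bait: the page notes the link actually serves the worm, so nothing is fetched.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Subject lines of the two campaigns (compared case-insensitively).
LURE_SUBJECTS = {"here you have", "just for you"}

# .../library/<word><digits>.<digits>.(pdf|wmv), matching
# PDF_Document21.025542010.pdf and SEX21.025542010.wmv.
LURE_URL = re.compile(
    r"https?://[^\s\"'<>]+/library/\w+\.\d+\.(?:pdf|wmv)\b", re.IGNORECASE
)


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text parts (plain or HTML) of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def lure_indicators(raw_message: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict:
    "lure" when subject and URL both match, "suspicious" when only the URL
    shape matches, otherwise "clean"."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    urls = LURE_URL.findall(_body_text(msg))
    subject_hit = subject in LURE_SUBJECTS
    verdict = "lure" if subject_hit and urls else "suspicious" if urls else "clean"
    return {"subject_match": subject_hit, "lure_urls": urls, "verdict": verdict}


def scan(messages: list[str]) -> list[dict]:
    """Return the results for every message that is not clean."""
    return [r for r in map(lure_indicators, messages) if r["verdict"] != "clean"]


# Constructed samples modelled on the two lures; www.example.com stands in for
# the redacted host, and the third message is a benign control.
SAMPLE_MESSAGES = [
    "Subject: Here you have\n\nHello:\n\nThis is The Document I told you about,"
    "you can find it Here.http://www.example.com/library/PDF_Document21.025542010.pdf\n\n"
    "Please check it and reply as soon as possible.\n\nCheers,\n",
    "Subject: Just for you\n\nHello:\n\nThis is The Free Dowload Sex Movies,"
    "you can find it Here.\n\nhttp://www.example.com/library/SEX21.025542010.wmv\n\n"
    "Enjoy Your Time.\n\nCheers,\n",
    "Subject: Lunch?\n\nMenu: https://www.example.com/library/menu.pdf\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_MESSAGES):
        print(hit["verdict"], hit["lure_urls"])
```

The URL regex is deliberately tied to the file-name shape rather than to a host, since the hosting account was disabled and the host is redacted here; a message whose subject differs but whose link still fits the pattern is reported as suspicious so that re-themed copies of the same campaign are not missed.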

If the user downloads and opens the file, it performs the following activities on the victim's machine:

  • Network Activity:
    • It connects to members.multimania.co.uk and downloads multiple files. The malicious account hosting these files was disabled by Lycos UK.

  • File Activity:

    It creates the following files

    • C:\autorun.inf
    • C:\open.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • C:\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\autorun.inf
    • %windir%\autorun2.inf
    • %windir%\csrss.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\ff.exe – Detected as GAV: Pass.A_2 (Hacktool)
    • %windir%\gc.exe – Detected as GAV: NetPass.FX (Hacktool)
    • %windir%\ie.exe – Detected as GAV: IEPassView.G (Hacktool)
    • %windir%\im.exe – Detected as GAV: Messen.HX (Hacktool)
    • %windir%\op.exe – Detected as GAV: PassView.A (Hacktool)
    • %windir%\pspv.exe – Detected as GAV: PSPassView.A (Hacktool)
    • %windir%\rd.exe – Detected as GAV: IEPassView.G (Hacktool)
    • %windir%\re.exe – Detected as GAV: PsExec.D (Hacktool)
    • %windir%\re.iq
    • %windir%\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\tryme1.exe
    • %windir%\vb.vbs – Detected as GAV: VBS.TRZ (Trojan)
    • %windir%\system\{Logged on User} CV 2010.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\system\update.exe (copy of itself) – Detected as GAV: AutoRun.ICO (Worm)
    • %windir%\system32\SendEmail.dll – Detected as GAV: Sendmail.MOK (Hacktool)

    It replaces the following file

    • %windir%\system32\drivers\etc\hosts

    It deletes the following files

    • All .exe files on the desktop

  • Process Activity:

    It launches the following process

    • %windir%\csrss.exe
  • Registry Activity:
    • It sets HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to "Explorer.exe C:\WINDOWS\csrss.exe" so that the worm is started together with the shell at every logon
    • It disables the Windows Security Center service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
    • It disables the Windows Automatic Updates service by deleting HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
    • It creates multiple Image File Execution Options entries that hijack the launch of other programs: for each targeted process it sets HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{process}\Debugger to "C:\WINDOWS\csrss.exe", so Windows starts the worm in place of the requested program
  • Propagation:
    • It mass-mails itself using the e-mail campaigns shown above
    • It copies itself onto removable storage media as open.exe and replaces the drive's autorun.inf with one that launches it (the autorun.inf is shown in a screenshot in the original post)
    • It copies itself to additional locations using the vb.vbs script it dropped (the destinations are shown in a screenshot in the original post)
  • Harvesting Credentials:
    • It downloads multiple password-recovery tools (ff.exe, gc.exe, ie.exe, im.exe, op.exe, pspv.exe and rd.exe above) and uses them to harvest the user's stored credentials
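The registry changes listed above are the artifacts an incident responder would look for on a suspected host. As an added example, not from the original post or from SonicWALL, the Python script below parses a `reg export` dump and reports a Winlogon Shell value that is more than Explorer.exe, every Image File Execution Options Debugger value, and wscsvc or wuauserv service keys whose Start value is missing. The export is constructed for this example; the two hijacked process names in it (msconfig.exe, taskmgr.exe) are placeholders, since the write-up does not say which programs the worm redirects.

```python
"""Triage a 'reg export' dump for the registry artifacts listed above.

Added example, not from the original post or from SonicWALL. Parses the
subset of .reg syntax needed here and reports the Winlogon Shell change,
IFEO Debugger values and service keys stripped of their Start value.
"""
from __future__ import annotations

HKLM = "HKEY_LOCAL_MACHINE"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES = HKLM + r"\SYSTEM\CurrentControlSet\Services"
# Services whose Start value the worm deletes, per the write-up above.
SABOTAGED = {"wscsvc": "Security Center", "wuauserv": "Automatic Updates"}


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map each [key] (lower-cased; the registry is case-insensitive) to its
    values. Handles "name"="string", @="string" and "name"=dword:hex; other
    value types are kept as the raw text after '='."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys


def _value(values: dict[str, str], name: str) -> str | None:
    """Case-insensitive value lookup (value names are case-insensitive too)."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def triage(keys: dict[str, dict[str, str]]) -> list[str]:
    """Findings as readable strings; an empty list means no artifact was found."""
    findings = []
    shell = _value(keys.get(WINLOGON.lower(), {}), "Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell modified: {shell!r}")  # runs at every logon
    prefix = IFEO.lower() + "\\"
    for key, values in keys.items():
        debugger = _value(values, "Debugger") if key.startswith(prefix) else None
        if debugger is not None:
            # Windows runs the Debugger value instead of the named program and
            # passes that program's path as an argument. Legitimate debuggers
            # use the same key, so the target (csrss.exe in %windir%) is the tell.
            findings.append(f"IFEO Debugger for {key[len(prefix):]}: {debugger!r}")
    for svc, label in SABOTAGED.items():
        svc_key = f"{SERVICES}\\{svc}".lower()
        if svc_key in keys and _value(keys[svc_key], "Start") is None:
            findings.append(f"{label} ({svc}) has no Start value; the service cannot start")
    return findings


# Constructed export. The two hijacked process names are placeholders; the
# write-up does not say which programs the worm redirects.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"DisplayName"="Automatic Updates"
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against an export taken on the suspect machine (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" winnt.reg`, opened with `encoding="utf-16"` since reg.exe writes UTF-16) rather than against a live registry, so the analysis host never executes anything from the infected one. A Debugger value by itself is not proof of compromise, because developer tooling uses the same key legitimately; here the value pointing at csrss.exe under %windir% (a path the real csrss.exe, which lives in system32, never has) is what identifies the worm.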

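The propagation step above depends on autorun.inf directing Windows to open.exe at the root of the removable drive. As an added example, not from the original post, the Python script below parses an autorun.inf tolerantly (malicious ones often contain junk lines and mixed-case keys) and lists every directive that would launch a program. The sample file is constructed to mirror the behaviour described above; the worm's actual autorun.inf appears only as a screenshot in the original post and is not reproduced here.

```python
"""Inspect an autorun.inf for directives that launch a program from the drive.

Added example, not part of the original post. The worm above copies itself to
removable media as open.exe and replaces autorun.inf so AutoRun starts it.
A tolerant line parser is used rather than configparser because malicious
autorun.inf files often contain junk lines and mixed-case keys.
"""
from __future__ import annotations

import re

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# Directives that name something to run: open=, shellexecute=, shell\<verb>\command=.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.
    Lines outside that section, comments and lines without '=' are ignored."""
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun:
            key, sep, value = line.partition("=")
            if sep:
                entries[key.strip().lower()] = value.strip()
    return entries


def _program(value: str) -> str:
    """First token of a command line, honouring a quoted path."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0]


def launch_targets(entries: dict[str, str]) -> list[tuple[str, str]]:
    """(directive, program) for every entry that would execute something."""
    return [(key, _program(value)) for key, value in entries.items()
            if LAUNCH_KEY.match(key) and value]


def launches_executable(entries: dict[str, str]) -> bool:
    """True when any launch directive points at an executable file type.
    A vendor install disc legitimately sets open=setup.exe, so a hit on media
    that should hold only data is the indicator, not proof on its own."""
    return any(prog.lower().endswith(EXEC_EXT) for _, prog in launch_targets(entries))


# Constructed to mirror the behaviour described above: open.exe at the drive
# root wired to every launch hook. The icon line is ordinary filler.
SAMPLE_AUTORUN = """[AutoRun]
open=open.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=open.exe
shell\\open\\command=open.exe
shell=open
"""

# A data-only disc for comparison.
BENIGN_AUTORUN = "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n"

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        entries = parse_autorun(text)
        print(name, launches_executable(entries), launch_targets(entries))
```

The preventive control is to stop Windows from honouring these directives at all: the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer set to 0xFF disables AutoRun for every drive type, which removes the removable-media vector regardless of what autorun.inf says.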
SonicWALL Gateway AntiVirus provides protection against this Autorun worm variant with the following signatures:
GAV: AutoRun.ICO (Worm)
GAV: IEPassView.G (Hacktool)
GAV: NetPass.FX (Hacktool)
GAV: PassView.A (Hacktool)
GAV: Pass.A_2 (Hacktool)
GAV: Messen.HX (Hacktool)
GAV: PSPassView.A (Hacktool)
GAV: PsExec.D (Hacktool)
GAV: Sendmail.MOK (Hacktool)
GAV: VBS.TRZ (Trojan)
