Another AutoIt compiled Worm enters the Malware scene (February 14, 2014)


The Dell Sonicwall Threats Research Team received reports of an AutoIt Script compiled Worm that gathers sensitive information from the victim machine and transmits it to a remote server via FTP. The stolen information may include browsing history, device hardware profile, ARP table, network configuration and periodically taken screen captures.

AutoIt is a popular scripting language for Windows that has been around for more than two decades. Ease-of-use is one of the main reasons for its popularity among developers, the same reason has attracted Malware writers to use this language more and more over the past few years. We have seen a rise in trend of AutoIt compiled Malware over the past few years and this trend is not likely to drop in the foreseeable future.

Infection Cycle

The Worm drops a copy of itself at the following location:

  • %Administrator%Start MenuProgramsStartUpLoveU.exe [Copy of itself]

It creates the following process to disable system firewall

  • C:Windowssystem32cmd.exe /c netsh firewall set opmode mode=disable

It shows the following message box which disappears after few moments

The Worm then starts gathering information about the system and stores this information locally. The Following table shows the commands and corresponding files that save the relevant information:

Additional information about the victim’s machine is saved as follows:

The Worm then opens a FTP connection to koko[xxxxxx].com and sends this information to the server. Once sent, it deletes these files from the system.

The Worm has the following additional capabilities:

  • Scan for available removable drives and drops the malicious files onto them to spread further

  • Capture screenshot of the system

  • Send Mail from the system

Overall the main motive of this Worm is to gather information about the victim system and send it over to the attacker. We will continue to monitor this threat to see if further additions are made to increase its arsenal of capabilities.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Fucom.A (Worm)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.