Security News

Another AutoIt compiled Worm enters the Malware scene (February 14, 2014)

By

The Dell Sonicwall Threats Research Team received reports of an AutoIt Script compiled Worm that gathers sensitive information from the victim machine and transmits it to a remote server via FTP. The stolen information may include browsing history, device hardware profile, ARP table, network configuration and periodically taken screen captures.

AutoIt is a popular scripting language for Windows that has been around for more than two decades. Ease-of-use is one of the main reasons for its popularity among developers, the same reason has attracted Malware writers to use this language more and more over the past few years. We have seen a rise in trend of AutoIt compiled Malware over the past few years and this trend is not likely to drop in the foreseeable future.

Infection Cycle

The Worm drops a copy of itself at the following location:

  • %Administrator%Start MenuProgramsStartUpLoveU.exe [Copy of itself]

It creates the following process to disable system firewall

  • C:Windowssystem32cmd.exe /c netsh firewall set opmode mode=disable

It shows the following message box which disappears after few moments

The Worm then starts gathering information about the system and stores this information locally. The Following table shows the commands and corresponding files that save the relevant information:

Additional information about the victim’s machine is saved as follows:

The Worm then opens a FTP connection to koko[xxxxxx].com and sends this information to the server. Once sent, it deletes these files from the system.

The Worm has the following additional capabilities:

  • Scan for available removable drives and drops the malicious files onto them to spread further

  • Capture screenshot of the system

  • Send Mail from the system

Overall the main motive of this Worm is to gather information about the victim system and send it over to the attacker. We will continue to monitor this threat to see if further additions are made to increase its arsenal of capabilities.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Fucom.A (Worm)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Microsoft Security Bulletin Coverage for December 2020
Sonicwall RTDMI engine discovers malicious MS Office file containing Java RAT in the wild
Obama Speech Trojan (Nov 5, 2008)
Novel Malicious code evasion method for AI/ML based detection
AndroidBot malware with obfuscation and multiple capabilities spreading in the wild
Cybersecurity News & Trends - 03-26-21
AgentTesla Updates Its Infection Chain
CrushFTP Server-Side Template Injection (SSTI)