Monday, June 10, 2013

How the USB AutoRun virus works

If you have been frustrated by this one, you might also be interested in how it works so I'm sharing it here...



This file virus is a Windows PE EXE file. The file is 380 416 bytes in size. It is written in Delphi.

When launched, the virus copies its executable file as follows:

%System%\config\csrss.exe
%WinDir%\media\arona.exe

It also creates the following file:

%System%\logon.bat

When this file is run, it will launch a copy of the virus:

%System%\config\csrss.exe

In order to ensure that the virus is launched automatically when the system is rebooted, it adds a link to its executable file to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"

The virus also creates the following files:

%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf

These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is run, it will launch a copy of the virus: %System%\config\csrss.exe.

Payload

The virus modifies values of the following system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 1

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

NoFolderOptions = 1

It also searches the hard disk partitions listed below for files with an ".mp3" extension:

d:\
c:\
e:\
f:\
g:\
h:\

These files will then be deleted.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.