Autorun malware used to be kind of a big deal around here. Worms that jump directly from removable media such as USB drives as soon as they are connected to a PC can cause some major trouble, spreading quickly through a network. Microsoft made a change to newer versions of Windows that disables the autorun functionality, cutting off this infection vector, but there are still a lot of older Windows XP systems out there that have the function enabled. Researchers have recently seen a major increase in the volume of autorun malware in some countries, thanks to a couple of new worms infecting those older machines.
“These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks. If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload,” Konstantin Markov of Kaspersky Lab wrote in an analysis of the new worms.
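The propagation method described above leaves a concrete artifact to look for: an autorun.inf in the root of a volume whose directives point Windows at a program on that same volume. The following is an added example, not code from Kaspersky or from the article, of a small defensive checker that parses such a file and reports the directives that would launch code (and the tricks that make a worm's file look like Explorer's own entry). The heuristics, thresholds and both sample files are constructed for illustration; the two samples are not real specimens.

```python
"""Parse an autorun.inf and report directives that would run code on insertion.

Added example (not from the original article or Kaspersky). The checks below are
illustrative heuristics; the sample autorun.inf contents are constructed.
"""
import configparser
import ntpath

# Directives that make Windows launch a program when the volume is mounted or
# opened, on systems where AutoRun is still enabled (e.g. unpatched Windows XP).
LAUNCH_KEYS = ("open", "shellexecute")
# The genuine AutoPlay caption that malicious autorun.inf files often imitate.
EXPLORER_TEXT = "open folder to view files"
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".hta", ".dll"}


def parse_autorun(text):
    """Return {section_lower: {key_lower: value}} for an INI-style autorun.inf.

    Worm-written files often carry junk lines without '=' (allow_no_value keeps
    the parser alive) and repeated keys (strict=False tolerates them).
    """
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",), empty_lines_in_values=False)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        # Junk before the first [section]: park it in a throwaway section.
        cp.read_string("[_junk]\n" + text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}


def _target_of(command):
    """Best-effort extraction of the program path from a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def assess_autorun(text):
    """Return a list of human-readable findings for one autorun.inf."""
    directives = {}
    for name, items in parse_autorun(text).items():
        if name == "autorun" or name.startswith("autorun."):  # e.g. [autorun.alpha]
            directives.update({k: (v or "") for k, v in items.items()})

    findings, launched = [], []
    for key in LAUNCH_KEYS:
        if directives.get(key):
            findings.append(f"{key}= launches a program: {directives[key]}")
            launched.append(directives[key])
    for key, val in directives.items():
        # shell\<verb>\command hijacks Explorer's context-menu verbs (open, explore, ...)
        if key.startswith("shell\\") and key.endswith("\\command") and val:
            verb = key.split("\\")[1]
            findings.append(f"context-menu verb '{verb}' redirected to: {val}")
            launched.append(val)
    if directives.get("shell"):
        findings.append(f"default double-click verb overridden: shell={directives['shell']}")
    if EXPLORER_TEXT in directives.get("action", "").lower():
        findings.append("action= text imitates Explorer's own AutoPlay entry")
    for cmd in launched:
        root, ext = ntpath.splitext(_target_of(cmd))
        if ext.lower() in EXEC_EXTS and ntpath.splitext(root)[1]:
            findings.append(f"double extension on launched file: {ntpath.basename(cmd)}")
    return findings


def classify(text):
    """'clean' (no code launch), 'launches-code' (typical installer disc), or
    'likely-worm' (code launch plus at least one deception marker)."""
    findings = assess_autorun(text)
    launches = any(f.startswith(("open=", "shellexecute=", "context-menu")) for f in findings)
    deceptive = any(f.startswith(("context-menu", "default double-click",
                                  "action=", "double extension")) for f in findings)
    if not launches:
        return "clean"
    return "likely-worm" if deceptive else "launches-code"


# Constructed sample: what a legitimate installer CD typically ships.
INSTALLER = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Install Disc
"""

# Constructed sample in the style of removable-media worms (not a real specimen).
WORM_STYLE = r"""garbage line before the header
[autorun]
;another junk line that is not key=value
open=data\update.exe
shellexecute=data\update.exe
shell\open\command=data\update.exe
shell\explore\command=data\update.exe
shell=open
action=Open folder to view files
"""

if __name__ == "__main__":
    for label, sample in (("installer", INSTALLER), ("worm-style", WORM_STYLE)):
        print(label, "->", classify(sample))
        for finding in assess_autorun(sample):
            print("   ", finding)
```

Run against the root of every mounted volume, this separates the ordinary installer-disc case (one `open=` line) from the redirect-everything pattern, and it keeps working on files padded with junk lines meant to break naive INI parsers. Even the "launches-code" verdict matters on a USB stick, since nothing legitimate needs to auto-launch from flash media.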
The Java-based worm only spreads through the autorun functionality and comprises four individual components, each with different jobs. Once the worm is on a new PC, it extracts a DLL from its code and then copies itself to the temporary user folder. It also copies the Java executable from %ProgramFiles% to the same folder. The worm then spawns a process and injects a library into it that enables it to spread to available network shares.
“As well as these quirks, this worm also uses strong obfuscation. Here a packer is used in conjunction with Zelix KlassMaster obfuscation. Also, as mentioned above, the worm is polymorphic. This makes it more difficult for antivirus solutions to detect,” Markov said.
“The malware receives commands via a file downloaded from the command center. These instructions are mostly about collecting information from the infected system. In particular, cybercriminals want the worm to gather information about the system, the user and the installed software,” Markov said. “Like Worm.Java.AutoRun, this sample is well-encrypted and can change its form in different infections.”
Both worms are mainly spreading in Southeast Asia right now.