Researchers Uncover Polymorphic AutoRun Worm

W32/Autorun.worm.aaeb-h is an evolved, virtual machine-aware AutoRun worm that makes use of  obfuscation and polymorphic techniques in order to evade detection and infect removable media and mounted network shares, according to McAfee.Researchers have seen an increase in samples for the year-old malware family, which is compiled in Visual Basic 6.

Autorun wormW32/Autorun.worm.aaeb-h is an evolved, virtual machine-aware AutoRun worm that makes use of  obfuscation and polymorphic techniques in order to evade detection and infect removable media and mounted network shares, according to McAfee.

Researchers have seen an increase in samples for the year-old malware family, which is compiled in Visual Basic 6. This family of malware generally compromises machines through drive-by downloads or spam and ends up looking like any other thumb-drive infecting, AutoRun worm. W32/Autorun.worm.aaeb-h is the most complicated virus among known members of this family.Its authors have upped their game with this latest version by encrypting all the important strings with one or in some cases two rounds through the RC4 cipher algorithm using a randomly generated encryption key. McAfee’s Sanchit Karve notes that earlier variants stored much of their code in plain-text.

The initial infection requires that users either willingly execute the malicious file directly or navigate to a folder storing the files. Once a machine is compromised, the malware writes an “autorun.inf” file so that it can automatically execute itself on any machines with AutoRun enabled as the worm spreads. Researchers have also observed the malware copying itself to Zip and RAR archive files and downloading new software from its command and control server.

The worm is also changing relevant directories so that they appear hidden in affected drives. Beyond that the worm is copying itself as that hidden directory file but also as “secret.exe,” “sexy.exe,” “porn.exe,” and “passwords.exe” among other apparently-alluring-things in what McAfee claims is an attempt to trick new users into running the malicious executables.

Whoever is responsible for this worm is packaging it with VB6 projects in order to make it seem like legitimate software. Most of the payload files themselves are originating from the Zbot and BackDoor malware families. You can find a more in depth analysis of this threat here on the McAfee Labs Blog.

Suggested articles