Made in the Czech Republic: a PHP Autorun worm

By Robert Lipovsky posted 3 Nov 2011 at 07:21AM

Installation and Spread

Firstly, we classify it as a worm, as it contains methods for spreading itself. In order to replicate through removable media and modify the infected system to ensure persistence, i.e. that it gets relaunched subsequently, the worm copies its body to the following locations:

The root directory of all mounted volumes, except A: and B:. If the drive size is less than ~32GB, the autorun.inf file is also dropped in the hope of exploiting the (at last!) deprecated AutoRun feature of Windows.

The Documents, Desktop, Start Menu, Start MenuPrograms and Start MenuProgramsStartup folders for each user on the system and to the All Users Start MenuPrograms folder. Note that the worm can only copy itself to folders belonging to other users if the worm is run by an administrator account. Also, due to the change of folder naming from Windows Vista onwards, the worm is only able to copy itself to some of the listed folders on earlier Windows systems (such as XP) if it’s a Czech version of the OS.

For each of the above mentioned locations, the worm randomly chooses one of the following innocuous-looking file names:

setup.exe
install.exe
fotky.exe
majkl_dzeksn.exe
barunka.exe
martinka.exe

Harvesting data

The purpose of the worm is to collect a large set of sensitive user data and system information, including:

Messages and other information from various IM clients (such as QIP, ICQ, Digsby)
Saved passwords and other information from various browsers (such as IE, Mozilla Firefox, Opera, Chrome)
Saved passwords from common email clients (such as Outlook, Windows Mail, Yahoo! Mail or Gmail)
Emails and other information from various email clients (such as Outlook, Outlook Express, Mozilla Thunderbird)
Total Commander FTP passwords
Stored Windows credentials
Windows Address Book contacts
Windows User account properties (excluding password)
Network addresses, open connections, tables and statistics
List of running processes and services
Environment variables
List of all user files and directories
List of recently opened documents
Contents of the Registry
MS Windows and MS Office Product Keys

The list of types of data that the worm harvests from the infected machine is quite long, and they are all gathered using various unsophisticated methods. In order to collect most of the data associated with Instant Messaging applications, browsers, and so on, the worm simply uploads all the files from the installation folders of the respective applications. For information related to Windows user accounts, network connections, running processes, and the Windows Registry, the following shell commands are used:

net user
ipconfig
netstat
arp
tasklist
regedit

Another method employed for collecting the victim’s data is the use of third-party password-extraction utilities by NirSoft. The worm’s binary drops and executes four of these tools and sends their output back to the attacker.

The worm uses a simple mechanism for sending the collected data to the remote server. It sends many HTTP POST requests (port 80) containing the stolen data gz-compressed and Base64 encoded.

As you can see from the description above, the worm lacks the sophistication of some of the more advanced malware that we sometimes see. Yet, unfortunately, even these simple threats often get the job done.

Given the very low prevalence of this malware, the fact that at the time of this writing 100% of the detections came from the Czech Republic, and its apparent Czech origin, there is a possibility that this tool was used in a targeted attack on a specific victim. Or it may just have been an experiment by an amateur malware-writer. Or both.

ESET detects this worm as Win32/AutoRun.PSW.Agent.E. The malware analysis was done by Jakub Horký.

Robert Lipovsky

Malware Researcher