Win32/AutoRun.Agent.ARE [Threat Name]

Win32/AutoRun.Agent.ARE [Threat Variant Name]

Category: worm
Size: 77824 B
Detection created: Jun 15, 2017
Detection database version: 15590
Short description

Win32/AutoRun.Agent.ARE is a worm that spreads via shared folders and removable media. The worm can download and execute a file from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\%variable1%.exe

The worm creates the following files:

  • %temp%\bbzupd.exe
  • %temp%\%variable2%.exe
  • %temp%\%variable3%.vbs
  • %currentfolder%\iplist.txt

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


A string with variable content is used in place of %variable1%, %variable2% and %variable3%.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%appdata%\%variable1%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "HideFileExt" = 1
    • "ShowSuperHidden" = 0
    • "SuperHidden" = 1
  • [HKEY_CURRENT_USER\Software\bbzb]
    • "%variable2%" = 1
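The Run-key value, the Explorer\Advanced values and the HKCU\Software\bbzb marker key listed above can be audited from an interactive PowerShell session on the suspect host. The script below is an added example written for this page, not code from ESET or from the worm; the registry paths and values come from the entry, while the function name and the Indicator/Detail output layout are this example's own choices.

```powershell
# Added example (not from the ESET entry): audit the HKCU persistence and
# file-hiding values described for Win32/AutoRun.Agent.ARE. Read-only.
# Function name and output layout are this example's own; registry paths
# and values are those listed in the entry.

function Get-AutoRunAgentRegistryFindings {
    # Properties PowerShell adds to every Get-ItemProperty result; skip them.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $findings = @()

    # 1. Run-key values whose command resolves to an .exe directly under
    #    %APPDATA% (the entry reports "%variable1%" = "%appdata%\%variable1%.exe").
    $runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $appData = [Environment]::GetFolderPath('ApplicationData')
    if (Test-Path $runKey) {
        $props = (Get-ItemProperty -Path $runKey).PSObject.Properties |
            Where-Object { $_.Name -notin $meta }
        foreach ($p in $props) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
            if ($cmd -like "$appData\*.exe") {
                $findings += [pscustomobject]@{
                    Indicator = 'Run key value launching an .exe from %APPDATA%'
                    Detail    = "$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # 2. Explorer\Advanced values at the settings the entry lists. Most of these
    #    are also Windows defaults, so treat a match as corroboration only.
    $advKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $expected = @{ Hidden = 2; HideFileExt = 1; ShowSuperHidden = 0; SuperHidden = 1 }
    if (Test-Path $advKey) {
        $adv     = Get-ItemProperty -Path $advKey
        $matched = @()
        foreach ($name in $expected.Keys) {
            if ($null -ne $adv.$name -and [int]$adv.$name -eq $expected[$name]) {
                $matched += "$name=$($adv.$name)"
            }
        }
        if ($matched.Count -eq $expected.Count) {
            $findings += [pscustomobject]@{
                Indicator = 'Explorer hiding values match the entry (weak on its own)'
                Detail    = ($matched -join ', ')
            }
        }
    }

    # 3. Marker key the entry reports: HKCU\Software\bbzb with "%variable2%" = 1.
    $markerKey = 'HKCU:\Software\bbzb'
    if (Test-Path $markerKey) {
        $vals = (Get-ItemProperty -Path $markerKey).PSObject.Properties |
            Where-Object { $_.Name -notin $meta } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
        $findings += [pscustomobject]@{
            Indicator = 'HKCU\Software\bbzb key present'
            Detail    = ($vals -join ', ')
        }
    }

    return $findings
}

Get-AutoRunAgentRegistryFindings | Format-Table -AutoSize
```

The Run-key check is the one worth acting on: a value that starts an executable sitting directly in %APPDATA% rather than in a program directory is unusual for legitimate software. The bbzb key is a specific marker for this family, and the Explorer\Advanced combination on its own proves little, since a fresh Windows install carries nearly the same values.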

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

Spreading via shared folders

The worm tries to copy itself into shared folders of machines on a local network.


The following filename is used:

  • %variable1%.exe

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


The following files may be dropped in the same folder:

  • %username% Secret Documents.lnk
  • %username% Secret Videos.lnk
  • Me and My Boss.lnk
  • %variable4%.lnk

Each of these files is a shortcut to a malicious file.


A string with variable content is used in place of %variable1% and %variable4%.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • %variable1%.exe

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.


The following files are dropped in the same folder:

  • %username% Secret Documents.lnk
  • %username% Secret Videos.lnk
  • Me and My Boss.lnk
  • %variable4%.lnk

Each of these files is a shortcut to a malicious file.


A string with variable content is used in place of %variable1% and %variable4%.
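The removable-media artefacts described in this section and the shortcut lures shared with the "Spreading via shared folders" section can be checked with the script below. It is an added example written for this page, not ESET's code or the worm's; it reads autorun.inf as text (it never executes it), lists Hidden+System executables in the drive root, and resolves the lure shortcuts to their targets. The function name, the -Roots parameter and the output columns are this example's own; the file names and attributes are those the entry lists, with %username% matched by a wildcard.

```powershell
# Added example (not from the ESET entry): inspect removable-drive roots for
# the artefacts listed for Win32/AutoRun.Agent.ARE. Everything is read-only;
# autorun.inf is parsed as text and the shortcuts are only resolved, not opened.
# Function name, parameter and output layout are this example's own.

function Get-RemovableMediaFindings {
    param(
        # Drive roots to inspect (e.g. 'E:\'); defaults to every mounted removable drive.
        [string[]] $Roots
    )
    if (-not $Roots) {
        $Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
            ForEach-Object { $_.DeviceID + '\' }
    }

    # Shortcut names from the entry; '*' stands in for %username%.
    $lnkPatterns = @('* Secret Documents.lnk', '* Secret Videos.lnk', 'Me and My Boss.lnk')
    $shell    = New-Object -ComObject WScript.Shell
    $findings = @()

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # 1. autorun.inf: pull out what the [autorun] section would launch.
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $targets = @()
            foreach ($line in (Get-Content -LiteralPath $inf -Force)) {
                if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
                    $targets += $Matches[2]
                }
            }
            $detail = if ($targets.Count -gt 0) { 'launches: ' + ($targets -join '; ') }
                      else { 'no launch directive parsed' }
            $findings += [pscustomobject]@{ Drive = $root; Indicator = 'autorun.inf present'; Detail = $detail }
        }

        # 2. Executables in the root carrying both the Hidden and System attributes.
        $exes = Get-ChildItem -LiteralPath $root -Force -File -Filter '*.exe' -ErrorAction SilentlyContinue
        foreach ($exe in $exes) {
            if ($exe.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                $exe.Attributes.HasFlag([IO.FileAttributes]::System)) {
                $findings += [pscustomobject]@{ Drive = $root; Indicator = 'Hidden+System .exe in root'; Detail = $exe.Name }
            }
        }

        # 3. Shortcuts with the lure names, resolved to the file they point at.
        $lnks = Get-ChildItem -LiteralPath $root -Force -File -Filter '*.lnk' -ErrorAction SilentlyContinue
        foreach ($lnk in $lnks) {
            foreach ($pat in $lnkPatterns) {
                if ($lnk.Name -like $pat) {
                    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
                    $findings += [pscustomobject]@{ Drive = $root; Indicator = 'Lure shortcut'; Detail = "$($lnk.Name) -> $target" }
                    break
                }
            }
        }
    }

    return $findings
}

Get-RemovableMediaFindings | Format-Table -AutoSize
```

Run it with `-Roots 'E:\'` to inspect a specific drive or a mounted image of one. Since Windows 7 (and on earlier versions with the 2011 AutoRun update applied), Windows no longer honours autorun.inf on non-optical removable drives, which is why the shortcut lures matter: on current systems the infection depends on the user opening one of them, so a lure shortcut whose target is a Hidden+System executable in the same root is the stronger indicator of the two.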

Information stealing

The worm collects the following information:

  • operating system version
  • computer name
  • user name

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of 7 URLs. The HTTP protocol is used in the communication.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • send gathered information

The worm may display the following message:
