Feb 15 2013

Polymorphic AutoRun Worm Evolves and Obfuscates

Recently we have seen a spike in a Visual Basic 6-compiled AutoRun worm family. The family is both client- and server-side polymorphic. (For more on this family, refer to our VIL and Advisory entries.)

The W32/Autorun.worm.aaeh family usually gets on a victim’s machine through email spam, Blacole drive-by downloads, or downloads by BackDoor-FJW. From a behavioral perspective, it looks like any other thumb-drive infecting worm. It adds an autorun.inf file on all removable drives and network shares, has an icon resembling a folder icon to trick people into double-clicking it, and infects ZIP and RAR archives. What separates this worm from the rest, however, is the level of obfuscation and polymorphism that it employs.

This family is known to package itself with open-source VB6 projects taken from repositories on the web as an obfuscation mechanism. It appears that the author achieves this by downloading an existing VB6 project with GUI components (forms, user-defined controls, etc.), including the malicious code inside the project, and switching the Startup Object to “Sub Main” so that only the malware gets control, instead of the original project’s event handlers. This is possibly an attempt to pose as legitimate software. However, the compiled binaries typically never contain the clearly visible strings required by the malware; those strings are instead encrypted with the RC4 algorithm using a randomly generated encryption key. The files may be either p-code compiled or natively compiled VB6. The code is obfuscated, and the developers appear to have used an automated code scrambler for binary generation. The generated code uses junk API calls and string functions to further complicate analysis (described below).

Internals

This threat has been around for more than a year and has evolved. I should note that the earliest samples from this family weren’t nearly as complex as they are today. Some of the oldest samples didn’t encrypt all the strings (MD5:A858514E09637B9B84FD207CED38657B), but the authors have evolved their software (MD5:65CCF15E6224444AAC1141BA210A35C2) by encrypting everything important with a single round of RC4 encryption. Some new variants use an additional round of RC4 (MD5:DCEF805C893A0515C7A0BA117F13CDC3).

When this family first executes, it performs the following operations:
(Boldface items apply only to the new variants that use two rounds of RC4.)

  • Checks if only one instance of the application is running, else quits
  • Opens itself with File Read permission
  • Searches for its encrypted data, which later decrypts to its strings. It needs to obtain a key for decryption. The key is built from two subkeys.
  • Key1 is obtained from the application title
  • Key2 is a hardcoded ASCII byte key
  • Performs RC4 decryption over encrypted data using key2 (Layer 1 Decryption)
  • Performs RC4 decryption over encrypted data using key1 (Layer 2 Decryption)
  • Splits strings based on vbCrLf as decrypted strings appear as one large string delimited by vbCrLf
  • Performs malicious activity and refers to decrypted strings for API functions, DLLs, filenames, URLs, and other information.
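The decryption sequence above, written out as an analyst's string-table decoder. This is an added example, not code from the post or from McAfee; the data blob, the application title "Project1" and the key2 bytes are constructed fixtures, and it assumes key1 is simply the byte form of the VB6 application title.

```python
from typing import List, Optional, Sequence, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_title(app_title: str) -> bytes:
    # Assumption: key1 is the raw byte form of the VB6 App.Title string.
    return app_title.encode("latin-1")


def decrypt_string_table(blob: bytes, app_title: str,
                         key2: Optional[bytes] = None) -> List[str]:
    """Undo the layering in the order the worm does it: layer 1 with the hard-coded
    key2 (two-round variants only), layer 2 with key1 from the application title,
    then split the result on vbCrLf."""
    data = blob
    if key2 is not None:
        data = rc4(key2, data)                   # Layer 1 decryption
    data = rc4(key_from_title(app_title), data)  # Layer 2 decryption
    text = data.decode("latin-1")
    return [line for line in text.split("\r\n") if line]


# Markers an analyst expects in a correctly decrypted table (names that appear in the
# string dump shown later in the post).
KNOWN_MARKERS = {"kernel32", "advapi32", "autorun.inf", "[autorun]"}


def recover_with_candidate_titles(blob: bytes, candidates: Sequence[str],
                                  key2: Optional[bytes] = None
                                  ) -> Optional[Tuple[str, List[str]]]:
    """key1 is derived from the application title, so when the title is uncertain
    (e.g. the sample was repacked) try each candidate and keep the first that
    produces a table containing known markers."""
    for title in candidates:
        strings = decrypt_string_table(blob, title, key2)
        if KNOWN_MARKERS & set(strings):
            return title, strings
    return None


# --- constructed fixture standing in for a real sample's encrypted data blob ---------
SAMPLE_STRINGS = ["advapi32", "CreateMutexW", "autorun.inf", "[autorun]", "useautoplay=1"]
SAMPLE_TITLE = "Project1"               # constructed application title (key1 source)
SAMPLE_KEY2 = b"c0nstructed-ascii-key"  # constructed hard-coded key2


def build_sample_blob(strings: Sequence[str], app_title: str,
                      key2: Optional[bytes] = None) -> bytes:
    """Apply the layers in the order a packer would (key1 first, then key2) so that
    decrypt_string_table() can peel them off in reverse."""
    plain = "\r\n".join(strings).encode("latin-1")
    data = rc4(key_from_title(app_title), plain)
    if key2 is not None:
        data = rc4(key2, data)
    return data


if __name__ == "__main__":
    blob = build_sample_blob(SAMPLE_STRINGS, SAMPLE_TITLE, SAMPLE_KEY2)
    print(decrypt_string_table(blob, SAMPLE_TITLE, SAMPLE_KEY2))
    print(recover_with_candidate_titles(blob, ["Form1", "Project1"], SAMPLE_KEY2))
```

Older single-round variants are handled by passing no key2, so only the title-derived key is applied.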

Aside from having the code compiled in native mode and p-code to generate separate binaries that display identical behavior, the author uses various techniques.

Unnecessary Strings

The following image shows strings in clear text that have no relevance to the malware.

image


Random VB6 Library Function Calls

The next image shows various VB6 function calls that have no relevance to the malware.

image

Polymorphism

Besides using the usual tricks, such as register swaps and code merging, this family is capable of using different sets of instructions to implement the same feature. For example, some samples may use polymorphic code for performing RC4, as shown below:

image

The same routine also appears in other samples using floating-point instructions:

image

Next we see a dump of the decrypted strings:

advapi32
CloseHandle
connect
CreateToolhelp32Snapshot
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesW
GetLogicalDrives
GetLogicalDriveStringsW
CreateMutexW
GetModuleHandleW
GetUserNameW
ExitProcess
htons
InternetCloseHandle
InternetOpenUrlW
InternetOpenW
InternetReadFile
kernel32
OpenProcess
Process32First
recv
shell32
ShellExecuteW
SHGetSpecialFolderPathW
Sleep
socket
TerminateProcess
user32
wininet
WriteProcessMemory
WSAStartup
ws2_32
RegCreateKeyExW
RegSetValueExW
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden
autorun.inf
.exe
:.dl
&h
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
[autorun]
action=
open=
useautoplay=1
view files
abcedfghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
aeiou
bcdfghjklmnpqrstvwxyz
ico
task
proc
x.mpeg
Secret
Sexy
Porn
Passwords
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
.scr
CsrGetProcessId
TerminateThread
SetWindowLongW
CallWindowProcW
OpenMutexW
Process32Next
ntdll
NtTerminateProcess
gethostbyname
SetFileAttributesW
DeleteFileW
CopyFileW
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
cmd /c tasklist&&del
mp3,avi,wma,wmv,wav,mpg,mp4,doc,txt,pdf,xls,jpg,jpe,bmp,gif,tif,png
RECYCLER
SetTimer
GetProcAddress
RtlMoveMemory
RegOpenKeyW
RegDeleteValueW
RegisterClassW
CreateWindowExW
DefWindowProcW
GetMessageW
WaitMessage
ShowWindow
ReleaseMutex
NoAutoUpdate
GetForegroundWindow
GetWindowTextW
Software\Microsoft\Windows NT\CurrentVersion\Windows
.com
.net
.org
.biz
.info
config
registry
Load
Run
=
:
.
\
exe
[
]
/
.at
.eu
.by
oq2*mckxjbnof}
runme
8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3
<PATCH1>
<PATCH2>
FindFirstFileW
FindNextFileW
FindClose
GetShortPathNameW
zip
rar
*
\WinRAR\Rar.exe
a -y -ep -IBCK
1
2
4
14
63
32768
32772
2035711
67108864
-4
-2147483646
-2147483647
sbiedll
dbghelp
snxhk
SYSTEM\ControlSet001\Services\Disk\Enum
*VIRTUAL*
*VMWARE*
*VBOX*
*QEMU*
RegQueryValueExW
xxx

From the strings we can see that this threat is VM-aware and capable of infecting RAR and ZIP files. The numbers (1, 2, 3, 14, 63) are used to randomly generate domain names based on table lookups, etc.

The worm can download other prevalent families, such as ZBot, and it’s clear that the payload families use the worm’s spreading mechanism as a propagation vector.

What Can You Do?

This family hasn’t shown signs of fading away (more than a million files on VirusTotal belong to this family), but with a few simple steps, you can avoid getting infected by this annoying worm.

  • Don’t click links in spam emails that promise free stuff or suggest new ways to make a quick buck. Don’t execute software that arrives via spam.
  • Disable the AutoRun feature on Windows
  • Refrain from opening files named “secret,” “sexy,” “porn,” or “passwords” from unknown sources
  • Don’t open any executable file with a shady application name (visible through a tool tip when you hover your mouse near a file or by right-clicking the file and selecting properties)
  • Don’t open any executable file that looks like a folder icon with blurred edges
  • Read our Threat Advisory for more information

McAfee products detect this family as W32/Autorun.worm.aaeh and W32/Autorun.worm.aaeh!gen.


Feb 07 2013

Fake Cleaning Apps in Google Play: an AutoRun Attack and More

Almost exactly one year ago, Google announced the addition of a “new layer to Android security,” a service codenamed Bouncer that was intended to provide automated scanning of the Android Market for potentially malicious software. However, as my colleague Jimmy Shah wrote in a previous blog post, Bouncer has not been enough to keep all the malware out of the market: We saw Android malware (for example, Android/DougaLeaker) distributed in the Google Play Market in 2012. Recently, two malicious applications from the developer Smart.Apps were found using the same official distribution method:


image: DroidCleaner and SuperClean listings

Both applications present themselves as “optimizers” that make Android devices faster and more responsive by cleaning the browser cache, optimizing network settings, clearing unused log files, and so on. When the applications are executed, they display fake user interfaces:

image: fake user interfaces shown on execution

In the case of DroidCleaner, the graphical user interface is more elaborate; the application displays three different cleaning options that lead to the same fake progress bar:

image: DroidCleaner fake progress bars

Meanwhile, in the background and without user consent, a service establishes a communication with a control server. The commands include common actions performed by other Android malware:

  • Sending device and network information (IMEI, IMSI, phone number) to a remote server
  • Sending and deleting SMS messages (could be used to subscribe the user to premium-rate services)
  • Stealing sensitive personal information (installed applications, pictures, contacts, SMS messages, GPS coordinates)
  • Mapping the contents of the SD card (files and directories) to later upload to the remote server

Other less common functions are also implemented as available commands:

  • Executing shell commands remotely
  • Rebooting the device using the command “reboot” on rooted devices
  • Launching another application installed in the device without user consent
  • Setting call forwarding and changing the ringer mode to silent so the user is not aware that calls are being redirected to another number

One of the most interesting commands in this new Android malware is UsbAutorunAttack, which consists of downloading three files (autorun.inf, folder.ico, and svchost.exe) from a remote server to place in the SD card and infect Windows computers that have the AutoRun feature enabled. This new distribution method may not be as effective because the latest version of Windows has AutoRun disabled by default; yet it is interesting to see Android malware trying to infect Windows computers.
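The autorun.inf the Windows worm writes (the [autorun], action=, open=, useautoplay=1 and “view files” entries in the string dump above) and the autorun.inf/folder.ico/svchost.exe set dropped by UsbAutorunAttack share one lure layout: an executable launched under a folder-like label and icon. The triage parser below is an added example, not code from either post; the three .inf contents and the tag names are constructed here for illustration.

```python
from typing import Dict, Set

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")
# Windows system process names that never legitimately sit in a removable drive root.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
# Labels that imitate Explorer's own "Open folder to view files" AutoPlay entry.
LURE_LABELS = ("view files", "open folder")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return key/value pairs from [autorun] (or [autorun.<arch>]) sections, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a UTF-8 BOM
        line = raw.strip()
        if not line or line[0] in ";#":              # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess_autorun_inf(text: str) -> Set[str]:
    """Tag the lure techniques present in one autorun.inf."""
    entries = parse_autorun_inf(text)
    tags: Set[str] = set()

    launcher = entries.get("open") or entries.get("shellexecute") or ""
    target = _basename(launcher.split()[0]) if launcher.split() else ""
    if target.endswith(EXEC_EXTENSIONS):
        tags.add("exec")                 # AutoRun would start an executable
    if target in SYSTEM_PROCESS_NAMES:
        tags.add("sysproc-name")         # e.g. svchost.exe dropped at the drive root

    icon = _basename(entries.get("icon", "").split(",")[0])
    if "folder" in icon:
        tags.add("folder-icon")          # folder.ico style lure
    elif icon.endswith(EXEC_EXTENSIONS):
        tags.add("icon-from-exe")        # icon resource carried by the launched binary

    if entries.get("useautoplay") == "1":
        tags.add("autoplay")
    action = entries.get("action", "").lower()
    if any(label in action for label in LURE_LABELS):
        tags.add("lure-label")
    return tags


def verdict(tags: Set[str]) -> str:
    if "sysproc-name" in tags or len(tags) >= 3:
        return "malicious-pattern"
    if tags:
        return "review"
    return "no-launcher"


# Constructed samples (not captured files). WORM_INF mirrors the keys in the worm's
# string table and the file names dropped by the Android UsbAutorunAttack command.
WORM_INF = ("\ufeff[autorun]\r\naction=view files\r\nopen=svchost.exe\r\n"
            "icon=folder.ico\r\nuseautoplay=1\r\n")
DRIVER_CD_INF = "[autorun]\nopen=setup.exe\nicon=setup.ico\nlabel=Printer Driver CD\n"
PHOTOS_INF = "[autorun]\nlabel=Holiday Photos\n"

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("driver-cd", DRIVER_CD_INF), ("photos", PHOTOS_INF)):
        tags = assess_autorun_inf(inf)
        print(f"{name}: {verdict(tags)} {sorted(tags)}")
```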

Another interesting command in this threat is CallOut, which aims to initiate the dialer’s pad with a specific phone number. The implementation of this command reminds me of the “Dirty USSD” vulnerability, discovered last year, because this one uses the protocol “tel:,” which can be used with a special USSD code to wipe an Android device. Although we haven’t seen this attack in the wild and the issue has already been fixed for most devices with an OTA software update, due to the fragmentation problem of Android it is possible that your device doesn’t have the latest version of the operating system. To find out if your device is vulnerable, McAfee offers a test page that performs a test with nonmalicious code. If your device is vulnerable, you can download and install the McAfee Dialer Protection app from Google Play.

This threat also executes phishing attacks aimed to steal Android (Google) and Dropbox credentials by showing the following user interface to the user when the commands creds_attack and creds_dropbox are sent by the control server:

image: Dropbox phishing screen

image: Android (Google) phishing screen

Once the user enters the information and taps “Login,” the stolen credentials are sent to the remote server while the message “Wrong credentials” is displayed.

McAfee Mobile Security detects this mobile threat as Android/Ssucl.A. The Windows threat is detected by McAfee VirusScan/Total Protection as Generic Dropper.p.

Dec 24 2012

Worm Lures Victims with Indian Celebrity Video Links

Malicious worms are found infecting customers throughout the year. They keep evolving to evade antivirus detection: they add junk code or come up with new custom packers, yet retain their full functionality and reward their developers.

We have seen earlier how different types of malware use chat windows to download and spread across victims here and here.

This worm spreads by copying itself to removable drives and writeable network shares, and by modifying system settings. It can also send out messages via instant messaging clients.

Spreading technique:


Payload

A file named Setting.ini is dropped into the Windows system folder. The worm then tries to download other files from a URL picked at random from that file; once downloaded, they are executed.

What looked interesting to us was that some messages sent by this worm contained the names of Indian celebrities such as Aishwarya Rai, Nayanthara, and Simbu, followed by a link.

The URLs are retrieved at random from setting.ini and point to a remote server hosting a copy of the worm. The following are a few of the messages seen:

  • “Aishwarya Rai videos ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “stream Video of Nayanthara and Simbu ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “Latest video shot of infosys girl ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “cyber cafe scandal visit ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “World Business news broadcaster ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “Regular monthly income by wearing your shorts at the comfort of your home for more info ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “Nfs carbon download ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “Free mobile games ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”
  • “Nse going to crash for more ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <url>”

From the list of messages in setting.ini, we suspect this variant of the worm was targeted at Indian computer users.

If the worm fails to read the content of setting.ini, it sends one of the following messages (in Vietnamese) with a URL pointing to the remote server hosting the worm.

  • E may, vao day coi co con nho nay ngon lam
  • Vao day nghe bai nay di ban
  • Biet tin gi chua, vao day coi di
  • Trang Web nay coi cung hay, vao coi thu di
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…


The worm also enumerates the applications running on the victim’s machine and terminates any of the following that it finds:

  • “Registry”
  • “System Configuration”
  • “Windows mask”
  • “Bkav2006”
  • “Trung tâm An ninh mạng Bkis”
  • “FireLion”

The following system changes can be checked for to detect the presence of this worm:

  • The presence of the following files:
    <system folder>/regsvr.exe
    <system folder>/svchost .exe
    %windir%/regsvr.exe
    New Folder.exe (with a folder icon)

    The dropped files are all copies of the worm with a folder icon.

  • Taskmgr.exe and Regedit.exe are disabled.
  • AT1.job is created to ensure that the worm gets executed every day at 9:00 AM.
  • The presence of the following registry modifications:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    “Shell” = “explorer.exe regsvr.exe”
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    “Msn Messsenger” = “<system folder>\regsvr.exe”

We advise our customers to take extra care when they plug in USB sticks and to keep their DATs updated.

McAfee detects this worm as W32/Autorun.g.

Nov 30 2012

W32.Changeup – A Worm By Any Other Name

Whether a Montague or a Capulet, it never mattered to Juliet, as she made the case in Shakespeare's “Romeo and Juliet” when she says one of her most famous lines, “What’s in a name? That which we call a rose by any other name would smell as sweet.”

Earlier this week, we wrote about the increase in detections of a threat named W32.Changeup. Other vendors have written about it as well. However, each security vendor’s naming conventions are different. For Symantec, we named the threat W32.Changeup when we first discovered it.

Sampling of vendor detection names for W32.Changeup:

  • Microsoft: Worm:Win32/Vobfus.MD
  • McAfee: W32/Autorun.worm.aaeh
  • Trend Micro: WORM_VOBFUS
  • Sophos: W32/VBNA-X
  • Kaspersky: Worm.Win32.VBNA.b
  • ESET-NOD32: Win32/VBObfus.GH

While our naming conventions may be different, a worm by any other name is still a worm. And this worm in particular has not let up. Our recent data indicates W32.Changeup continues to have an impact.

Over a six-day span, Security Response has observed a large increase in the number of detections for W32.Changeup.

We continue to update and add detections for this threat as we encounter new variants. Customers are advised to make sure their virus and intrusion prevention definitions are up to date.

Antivirus

Intrusion Prevention System

Since this worm spreads by leveraging the AutoRun feature in Windows, we also recommend that customers take proactive measures to prevent this feature from being abused.

Jun 15 2011

USB Autorun malware on the wane

Here’s some good news in the ongoing fight against Windows-based malware – it appears that there has been a significant drop in the number of computers being infected by malware which exploits the Windows Autorun feature.

Autorun is the technology which makes a program start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the tell-tale Autorun.inf files in the root directory of your USB sticks and on CDs in the past.

Autorun may sound like it’s great for functionality, but a large amount of malware (the most notorious example would probably be the Conficker worm) has exploited the technology to infect computers via USB sticks in the past.

Earlier this year, Microsoft rolled out an update, effectively preventing Autorun malware from automatically infecting PCs without the user’s permission.

And the good news is that it appears to have worked.

Microsoft chart of Autorun infections

According to research done by Microsoft, by May 2011 the number of infections found on scanned computers had been reduced by 59% on XP and by 74% on Vista in comparison to 2010.

Of course, disabling Autorun doesn’t mean the 100% eradication of all Autorun malware – as some examples use a variety of alternative techniques to spread beyond using the Autorun functionality.

Well done to Microsoft for removing most of the weeds from that particular corner of the malware garden.