W32/Autoit-BP

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 05 Sep 2011 15:33:27 (GMT)
Last Updated: 05 Sep 2011 15:33:27 (GMT)
Prevalence: Small Number of Reports

Summary

W32/Autoit-BP is a worm for the Windows platform.

Detailed analysis

Example behaviours of W32/Autoit-BP follow:

Example 1

Other vendor detection

Avira
TR/Autoit.mjc
Kaspersky
IM-Worm.Win32.Sohanad.gen
Trend
WORM_UTOTI.RHB

Runtime Analysis

Copies Itself To
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\KHATRA.exe
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\New Folder(3).exe
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\support.exe
  • C:\KHATRA.exe
  • C:\WINDOWS\KHATARNAKH.exe
  • C:\WINDOWS\Xplorer.exe
  • C:\WINDOWS\system32\KHATRA.exe
  • C:\WINDOWS\system\gHost.exe
  • F:/KHATRA.exe
  • F:/New Folder(3).exe
  • F:/support.exe
Dropped Files
  • C:\WINDOWS\new-screamsaver.com.cab
  • C:\WINDOWS\inf\Autoplay.inF
  • C:\WINDOWS\New WinRAR archive.cab
  • C:\WINDOWS\mario675.cab
  • C:\WINDOWS\fh_antivirussetup6534.cab
  • C:\WINDOWS\K.Backup\C_Drive_Documents and Settings_All Users_Start Menu_Programs_Startup_desktop.ini.FUCKED
  • C:\WINDOWS\kavSetupEng3857.cab
  • F:/AUTORUN.inF
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK
  • C:\WINDOWS\Youtube.cab
  • C:\WINDOWS\New WinZip File.cab
  • C:\WINDOWS\K.Backup\C_Drive_Documents and Settings_support_Start Menu_Programs_Startup_desktop.ini.FUCKED
Registry Keys Created
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoControlPanel
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
    FileTracingMask
    0xffff0000
  • HKCU\Software\Nico Mak Computing\WinZip\caution
    NoUnsafeTypeCautionForEXE
    1
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    G_Host
    "C:\WINDOWS\System\gHost.exe" /Reproduce
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
    BitNames
    Error Unusual Info Debug
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Taskman
    C:\WINDOWS\system32\KHATRA.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
    ControlFlags
    0x00000001
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Window Title
    Internet Exploiter
  • HKLM\SOFTWARE\KHATRA\Startup_List
    sfw_start
    sc start "Sophos Client Firewall"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Xplorer
    "C:\WINDOWS\Xplorer.exe" /Windows
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun
    0x000000ff
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load
    C:\WINDOWS\system32\KHATRA.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\srservice
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\upnphost
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStorage
    Start
    0x00000004
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    Start
    0x00000002
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools
    C:\WINDOWS\system32\KHATRA.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\TermService
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start
    0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
    Start
    0x00000002
Processes Created
  • c:\windows\system32\at.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\khatra.exe
  • c:\windows\system32\makecab.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system\ghost.exe
  • c:\windows\xplorer.exe

Example 2

Other vendor detection

Avira
TR/Dropper.Gen
Kaspersky
Trojan.Win32.Agent.crfy
Trend
TROJ_AGENT.AVEN

Runtime Analysis

Copies Itself To
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\KHATRA.exe
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\New Folder(3).exe
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\support.exe
  • C:\Documents and Settings\support\My Documents\My Music.exe
  • C:\Documents and Settings\support\My Documents\My Music\My Music.exe
  • C:\Documents and Settings\support\My Documents\My Pictures.exe
  • C:\Documents and Settings\support\My Documents\My Pictures\My Pictures.exe
  • C:\KHATRA.exe
  • C:\WINDOWS\KHATARNAKH.exe
  • C:\WINDOWS\Xplorer.exe
  • C:\WINDOWS\system32\KHATRA.exe
  • C:\WINDOWS\system\gHost.exe
  • F:/KHATRA.exe
  • F:/New Folder(3).exe
  • F:/support.exe
Dropped Files
  • C:\WINDOWS\New WinZip File.cab
  • C:\WINDOWS\New WinRAR archive.cab
  • C:\WINDOWS\new-screamsaver.com.cab
  • F:/AUTORUN.inF
  • C:\WINDOWS\K.Backup\C_Drive_Documents and Settings_All Users_Start Menu_Programs_Startup_desktop.ini.FUCKED
  • C:\WINDOWS\fh_antivirussetup6534.cab
  • C:\WINDOWS\mario675.cab
  • C:\WINDOWS\K.Backup\C_Drive_Documents and Settings_support_Start Menu_Programs_Startup_desktop.ini.FUCKED
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK
  • C:\WINDOWS\inf\Autoplay.inF
  • C:\WINDOWS\system32\avphost.dll
Registry Keys Created
  • HKCR\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\TypeLib
    (Default)
    {FF14B02B-6EE4-400F-A729-B0EA35F921C2}
  • HKCR\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}
    (Default)
    FastSender Class
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours
    0x00000000
  • HKCR\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\InprocServer32
    (Default)
    C:\WINDOWS\system32\avphost.dll
  • HKCR\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}\ProxyStubClsid32
    (Default)
    {00020424-0000-0000-C000-000000000046}
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoControlPanel
    0x00000001
  • HKCR\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\VersionIndependentProgID
    (Default)
    AOSMTP.Mail
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
    LogSessionName
    stdout
  • HKLM\SOFTWARE\KHATRA\Startup_List
    VMware User Process
    C:\Program Files\VMware\VMware Tools\VMwareUser.exe
  • HKCR\AOSMTP.FastSender\CLSID
    (Default)
    {69620165-77DD-44EE-995C-3632E525A22B}
  • HKCR\Interface\{6D2C09C4-EC95-4251-81FD-1CD01FD8AE44}
    (Default)
    IMail
  • HKCR\CLSID\{F8D07B72-B4B4-46A0-ACC0-C771D4614B82}\TypeLib
    (Default)
    {FF14B02B-6EE4-400F-A729-B0EA35F921C2}
  • HKCR\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}
    (Default)
    IFastSender
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    0x00000001
  • HKCR\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0
    (Default)
    AOSMTP COMPONENT BUILD V8.0
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Window Title
    Internet Exploiter
  • HKCR\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\FLAGS
    (Default)
    0
  • HKCR\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}
    (Default)
    _IFastSenderEvents
  • HKCR\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\VersionIndependentProgID
    (Default)
    AOSMTP.FastSender
  • HKCR\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\TypeLib
    Version
    1.0
  • HKCU\Software\Nico Mak Computing\WinZip\caution
    NoUnsafeTypeCautionForSCR
    1
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Xplorer
    "C:\WINDOWS\Xplorer.exe" /Windows
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
    BitNames
    NAP_TRACE_BASE NAP_TRACE_NETSH
  • HKCR\Interface\{D622E87A-35F9-4FB2-AFEE-4F5BF8407C7A}\TypeLib
    (Default)
    {FF14B02B-6EE4-400F-A729-B0EA35F921C2}
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Taskman
    C:\WINDOWS\system32\KHATRA.exe
  • HKCR\Interface\{1ECC44FB-970D-4BC8-90E3-002DA4DD21B8}\ProxyStubClsid32
    (Default)
    {00020420-0000-0000-C000-000000000046}
  • HKCR\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\0\win32
    (Default)
    C:\WINDOWS\system32\avphost.dll
  • HKCR\CLSID\{69620165-77DD-44EE-995C-3632E525A22B}\ProgID
    (Default)
    AOSMTP.FastSender.1
  • HKCR\Interface\{63BD4EE4-660B-434D-A54B-7C1F53E2FEDD}\ProxyStubClsid32
    (Default)
    {00020424-0000-0000-C000-000000000046}
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
    MaxFileSize
    0x00100000
  • HKCR\TypeLib\{FF14B02B-6EE4-400F-A729-B0EA35F921C2}\1.0\HELPDIR
    (Default)
    C:\WINDOWS\system32\
  • HKCR\AOSMTP.Mail.1\CLSID
    (Default)
    {F8D07B72-B4B4-46A0-ACC0-C771D4614B82}
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\TermService
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStorage
    Start
    0x00000004
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load
    C:\WINDOWS\system32\KHATRA.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\upnphost
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun
    0x000000ff
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware User Process
    C:\WINDOWS\Xplorer.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvc
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\srservice
    Start
    0x00000002
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start
    0x00000004
Processes Created
  • c:\windows\system32\at.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\khatra.exe
  • c:\windows\system32\makecab.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system\ghost.exe
  • c:\windows\xplorer.exe

Example 3

Other vendor detection

Avira
TR/Autoit.mjc
Kaspersky
Trojan-Dropper.Win32.Autoit.k
Trend
WORM_UTOTI.AU

Runtime Analysis

Copies Itself To
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\KHATRA.exe
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\New Folder(3).exe
  • C:\Documents and Settings\support\Local Settings\Application Data\Microsoft\CD Burning\support.exe
  • C:\KHATRA.exe
  • C:\WINDOWS\KHATARNAKH.exe
  • C:\WINDOWS\Xplorer.exe
  • C:\WINDOWS\system32\KHATRA.exe
  • C:\WINDOWS\system\gHost.exe
  • F:/KHATRA.exe
  • F:/New Folder(3).exe
  • F:/support.exe
Dropped Files
  • C:\WINDOWS\mario675.cab
  • C:\WINDOWS\kavSetupEng3857.cab
  • C:\WINDOWS\New WinZip File.cab
  • C:\WINDOWS\Youtube.cab
  • C:\WINDOWS\K.Backup\C_Drive_Documents and Settings_All Users_Start Menu_Programs_Startup_desktop.ini.FUCKED
  • C:\WINDOWS\inf\Autoplay.inF
  • C:\WINDOWS\new-screamsaver.com.cab
  • F:/AUTORUN.inF
  • C:\WINDOWS\fh_antivirussetup6534.cab
  • C:\WINDOWS\K.Backup\C_Drive_Documents and Settings_support_Start Menu_Programs_Startup_desktop.ini.FUCKED
  • C:\WINDOWS\New WinRAR archive.cab
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK
Registry Keys Created
  • HKCU\Software\Nico Mak Computing\WinZip\caution
    NoUnsafeTypeCautionForEXE
    1
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Window Title
    Internet Exploiter
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoControlPanel
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Xplorer
    "C:\WINDOWS\Xplorer.exe" /Windows
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours
    0x00000000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    G_Host
    "C:\WINDOWS\System\gHost.exe" /Reproduce
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
    BitNames
    Error Unusual Info Debug
  • HKLM\SOFTWARE\KHATRA\Startup_List
    sfw_start
    sc start "Sophos Client Firewall"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
    FileTracingMask
    0xffff0000
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Taskman
    C:\WINDOWS\system32\KHATRA.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
    ControlFlags
    0x00000001
Registry Keys Modified
  • HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start
    0x00000004
  • HKLM\SYSTEM\CurrentControlSet\Services\TermService
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun
    0x000000ff
  • HKLM\SYSTEM\CurrentControlSet\Services\Schedule
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\RDSessMgr
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0x00000000
  • HKLM\SYSTEM\CurrentControlSet\Services\mnmsrvc
    Start
    0x00000002
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load
    C:\WINDOWS\system32\KHATRA.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\upnphost
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\srservice
    Start
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Services\ProtectedStorage
    Start
    0x00000004
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSPY2002
    C:\WINDOWS\Xplorer.exe
  • HKLM\SYSTEM\CurrentControlSet\Services\NtmsSvc
    Start
    0x00000002
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue
    0x00000000
Processes Created
  • c:\windows\system32\at.exe
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\khatra.exe
  • c:\windows\system32\makecab.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\regsvr32.exe
  • c:\windows\system\ghost.exe
  • c:\windows\xplorer.exe