Estudado por SentiniX
O worm AutoIt foi encontrado no computador de uma cliente deixa o processo malicioso csrcs.exe sendo executado, em determinados tempos baixa atualizações dele mesmo para o sistema, modificando arquivos da pasta system32 no arquivo DefaultBox worm AutoIt.zip contem informações e os arquivos que ele altera num sistema afetado, o arquivo logs worm AutoIt.pcap se encontra os logs do wireshark usado para monitorar os passos do worm na rede, e o arquivo virus.zip é o arquivo que é usado para infectar o sistema.
todas as senhas para descompactar o worm são: virus
Tome Muito Cuidado!
link para download:
Analise VirusTotal:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2010.10.17.00 | 2010.10.16 | Worm/Win32.AutoIt |
| AntiVir | 7.10.12.230 | 2010.10.16 | Worm/AutoIt.566444 |
| Antiy-AVL | 2.0.3.7 | 2010.10.16 | – |
| Authentium | 5.2.0.5 | 2010.10.16 | W32/AutoIt.M.gen!Eldorado |
| Avast | 4.8.1351.0 | 2010.10.16 | AutoIt:Balero-C |
| Avast5 | 5.0.594.0 | 2010.10.16 | AutoIt:Balero-C |
| AVG | 9.0.0.851 | 2010.10.16 | Packed.AutoIt |
| BitDefender | 7.2 | 2010.10.17 | Trojan.Generic.4561030 |
| CAT-QuickHeal | 11.00 | 2010.10.15 | Trojan.AutoIt.gen |
| ClamAV | 0.96.2.0-git | 2010.10.15 | Trojan.Autoit-77 |
| Comodo | 6409 | 2010.10.16 | TrojWare.Win32.Autoit.~d01 |
| DrWeb | 5.0.2.03300 | 2010.10.17 | Win32.HLLW.Autoruner.based |
| Emsisoft | 5.0.0.50 | 2010.10.16 | Worm.Win32.AutoIt!IK |
| eSafe | 7.0.17.0 | 2010.10.14 | – |
| eTrust-Vet | None | 2010.10.15 | Win32/ASuspect.HAEGR |
| F-Prot | 4.6.2.117 | 2010.10.16 | W32/AutoIt.M.gen!Eldorado |
| F-Secure | 9.0.16160.0 | 2010.10.16 | Trojan.Generic.4561030 |
| Fortinet | 4.2.249.0 | 2010.10.16 | – |
| GData | 21 | 2010.10.17 | Trojan.Generic.4561030 |
| Ikarus | T3.1.1.90.0 | 2010.10.16 | Worm.Win32.AutoIt |
| Jiangmin | 13.0.900 | 2010.10.16 | Worm/AutoIt.oif |
| K7AntiVirus | 9.66.2760 | 2010.10.15 | Riskware |
| Kaspersky | 7.0.0.125 | 2010.10.17 | Worm.Win32.AutoIt.wy |
| McAfee | 5.400.0.1158 | 2010.10.17 | W32/Autorun.worm.zf.gen |
| McAfee-GW-Edition | 2010.1C | 2010.10.16 | W32/Autorun.worm.zf.gen |
| Microsoft | 1.6201 | 2010.10.16 | Worm:Win32/Autorun.XK |
| NOD32 | 5538 | 2010.10.17 | Win32/Packed.Autoit.B.Gen |
| Norman | 6.06.07 | 2010.10.16 | AutoRun.BKFV |
| nProtect | 2010-10-16.01 | 2010.10.16 | Trojan.Generic.4561030 |
| Panda | 10.0.2.7 | 2010.10.16 | Trj/Autoit.gen |
| PCTools | 7.0.3.5 | 2010.10.17 | Malware.Harakit!rem |
| Prevx | 3.0 | 2010.10.17 | – |
| Rising | 22.69.04.03 | 2010.10.15 | – |
| Sophos | 4.58.0 | 2010.10.17 | Sus/Tiotua-A |
| Sunbelt | 7075 | 2010.10.16 | Trojan.Win32.Generic!SB.0 |
| SUPERAntiSpyware | 4.40.0.1006 | 2010.10.16 | – |
| Symantec | 20101.2.0.161 | 2010.10.16 | W32.Harakit |
| TheHacker | 6.7.0.1.058 | 2010.10.16 | – |
| TrendMicro | 9.120.0.1004 | 2010.10.16 | TROJ_GEN.R4BC2HD |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.10.17 | TROJ_GEN.R4BC2HD |
| VBA32 | 3.12.14.1 | 2010.10.15 | Trojan.Autoit.F |
| ViRobot | 2010.9.25.4060 | 2010.10.16 | Worm.Win32.S.AutoIt.566444 |
| VirusBuster | 12.69.2.0 | 2010.10.16 | Worm.Autoit.Gen |
|
Additional information
|
|---|
| MD5 : 61ff362888f6ede74bd8d96b599cb681 |
| SHA1 : b40d03cd0c4fbdbcf84eaab665bfaa2361586cd0 |
| SHA256: f9c3406e2756e25dfca83c761d38d8e33ecccc224139e230505ebdacccda7ed2 |
| ssdeep: 12288:+nNhuBoY8SorxgmA+nlvVlAOllllSllllpM3Jd5xu2tHwZFsG2bWWQDhnmbkLls:+PatC g7EPrllllSllllpmtHwLstbWWQM |
| File size : 566444 bytes |
| First seen: 2010-08-19 09:58:50 |
| Last seen : 2010-10-16 23:23:54 |
| Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| TrID: UPX compressed Win32 Executable (43.8%) Win32 EXE Yoda’s Crypter (38.1%) Win32 Executable Generic (12.2%) Generic Win/DOS Executable (2.8%) DOS Executable Generic (2.8%) |
| sigcheck: publisher….: n/a copyright….: GjC)X_jLM2c product……: n/a description..: n/a original name: n/a internal name: n/a file version.: 99.8.1.0 comments…..: T__ signers……: – signing date.: – verified…..: Unsigned |
| PEiD: – |
| packers (Authentium): UPX |
| packers (F-Prot): UPX |
| packers (Kaspersky): UPX |
| PEInfo: PE structure information[[ basic data ]] entrypointaddress: 0xAFCC0 timedatestamp….: 0x4850E379 (Thu Jun 12 08:51:05 2008) machinetype……: 0x14C (Intel I386) [[ 3 section(s) ]] [[ 13 import(s) ]] |
| ExifTool: file metadata CharacterSet: Unicode CodeSize: 229376 Comments: T+< EntryPoint: 0xafcc0 FileFlagsMask: 0x0000 FileOS: Win32 FileSize: 553 kB FileSubtype: 0 FileType: Win32 EXE FileVersion: 99.8.1.0 FileVersionNumber: 99.8.1.0 ImageVersion: 0.0 InitializedDataSize: 122880 LanguageCode: Arabic LegalCopyright: GjC)X>jLM2c LinkerVersion: 8.0 MIMEType: application/octet-stream MachineType: Intel 386 or later, and compatibles OSVersion: 4.0 ObjectFileType: Unknown PEType: PE32 ProductVersionNumber: 971.208.784.213 Subsystem: Windows GUI SubsystemVersion: 4.0 TimeStamp: 2008:06:12 10:51:05+02:00 UninitializedDataSize: 487424 |
Projeto CharruaSecurity 