Studied by SentiniX
The AutoIt worm was found on a client's computer. It leaves the malicious process csrcs.exe running, at certain intervals downloads updates of itself to the system, and modifies files in the system32 folder. The file DefaultBox worm AutoIt.zip contains information and the files it alters on an infected system; the file logs worm AutoIt.pcap holds the Wireshark capture used to monitor the worm's steps on the network; and the file virus.zip is the file used to infect the system.
All passwords to unpack the worm are: virus
Be very careful!
Download link:
VirusTotal analysis:
Antivirus | Version | Last Update | Result |
---|---|---|---|
AhnLab-V3 | 2010.10.17.00 | 2010.10.16 | Worm/Win32.AutoIt |
AntiVir | 7.10.12.230 | 2010.10.16 | Worm/AutoIt.566444 |
Antiy-AVL | 2.0.3.7 | 2010.10.16 | – |
Authentium | 5.2.0.5 | 2010.10.16 | W32/AutoIt.M.gen!Eldorado |
Avast | 4.8.1351.0 | 2010.10.16 | AutoIt:Balero-C |
Avast5 | 5.0.594.0 | 2010.10.16 | AutoIt:Balero-C |
AVG | 9.0.0.851 | 2010.10.16 | Packed.AutoIt |
BitDefender | 7.2 | 2010.10.17 | Trojan.Generic.4561030 |
CAT-QuickHeal | 11.00 | 2010.10.15 | Trojan.AutoIt.gen |
ClamAV | 0.96.2.0-git | 2010.10.15 | Trojan.Autoit-77 |
Comodo | 6409 | 2010.10.16 | TrojWare.Win32.Autoit.~d01 |
DrWeb | 5.0.2.03300 | 2010.10.17 | Win32.HLLW.Autoruner.based |
Emsisoft | 5.0.0.50 | 2010.10.16 | Worm.Win32.AutoIt!IK |
eSafe | 7.0.17.0 | 2010.10.14 | – |
eTrust-Vet | None | 2010.10.15 | Win32/ASuspect.HAEGR |
F-Prot | 4.6.2.117 | 2010.10.16 | W32/AutoIt.M.gen!Eldorado |
F-Secure | 9.0.16160.0 | 2010.10.16 | Trojan.Generic.4561030 |
Fortinet | 4.2.249.0 | 2010.10.16 | – |
GData | 21 | 2010.10.17 | Trojan.Generic.4561030 |
Ikarus | T3.1.1.90.0 | 2010.10.16 | Worm.Win32.AutoIt |
Jiangmin | 13.0.900 | 2010.10.16 | Worm/AutoIt.oif |
K7AntiVirus | 9.66.2760 | 2010.10.15 | Riskware |
Kaspersky | 7.0.0.125 | 2010.10.17 | Worm.Win32.AutoIt.wy |
McAfee | 5.400.0.1158 | 2010.10.17 | W32/Autorun.worm.zf.gen |
McAfee-GW-Edition | 2010.1C | 2010.10.16 | W32/Autorun.worm.zf.gen |
Microsoft | 1.6201 | 2010.10.16 | Worm:Win32/Autorun.XK |
NOD32 | 5538 | 2010.10.17 | Win32/Packed.Autoit.B.Gen |
Norman | 6.06.07 | 2010.10.16 | AutoRun.BKFV |
nProtect | 2010-10-16.01 | 2010.10.16 | Trojan.Generic.4561030 |
Panda | 10.0.2.7 | 2010.10.16 | Trj/Autoit.gen |
PCTools | 7.0.3.5 | 2010.10.17 | Malware.Harakit!rem |
Prevx | 3.0 | 2010.10.17 | – |
Rising | 22.69.04.03 | 2010.10.15 | – |
Sophos | 4.58.0 | 2010.10.17 | Sus/Tiotua-A |
Sunbelt | 7075 | 2010.10.16 | Trojan.Win32.Generic!SB.0 |
SUPERAntiSpyware | 4.40.0.1006 | 2010.10.16 | – |
Symantec | 20101.2.0.161 | 2010.10.16 | W32.Harakit |
TheHacker | 6.7.0.1.058 | 2010.10.16 | – |
TrendMicro | 9.120.0.1004 | 2010.10.16 | TROJ_GEN.R4BC2HD |
TrendMicro-HouseCall | 9.120.0.1004 | 2010.10.17 | TROJ_GEN.R4BC2HD |
VBA32 | 3.12.14.1 | 2010.10.15 | Trojan.Autoit.F |
ViRobot | 2010.9.25.4060 | 2010.10.16 | Worm.Win32.S.AutoIt.566444 |
VirusBuster | 12.69.2.0 | 2010.10.16 | Worm.Autoit.Gen |
Additional information
Field | Value |
---|---|
MD5 | 61ff362888f6ede74bd8d96b599cb681 |
SHA1 | b40d03cd0c4fbdbcf84eaab665bfaa2361586cd0 |
SHA256 | f9c3406e2756e25dfca83c761d38d8e33ecccc224139e230505ebdacccda7ed2 |
ssdeep | 12288:+nNhuBoY8SorxgmA+nlvVlAOllllSllllpM3Jd5xu2tHwZFsG2bWWQDhnmbkLls:+PatC g7EPrllllSllllpmtHwLstbWWQM |
File size | 566444 bytes |
First seen | 2010-08-19 09:58:50 |
Last seen | 2010-10-16 23:23:54 |
Magic | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
TrID | UPX compressed Win32 Executable (43.8%); Win32 EXE Yoda's Crypter (38.1%); Win32 Executable Generic (12.2%); Generic Win/DOS Executable (2.8%); DOS Executable Generic (2.8%) |
sigcheck | publisher: n/a; copyright: GjC)X_jLM2c; product: n/a; description: n/a; original name: n/a; internal name: n/a; file version: 99.8.1.0; comments: T__; signers: –; signing date: –; verified: Unsigned |
PEiD | – |
packers (Authentium) | UPX |
packers (F-Prot) | UPX |
packers (Kaspersky) | UPX |
PEInfo | entry point address: 0xAFCC0; timedatestamp: 0x4850E379 (Thu Jun 12 08:51:05 2008); machine type: 0x14C (Intel I386); 3 section(s); 13 import(s) |
ExifTool | CharacterSet: Unicode; CodeSize: 229376; Comments: T+<; EntryPoint: 0xafcc0; FileFlagsMask: 0x0000; FileOS: Win32; FileSize: 553 kB; FileSubtype: 0; FileType: Win32 EXE; FileVersion: 99.8.1.0; FileVersionNumber: 99.8.1.0; ImageVersion: 0.0; InitializedDataSize: 122880; LanguageCode: Arabic; LegalCopyright: GjC)X>jLM2c; LinkerVersion: 8.0; MIMEType: application/octet-stream; MachineType: Intel 386 or later, and compatibles; OSVersion: 4.0; ObjectFileType: Unknown; PEType: PE32; ProductVersionNumber: 971.208.784.213; Subsystem: Windows GUI; SubsystemVersion: 4.0; TimeStamp: 2008:06:12 10:51:05+02:00; UninitializedDataSize: 487424 |