How to Prevent and Remove the Worm.Win32.AutoIt.ux


 

1. What is the Worm.Win32.AutoIt.ux

Worm.Win32.AutoIt.ux is a nasty worm that spreads across networks and targets computers at random. It is so small that the initial infection is unlikely to be noticed; its presence becomes obvious only once it starts working. Worms of this kind change the settings of the infiltrated system so that the computer misbehaves, and Worm.Win32.AutoIt.ux can also disable recently used programs or remove them outright. Its most dangerous feature, however, is that it downloads other viruses, adware or malware, which are installed without your consent and can seriously damage the host computer within minutes. Because the worm can also overwrite or alter various files, it needs no special capabilities to leave your PC burdened with a large number of infections and errors. For these reasons, Worm.Win32.AutoIt.ux and everything connected with it must be removed completely and at once, without second thoughts about whether you need any of it.

Alias: Malware.Imaut.C!rem [PCTools], W32.Imaut.CN [Symantec], Worm.Autoit [Ikarus]; packed with UPX [Kaspersky Lab]

 

2. Technical Details:

 

a. The following files were created in the system:

 

No.  Filename                              Size
1    %System%\autorun.ini                  924 bytes
2    [file and pathname of the sample #1]  93,696 bytes
     %System%\winfiles.exe
     %Windir%\winfiles.exe
3    %Windir%\Tasks\At1.job                107,008 bytes
4    %Windir%\winnt.exe                    117,248 bytes
  • Notes:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

b. Memory Modifications

  • There were new memory pages created in the address space of the system process(es):

    Process Name                 Process Filename                      Main Module Size
    [filename of the sample #1]  [file and pathname of the sample #1]  733,184 bytes
    winfiles.exe                 %System%\winfiles.exe                 733,184 bytes
    winfiles.exe                 %Windir%\winfiles.exe                 733,184 bytes

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
      • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
        • UACDisableNotify = 0x00000000
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
        • EnableLUA = 0x00000000
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
        • LimitSystemRestoreCheckpointing = 0x00000001
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
        • DisableSR = 0x00000001

        to disable the System Restore tools on the Start menu
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
        • DisableTaskMgr = 0x00000001
        • DisableRegistryTools = 0x00000001

        to prevent users from starting Task Manager (Taskmgr.exe)
        to disable the Windows registry editors (Regedt32.exe and Regedit.exe)
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        • Yahoo Messengger = "%System%\winfiles.exe"

        so that winfiles.exe runs every time Windows starts
    • The following Registry Values were modified:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
        • CheckedValue =
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
        • Shell =
      • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
        • NoDriveTypeAutoRun =

    d. Other details

    • There were registered attempts to establish connections with remote hosts. The connection details are:

      Remote Host     Port Number
      66.45.237.212   80
      69.10.48.106    80
    • The data identified by the following URLs was then requested from the remote web server:
      • http://nhatquanglane3.t35.com/setting.nql
      • http://nhatquanglane3.t35.com/setting.xls
      • http://nhatquanglane4.t35.com/setting.nql
      • http://nhatquanglane4.t35.com/setting.xls

     

    3. How-to's

    a. How to prevent Worm.Win32.AutoIt.ux?

    Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of this worm, it will break the connection and ensure your network and business security.

    b. How to Remove the Worm.Win32.AutoIt.ux Manually?

    Step 1: Use Windows Task Manager to Remove Worm.Win32.AutoIt.ux Processes

    [file and pathname of the sample #1]
    %System%\winfiles.exe
    %Windir%\winfiles.exe

    Step 2: Use Registry Editor to Remove Worm.Win32.AutoIt.ux Registry Values

    Note: the worm sets DisableRegistryTools, so Regedit may refuse to open until that value has been cleared (for example with reg.exe from a command prompt).

    The following Registry Keys were created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    The newly created Registry Values are:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    UACDisableNotify = 0x00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    EnableLUA = 0x00000000
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
    LimitSystemRestoreCheckpointing = 0x00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
    DisableSR = 0x00000001
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableTaskMgr = 0x00000001
    DisableRegistryTools = 0x00000001
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Yahoo Messengger = "%System%\winfiles.exe"

    The following Registry Values were modified:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    CheckedValue =
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Shell =
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    NoDriveTypeAutoRun =

    Step 3: Detect and Delete Other Worm.Win32.AutoIt.ux Files

    %System%\autorun.ini
    [file and pathname of the sample #1]
    %System%\winfiles.exe
    %Windir%\winfiles.exe
    %Windir%\Tasks\At1.job
    %Windir%\winnt.exe
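    As an added example (not code from the original page or from Ax3soft), the following PowerShell script audits a host for the process, registry values and files named in Steps 1 to 3 and in the Technical Details above; with -Remediate it stops the process, removes the values the worm created, restores EnableLUA and deletes the dropped files. It assumes an elevated Windows PowerShell session, checks HKCU only for the user running it, and leaves the three "modified" values (whose new contents the report does not record) for manual review.

```powershell
# Added example (not the page's or Ax3soft's code): audit a Windows host for the
# Worm.Win32.AutoIt.ux indicators above. Read-only unless -Remediate is given; -WhatIf previews changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)
$sys  = [Environment]::SystemDirectory   # %System%
$win  = $env:SystemRoot                  # %Windir%
$hits = @()
# Step 1: the worm's process. Stop it first so it cannot re-create its registry entries.
$proc = Get-Process -Name 'winfiles' -ErrorAction SilentlyContinue
if ($proc) {
    $hits += "process running: winfiles.exe (PID $($proc.Id -join ','))"
    if ($Remediate -and $PSCmdlet.ShouldProcess('winfiles.exe', 'Stop process')) { $proc | Stop-Process -Force }
}
# Step 2: values the worm creates. Their default state is "absent", so removing them restores it.
$created = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';             Name = 'LimitSystemRestoreCheckpointing' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';             Name = 'Yahoo Messengger' }
)
foreach ($r in $created) {
    $item = Get-ItemProperty -LiteralPath $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $hits += "registry value present: $($r.Path)\$($r.Name) = $($item.($r.Name))"
    if ($Remediate -and $PSCmdlet.ShouldProcess("$($r.Path)\$($r.Name)", 'Remove value')) {
        Remove-ItemProperty -LiteralPath $r.Path -Name $r.Name
    }
}
# EnableLUA = 0 turns UAC off; the stock value on Vista and later is 1 (absent on XP).
$luaKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-ItemProperty -LiteralPath $luaKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA -eq 0) {
    $hits += 'EnableLUA = 0 (UAC disabled)'
    if ($Remediate -and $PSCmdlet.ShouldProcess($luaKey, 'Set EnableLUA = 1')) {
        Set-ItemProperty -LiteralPath $luaKey -Name EnableLUA -Value 1 -Type DWord
    }
}
# The report says Winlogon\Shell was modified but not to what; the stock shell is explorer.exe.
$shell = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $hits += "Winlogon Shell = '$shell' (expected explorer.exe); review by hand" }
# Step 3: dropped files at the paths listed in the report.
foreach ($f in "$sys\autorun.ini", "$sys\winfiles.exe", "$win\winfiles.exe", "$win\Tasks\At1.job", "$win\winnt.exe") {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $hits += "file present: $f"
    if ($Remediate -and $PSCmdlet.ShouldProcess($f, 'Delete file')) { Remove-Item -LiteralPath $f -Force }
}
if ($hits.Count -eq 0) { 'No Worm.Win32.AutoIt.ux indicators found.' } else { $hits | ForEach-Object { "FOUND: $_" } }
```

    Run it once without -Remediate to see what it finds, then with -Remediate -WhatIf to preview the changes before applying them.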

    c. How to Remove Worm.Win32.AutoIt.ux Instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

     

    4. Appendix

    For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
