Polymorphic AutoRun Worm Evolves and Obfuscates

Recently we have seen a spike in a Visual Basic 6-compiled AutoRun worm family. The family is both client- and server-side polymorphic. (For more on this family, refer to our VIL and Advisory entries.)

The W32/Autorun.worm.aaeh family usually gets on a victim’s machine through email spam, Blacole drive-by downloads, or downloads by BackDoor-FJW. From a behavioral perspective, it looks like any other thumb-drive infecting worm. It adds an autorun.inf file on all removable drives and network shares, has an icon resembling a folder icon to trick people into double-clicking it, and infects ZIP and RAR archives. What separates this worm from the rest, however, is the level of obfuscation and polymorphism that it employs.

This family is known to package itself with open-source VB6 projects taken from repositories on the web as an obfuscation mechanism. It appears that the author achieves this by downloading an existing VB6 project with GUI components (forms, user-defined controls, etc.), including the malicious code inside the project and switching the Startup Object as “Sub Main” so that only the malware gets control–instead of the original project’s event handlers. This is possibly an attempt to pose as legitimate software. However, the compiled binaries typically never contain clearly visible strings required by the malware, and are instead encrypted with the RC4 algorithm using a randomly generated encryption key. The files may also be either p-code compiled or native VB6 compiled. The code is obfuscated and they developers appear to have used an automated code scrambler for the binary generation. The generated code uses junk API calls and string functions to further complicate any analysis (described below).

Internals

This threat has been around for more than a year and has evolved. I should note that the earliest samples from this family weren’t nearly as complex as they are today. Some of the oldest samples didn’t encrypt all the strings (MD5:A858514E09637B9B84FD207CED38657B), but the authors have evolved their software (MD5:65CCF15E6224444AAC1141BA210A35C2) by encrypting everything important with a single round of RC4 encryption. Some new variants use an additional round of RC4 (MD5:DCEF805C893A0515C7A0BA117F13CDC3).

When this family first executes, it performs the following operations:
(Boldface items apply only to the new variants that use two rounds of RC4.)

  • Checks if only one instance of the application is running, else quits
  • Opens itself with File Read permission
  • Searches for its encrypted data, which later decrypts to its strings. It needs to obtain a key for decryption. The key is built from two subkeys.
  • Key1 is obtained from the application title
  • Key2 is a hardcoded ASCII byte key
  • Performs RC4 decryption over encrypted data using key2 (Layer 1 Decryption)
  • Performs RC4 decryption over encrypted data using using key1 (Layer 2 Decryption)
  • Splits strings based on vbCrLf as decrypted strings appear as one large string delimited by vbCrLf
  • Performs malicious activity and refers to decrypted strings for API functions, DLLs, filenames, URLs, and other information.

Aside from having the code compiled in native mode and p-code to generate separate binaries that display identical behavior, the author uses various techniques.

Unnecessary Strings

The following image shows strings in clear text that have no relevance to the malware.

image

 

Random VB6 Library Function Calls

The next image shows various VB6 function calls that have no relevance to the malware.

image

Polymorphism

Besides using the usual tricks, such as register swaps and code merging, this family is capable of using different sets of instructions to implement the same feature. For example, some samples may use polymorphic code for performing RC4, as shown below:

image

The same routine also appears in other samples using floating-point instructions:

image

Next we see a dump of the decrypted strings:

advapi32
CloseHandle
connect
CreateToolhelp32Snapshot
GetDiskFreeSpaceExW
GetDriveTypeW
GetFileAttributesW
GetLogicalDrives
GetLogicalDriveStringsW
CreateMutexW
GetModuleHandleW
GetUserNameW
ExitProcess
htons
InternetCloseHandle
InternetOpenUrlW
InternetOpenW
InternetReadFile
kernel32
OpenProcess
Process32First
recv
shell32
ShellExecuteW
SHGetSpecialFolderPathW
Sleep
socket
TerminateProcess
user32
wininet
WriteProcessMemory
WSAStartup
ws2_32
RegCreateKeyExW
RegSetValueExW
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden
autorun.inf
.exe
:.dl
&h
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
[autorun]
action=
open=
useautoplay=1
view files
abcedfghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
aeiou
bcdfghjklmnpqrstvwxyz
ico
task
proc
x.mpeg
Secret
Sexy
Porn
Passwords
BeginUpdateResourceW
UpdateResourceW
EndUpdateResourceW
.scr
CsrGetProcessId
TerminateThread
SetWindowLongW
CallWindowProcW
OpenMutexW
Process32Next
ntdll
NtTerminateProcess
gethostbyname
SetFileAttributesW
DeleteFileW
CopyFileW
SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
cmd /c tasklist&&del
mp3,avi,wma,wmv,wav,mpg,mp4,doc,txt,pdf,xls,jpg,jpe,bmp,gif,tif,png
RECYCLER
SetTimer
GetProcAddress
RtlMoveMemory
RegOpenKeyW
RegDeleteValueW
RegisterClassW
CreateWindowExW
DefWindowProcW
GetMessageW
WaitMessage
ShowWindow
ReleaseMutex
NoAutoUpdate
GetForegroundWindow
GetWindowTextW
Software\Microsoft\Windows NT\CurrentVersion\Windows
.com
.net
.org
.biz
.info
config
registry
Load
Run
=
:
.
\
exe
[
]
/
.at
.eu
.by
oq2*mckxjbnof}
runme
8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3
<PATCH1>
<PATCH2>
FindFirstFileW
FindNextFileW
FindClose
GetShortPathNameW
zip
rar
*
\WinRAR\Rar.exe
a -y -ep -IBCK
1
2
4
14
63
32768
32772
2035711
67108864
-4
-2147483646
-2147483647
sbiedll
dbghelp
snxhk
SYSTEM\ControlSet001\Services\Disk\Enum
*VIRTUAL*
*VMWARE*
*VBOX*
*QEMU*
RegQueryValueExW
xxx

From the strings we can see that this threat is VM-aware and capable of infecting RAR and ZIP files. The numbers (1, 2, 3, 14, 63) are used to randomly generate domain names based on table lookups, etc.

The worm can download other prevalent families, such as ZBot, and it’s clear that the payload families use the worm’s spreading mechanism as a propagation vector.

What Can You Do?

This family hasn’t shown signs of fading away (more than a million files on VirusTotal belong to this family), but with a few simple steps, you can avoid getting infected by this annoying worm.

  • Don’t click links in spam emails that promise free stuff or suggest new ways to make a quick buck. Don’t execute software that arrives via spam.
  • Disable the AutoRun feature on Windows
  • Refrain from opening files named “secret,” “sexy,” “porn,” or “passwords” from unknown sources
  • Don’t open any executable file with a shady application name (visible through a tool tip when you hover your mouse near a file or by right-clicking the file and selecting properties)
  • Don’t open any executable file that looks like a folder icon with blurred edges
  • Read our Threat Advisory for more information

McAfee products detect this family as W32/Autorun.worm.aaeh and W32/Autorun.worm.aaeh!gen.

Don’t forget to sign up for our Notification Services, which are available via email or apps on your mobile device.