
Trojan.Win32.Autoit.ci

Detected May 03 2008 12:22 GMT
Released May 26 2008 08:13 GMT
Published Oct 06 2009 15:47 GMT


Technical Details

This Trojan installs other programs on the victim machine without the user's knowledge or consent. It is a compiled AutoIt script, 617 473 bytes in size, packed using ASPack. The unpacked file is approximately 678 KB in size.

Installation

Once launched, the Trojan copies its body to the following files:

%System%\regsvr.exe (the file is created with the "hidden" attribute)
%System%\svchost.exe (the file is created with the "hidden" attribute)
%WinDir%\regsvr.exe
In order to ensure that it is launched automatically each time the system is rebooted, the Trojan adds links to its copies to the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger" = "%System%\regsvr.exe"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "... regsvr.exe"
Because the "Shell" value is read by the process "winlogon.exe", the Trojan's copy is launched by "winlogon.exe" even when Windows boots in safe mode.


Payload

Once launched, the Trojan performs the following actions:

  • It attempts to connect to the following HTTP servers:
    87.***.14
    69.***.224
    
  • It creates the directory:
    %System%\<rnd>
    where <rnd> is a random five-digit decimal number.
  • It extracts a file from its body and saves it in the system as:
    %System%\<rnd>\svchost.exe
    (525 312 bytes; detected by Kaspersky Anti-Virus as "not-a-virus:Monitor.Win32.Ardamax.ae")
  • It launches the extracted file for execution.
  • It modifies the values of the following system registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NofolderOptions" = 0
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = 0
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools" = 1
    
    The modification of the last key disables the registry editor.
  • It creates the file:
    %System%\setup.ini (96 bytes)
    with the following content:
    [Autorun]
    Open=regsvr.exe
    Shellexecute=regsvr.exe
    Shell\Open\command=regsvr.exe
    Shell=Open
    
  • It launches the system command interpreter "cmd.exe" with the following parameters:
    /C AT /delete /yes
    This cancels all scheduled tasks in Windows Task Scheduler.
    /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %System%\svchost.exe
    Every day at 9:00, Windows Task Scheduler will launch a copy of the Trojan.


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Msn Messsenger" = "%System%\regsvr.exe"
    
  4. Delete the following file:
    %System%\setup.ini
  5. Restore the original system registry key values (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "... regsvr.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NofolderOptions" = 0
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = 0
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools" = 1
    
  6. Launch the system command interpreter "cmd.exe" with the following parameters:
    /C AT /delete /yes
  7. Reboot the computer.
  8. Delete the following files:
    %System%\regsvr.exe
    %System%\svchost.exe
    %WinDir%\regsvr.exe
    %System%\<rnd>\svchost.exe
    
  9. Delete the folder created by the Trojan:
    %System%\<rnd>
  10. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
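As an added example (not part of Kaspersky's description), a Python check that parses a `reg export` dump and flags the three registry changes described under Installation and Payload: the "Msn Messsenger" Run entry, a Winlogon "Shell" value other than Explorer.exe, and "DisableRegistryTools" set to 1. The same check, run on a fresh export after steps 3 and 5 above, confirms the keys are back to their normal state. The dump text below is constructed; the key paths and value names are the ones in the description.

```python
from typing import Dict, List

# Constructed sample: a `reg export` fragment in the post-infection state the
# description gives (hypothetical dump, not a real capture).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger"="C:\\WINDOWS\\system32\\regsvr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe regsvr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000001
"""
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and "name"=value lines of a .reg export; keys and names lowercased."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')  # split at the name's closing quote
            keys[current][name.lower()] = value.strip('"')
    return keys

def dword(value: str) -> int:
    """Decode a .reg 'dword:0000000x' literal; any non-dword value decodes as 0."""
    return int(value.split(":", 1)[1], 16) if value.lower().startswith("dword:") else 0

def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the persistence and tamper indicators from the description that are present."""
    hits: List[str] = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if "regsvr.exe" in value.lower():             # Run entry pointing at the dropped copy
            hits.append(f"Run value '{name}' launches {value}")
    shell = keys.get(WINLOGON_KEY, {}).get("shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":       # Shell should be Explorer.exe and nothing else
        hits.append(f"Winlogon Shell tampered: '{shell}'")
    if dword(keys.get(POLICY_KEY, {}).get("disableregistrytools", "")) == 1:
        hits.append("DisableRegistryTools=1: registry editor blocked")
    return hits
```

On a real machine, export the three keys with `reg export` and pass the file contents (opened with `encoding="utf-16"`, which is how reg.exe writes them) to `parse_reg_export`; an empty list from `find_indicators` means the keys are back to normal.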


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.



Aliases

Trojan.Win32.Autoit.ci (Kaspersky Lab) is also known as:

  • Mal/Sohana-A (Sophos)
  • Trojan.Siggen-7 (ClamAV)
  • W32/Sohanat.IZ (Panda)
  • W32/Trojan2.DFYJ (FPROT)
  • Worm:Win32/Nuqel.Z (MS(OneCare))
  • Win32.HLLW.Autoruner.48489 (DrWeb)
  • Win32/Autoit.EP.Gen worm (Nod32)
  • Win32.Worm.AutoIt.AC (BitDef7)
  • Win32:AutoIt-CI [Trj] (AVAST)
  • Virus.AutoIt (Ikarus)
  • Worm/AutoRun.DP (AVG)
  • TR/Autoit.CI.14 (AVIRA)
  • Trojan Horse (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • IM-Worm:W32/Sohanad.HM [FSE] (FSecure)
  • WORM_IMAUT.HB (TrendMicro)