Type: Worm
Category: Win32
Also known as: BackDoor-CKB (McAfee), Backdoor:Win32/PcClient (MS OneCare), Backdoor.Win32.PcClient.aai (Kaspersky), W32.SillyDC (Symantec), WORM_VB.CYC (Trend)
Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 31.2.5225 | CA Antivirus 2007 | |
| 31.2.5225 | eTrust Antivirus v7/8* | |
| 7.x/5225 | eTrust EZ Antivirus 7.x | |
| 31.2.5225 | Vet 7 | |
Description
Win32/SillyAutorun.D is a worm that spreads via removable drives.
The worm also targets Trend Micro's OfficeScan product files and registry keys (see "Method of Infection" and "Payload" below). SillyAutorun.D has been distributed as a 24,576-byte Win32 executable.
Method of Infection
Win32/SillyAutorun.D executes when a previously infected removable drive is enabled and "AutoPlay" launches the worm.
The worm checks the path %SysDrive%:\Program Files\Trend micro\Officescan\ in an attempt to detect whether Trend Micro's OfficeScan product is installed. This would usually be C:\Program Files\Trend micro\Officescan\.
If the product directory is found, the worm copies itself to %SysDrive%:\Program Files\Trend micro\Officescan\KOfcpfwSvcs.exe and creates the following registry key to ensure it loads on the next user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KOfcpfwSvcs.exe = "%SysDrive%:\Program Files\Trend micro\Officescan\KOfcpfwSvcs.exe"
If the product directory is not detected, the worm copies itself to %System%\KOfcpfwSvcs.exe and creates the following registry key to ensure it loads on the next user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KOfcpfwSvcs.exe = "%System%\KOfcpfwSvcs.exe"
Note: %System% and %SysDrive% are variable locations. %System% refers to the location of the current System folder, while %SysDrive% refers to the drive letter where the System folder is found (usually C:\). The malware determines the location of these folders by querying the operating system. The default System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for XP and Vista.
Method of Distribution
Via Removable Drives
Win32/SillyAutorun.D attempts to spread via removable drives, excluding A:\ and B:\.
The worm has two operating modes: the first when launched from an infected removable drive, the second when launched from an infected fixed drive.
In the first mode, the worm attempts to install to the fixed drive (see "Method of Infection" for more information) and then terminates.
In the second mode, the worm continuously scans for removable drives to infect and also attempts to terminate processes and rename system files (see "Payload" for more information). When a removable drive is found, the worm copies itself to the root of the removable drive as %Root Drive%\RECYCLER\RECYCLER\autorun.exe.
The file and path attributes are set to Hidden and Read-Only.
The worm also drops "autorun.inf" to the removable drive and sets the file attributes to Hidden and Read-Only.
Note: %Root Drive% is a variable location and refers to the root folder of the current drive.
Payload
Terminates Process and Deletes File
Win32/SillyAutorun.D attempts to terminate any process named "OfcpfwSvcs.exe" and also attempts to delete the associated executable at %System%\OfcpfwSvcs.exe.
Renames Files
The worm modifies any files in the %System% directory matching the wildcard "y*.*" by renaming the file extension to ".000". For example, a file named "yes.exe" would be renamed "yes.000".
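As an added example (not part of the CA write-up), the following Python functions check for the three artefacts this description gives: the KOfcpfwSvcs.exe Run entry from "Method of Infection", the RECYCLER\RECYCLER\autorun.exe and autorun.inf drop from "Method of Distribution", and the y*.000 renames from "Payload". The inputs are plain lists and dicts with constructed sample data; feeding them from winreg and os.walk on a live host is an assumption about deployment, not something the page states.

```python
"""Indicator checks for the Win32/SillyAutorun.D behaviour described above.

Added example, not part of the CA write-up. Inputs are plain Python data, so the
checks run anywhere; on a live Windows host they would be fed from winreg (the
HKLM Run key) and from os.walk() of the removable-drive root and %System%.
"""
import fnmatch
import ntpath

# The worm's Run value and file name differ from the legitimate OfficeScan
# component OfcpfwSvcs.exe by a single leading "K".
WORM_NAME = "kofcpfwsvcs.exe"


def check_run_key(run_values):
    """Return Run-key value names whose name or target file is KOfcpfwSvcs.exe.
    run_values: dict of value name -> command, as read from HKLM\\...\\Run."""
    hits = []
    for name, cmd in run_values.items():
        target = ntpath.basename(cmd.strip().strip('"')).lower()
        if WORM_NAME in (name.lower(), target):
            hits.append(name)
    return hits


def check_removable_root(paths):
    """Flag RECYCLER\\RECYCLER\\autorun.exe and autorun.inf at a removable-drive root.
    autorun.inf alone is a weak signal; the nested RECYCLER copy is the distinctive one."""
    wanted = {r"recycler\recycler\autorun.exe", "autorun.inf"}
    return sorted(p for p in paths if p.lower().lstrip("\\") in wanted)


def check_renamed_system_files(filenames):
    """Return %System% files matching the worm's y*.* -> y*.000 rename (e.g. yes.000)."""
    return sorted(f for f in filenames if fnmatch.fnmatch(f.lower(), "y*.000"))


if __name__ == "__main__":
    # Constructed sample data standing in for a live host's registry and listings.
    run = {"KOfcpfwSvcs.exe": r'"C:\Windows\System32\KOfcpfwSvcs.exe"',
           "OfcpfwSvcs": r"C:\Program Files\Trend Micro\OfficeScan\OfcpfwSvcs.exe"}
    root = [r"Documents\report.docx", r"RECYCLER\RECYCLER\autorun.exe", "autorun.inf"]
    system32 = ["notepad.exe", "ymsgr.000", "yes.000", "xcopy.exe"]
    print("Run key hits:", check_run_key(run))
    print("Removable root hits:", check_removable_root(root))
    print("Renamed files:", check_renamed_system_files(system32))
```

The legitimate OfficeScan entry in the sample is deliberately not flagged, so the check distinguishes the worm's file from the product component it impersonates.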
Analysis by Marc Marino