Recently we have seen a spike in a Visual Basic 6-compiled AutoRun worm family. The family is both client- and server-side polymorphic. (For more on this family, refer to our VIL and Advisory entries.)
The W32/Autorun.worm.aaeh family usually gets on a victim’s machine through email spam, Blacole drive-by downloads, or downloads by BackDoor-FJW. From a behavioral perspective, it looks like any other thumb-drive infecting worm. It adds an autorun.inf file on all removable drives and network shares, has an icon resembling a folder icon to trick people into double-clicking it, and infects ZIP and RAR archives. What separates this worm from the rest, however, is the level of obfuscation and polymorphism that it employs.
This family is known to package itself with open-source VB6 projects taken from repositories on the web as an obfuscation mechanism. It appears that the author achieves this by downloading an existing VB6 project with GUI components (forms, user-defined controls, etc.), including the malicious code inside the project and switching the Startup Object as “Sub Main” so that only the malware gets control–instead of the original project’s event handlers. This is possibly an attempt to pose as legitimate software. However, the compiled binaries typically never contain clearly visible strings required by the malware, and are instead encrypted with the RC4 algorithm using a randomly generated encryption key. The files may also be either p-code compiled or native VB6 compiled. The code is obfuscated and they developers appear to have used an automated code scrambler for the binary generation. The generated code uses junk API calls and string functions to further complicate any analysis (described below).
Internals
This threat has been around for more than a year and has evolved. I should note that the earliest samples from this family weren’t nearly as complex as they are today. Some of the oldest samples didn’t encrypt all the strings (MD5:A858514E09637B9B84FD207CED38657B), but the authors have evolved their software (MD5:65CCF15E6224444AAC1141BA210A35C2) by encrypting everything important with a single round of RC4 encryption. Some new variants use an additional round of RC4 (MD5:DCEF805C893A0515C7A0BA117F13CDC3).
When this family first executes, it performs the following operations:
(Boldface items apply only to the new variants that use two rounds of RC4.)
- Checks if only one instance of the application is running, else quits
- Opens itself with File Read permission
- Searches for its encrypted data, which later decrypts to its strings. It needs to obtain a key for decryption. The key is built from two subkeys.
- Key1 is obtained from the application title
- Key2 is a hardcoded ASCII byte key
- Performs RC4 decryption over encrypted data using key2 (Layer 1 Decryption)
- Performs RC4 decryption over encrypted data using using key1 (Layer 2 Decryption)
- Splits strings based on vbCrLf as decrypted strings appear as one large string delimited by vbCrLf
- Performs malicious activity and refers to decrypted strings for API functions, DLLs, filenames, URLs, and other information.
Aside from having the code compiled in native mode and p-code to generate separate binaries that display identical behavior, the author uses various techniques.
Unnecessary Strings
The following image shows strings in clear text that have no relevance to the malware.
Random VB6 Library Function Calls
The next image shows various VB6 function calls that have no relevance to the malware.
Polymorphism
Besides using the usual tricks, such as register swaps and code merging, this family is capable of using different sets of instructions to implement the same feature. For example, some samples may use polymorphic code for performing RC4, as shown below:
The same routine also appears in other samples using floating-point instructions:
Next we see a dump of the decrypted strings:
| advapi32 CloseHandle connect CreateToolhelp32Snapshot GetDiskFreeSpaceExW GetDriveTypeW GetFileAttributesW GetLogicalDrives GetLogicalDriveStringsW CreateMutexW GetModuleHandleW GetUserNameW ExitProcess htons InternetCloseHandle InternetOpenUrlW InternetOpenW InternetReadFile kernel32 OpenProcess Process32First recv shell32 ShellExecuteW SHGetSpecialFolderPathW Sleep socket TerminateProcess user32 wininet WriteProcessMemory WSAStartup ws2_32 RegCreateKeyExW RegSetValueExW RegCloseKey Software\Microsoft\Windows\CurrentVersion\Run\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ ShowSuperHidden autorun.inf .exe :.dl &h Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) [autorun] action= open= useautoplay=1 view files abcedfghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ aeiou bcdfghjklmnpqrstvwxyz ico task proc x.mpeg Secret Sexy Porn Passwords BeginUpdateResourceW UpdateResourceW EndUpdateResourceW .scr CsrGetProcessId TerminateThread SetWindowLongW CallWindowProcW OpenMutexW Process32Next ntdll NtTerminateProcess gethostbyname SetFileAttributesW DeleteFileW CopyFileW SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU cmd /c tasklist&&del mp3,avi,wma,wmv,wav,mpg,mp4,doc,txt,pdf,xls,jpg,jpe,bmp,gif,tif,png RECYCLER SetTimer GetProcAddress RtlMoveMemory RegOpenKeyW RegDeleteValueW RegisterClassW CreateWindowExW DefWindowProcW GetMessageW WaitMessage ShowWindow ReleaseMutex NoAutoUpdate GetForegroundWindow GetWindowTextW Software\Microsoft\Windows NT\CurrentVersion\Windows .com .net .org .biz .info config registry Load Run = : . \ exe [ ] / .at .eu .by oq2*mckxjbnof} runme 8B4C240851<PATCH1>E8<PATCH2>5989016631C0C3 <PATCH1> <PATCH2> FindFirstFileW FindNextFileW FindClose GetShortPathNameW zip rar * \WinRAR\Rar.exe a -y -ep -IBCK 1 2 4 14 63 32768 32772 2035711 67108864 -4 -2147483646 -2147483647 sbiedll dbghelp snxhk SYSTEM\ControlSet001\Services\Disk\Enum *VIRTUAL* *VMWARE* *VBOX* *QEMU* RegQueryValueExW xxx |
From the strings we can see that this threat is VM-aware and capable of infecting RAR and ZIP files. The numbers (1, 2, 3, 14, 63) are used to randomly generate domain names based on table lookups, etc.
The worm can download other prevalent families, such as ZBot, and it’s clear that the payload families use the worm’s spreading mechanism as a propagation vector.
What Can You Do?
This family hasn’t shown signs of fading away (more than a million files on VirusTotal belong to this family), but with a few simple steps, you can avoid getting infected by this annoying worm.
- Don’t click links in spam emails that promise free stuff or suggest new ways to make a quick buck. Don’t execute software that arrives via spam.
- Disable the AutoRun feature on Windows
- Refrain from opening files named “secret,” “sexy,” “porn,” or “passwords” from unknown sources
- Don’t open any executable file with a shady application name (visible through a tool tip when you hover your mouse near a file or by right-clicking the file and selecting properties)
- Don’t open any executable file that looks like a folder icon with blurred edges
- Read our Threat Advisory for more information
McAfee products detect this family as W32/Autorun.worm.aaeh and W32/Autorun.worm.aaeh!gen.
Don’t forget to sign up for our Notification Services, which are available via email or apps on your mobile device.