USB Worm

Suman Ganta
Jun 12, 2007

My laptop happened to get infected with this worm recently. The way it is written is silly enough that it is easy to catch. At times I hate the Windows shell because of its vulnerability even to such silly programs.

Once it is installed, it will not let you open Firefox, showing crappy messages instead, and it will not let you open Orkut.

The way it is written is quite simple.

It basically has two parts: 1) the worm in action on the infected machine, and 2) another component that reproduces the worm onto removable disks.

An infected USB drive carries an autorun.inf that kicks off a program (named MicrosoftPowerPoint.exe to confuse people) which copies a set of executables and VB script files into c:\heap41a. This folder contains another executable called svchost.exe (different from the usual svchost) that can execute VB scripts silently.

After copying this folder, it updates the registry to register this svchost as a winlogon script. So the moment we log in, it gets executed with a VB script that keeps looking for the words "firefox" and "orkut" in the title of any active window. Upon finding them it keeps showing crappy messages and kills the active application. Some kiddish stuff.

This svchost also runs another VB script that keeps polling for a drive whose description contains the word "Removable"; once it finds one, it copies MicrosoftPowerPoint.exe onto it along with an autorun.inf.

So when a removable disk is inserted into the USB port of an infected computer, it gets seeded with this worm as an autorun program, an age-old technique for propagating a virus.

Another funny thing it does: it keeps all its files and folders marked as hidden, system files, so that the user will not be able to see them. Normally you can see hidden and system files by turning on those options in the Explorer folder options. But, guess what, even if you turn that option on, you still will not be able to see them. The reason? There is another thread running that keeps watching the registry and turns off the flag that shows system and hidden files.
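The three behaviours described above (an autorun.inf that launches a program from the drive, an impostor svchost.exe registered under Winlogon, and the Explorer hidden-file flags being flipped back) can each be checked from the defender's side. The script below is an added example, not the worm's code or anything from the original post; the autorun.inf text and the registry snapshots are constructed, it assumes Windows lives under C:\WINDOWS, and the Winlogon value names are assumptions since the post does not say which one the worm used.

```python
import re
from typing import Dict, List, Tuple

SYSTEM32 = r"c:\windows\system32"  # assumption: the host's system root is C:\WINDOWS
CORE_BINARIES = {"svchost.exe", "userinit.exe", "winlogon.exe", "explorer.exe"}

# Constructed sample autorun.inf in the shape the post describes (not the worm's own file).
SAMPLE_AUTORUN = "[AutoRun]\nicon=setup.ico\nopen=MicrosoftPowerPoint.exe\n" \
                 "shell\\open\\command=MicrosoftPowerPoint.exe\n"

def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section; section name and keys are case-insensitive."""
    entries, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_launch_targets(text: str) -> List[str]:
    """Programs the file would start: open=, shellexecute= and shell\\<verb>\\command=."""
    return sorted({v for k, v in parse_autorun(text).items()
                   if k in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", k)})

def impostor_system_binaries(winlogon_values: Dict[str, str]) -> List[str]:
    """Explicit paths named like core Windows binaries but outside System32 (c:\\heap41a\\svchost.exe).
    Bare names such as the default Shell=explorer.exe resolve via the search path and are left alone."""
    hits = []
    for value in winlogon_values.values():
        for path in (p.strip().strip('"') for p in value.split(",")):
            name = path.lower().rsplit("\\", 1)[-1]
            if "\\" in path and name in CORE_BINARIES and not path.lower().startswith(SYSTEM32):
                hits.append(path)
    return hits

def registry_changes(before: Dict[str, object], after: Dict[str, object]) -> Dict[str, Tuple]:
    """Diff two snapshots of watched values: the worm's flag-resetting thread shows up here
    as the same two Explorer values flipping back moments after the user turned them on."""
    return {k: (before.get(k), after.get(k))
            for k in set(before) | set(after) if before.get(k) != after.get(k)}

# Constructed snapshots of HKCU\...\Explorer\Advanced: Hidden=1 shows hidden files,
# ShowSuperHidden=1 shows protected system files; the second snapshot is after the worm's reset.
USER_TURNED_ON = {"Hidden": 1, "ShowSuperHidden": 1}
AFTER_WORM_RESET = {"Hidden": 2, "ShowSuperHidden": 0}
```

On a live host the snapshots would be read with the winreg module on a timer; a change that appears without any user action is the signal the post asks antivirus software to surface.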

Bottom line is, the Windows shell is the one single place to attack for most worms and viruses. I think anti-virus software should be enhanced to trace registry updates and present the user with malicious updates, similar to the way they behave when a program opens up a TCP connection.

By the way, I preserved that worm for myself, to run better stuff behind the scenes to make my life easier.
