Discovery of Polymorphic AutoRun Worm by McAfee Researchers
According to security firm McAfee, W32/Autorun.worm.aaeb-h is an evolved, virtual-machine-aware AutoRun worm that uses polymorphic techniques to evade detection and to infect removable media.
A victim's machine is infected through e-mail spam, Blacole drive-by downloads, or downloads by BackDoor-FJW from the W32/Autorun.worm.aaeh family. On the surface it behaves like any other thumb-drive worm: it adds an autorun.inf file to all removable drives and network shares, uses an icon that resembles a folder icon to fool people into double-clicking it, and infects ZIP and RAR archives. What sets it apart is the level of obfuscation and polymorphism it employs.
More to the point, the malware writers are concealing their creation inside open-source VB6 projects taken from repositories.
Though this is possibly an attempt to pass the malware off as a legitimate piece of software, experts have found that the compiled binaries are encrypted with a randomly generated encryption key.
The developers use an automated code scrambler to generate the binaries, so the original code is obfuscated. The generated code then employs junk API calls and string functions that further complicate analysis, explained Sanchit Karve, Anti-Malware Researcher at McAfee, in a statement published by softpedia.com on February 16, 2013.
Karve highlights that this threat has been evolving for more than a year, and notes that the earliest samples were not as complex as the current ones. The authors developed the software by encrypting everything of importance with a single round of RC4 encryption; some newer variants add a further round of RC4, as published by McAfee.com on February 15, 2013.
The worm also alters the relevant directories on infected drives in an attempt to remain concealed, replicating itself under the name of that hidden directory as well as under names such as "secret.exe," "sexy.exe," "porn.exe," and "passwords.exe," among other obvious and alluring choices, which McAfee describes as an effort to trick users into running the malicious executables.
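The infection mechanics described above (an autorun.inf that launches a program, an executable posing as a hidden folder, and the lure file names) can be turned into a simple triage check for a mounted drive. The following Python script is an added example, not McAfee's, SPAMfighter's or the worm authors' code; the sample drive tree it builds, the directory names it uses and the use of a leading dot as a stand-in for the Windows hidden attribute on non-Windows systems are all constructed for illustration.

```python
"""Triage scan for the AutoRun-worm indicators described in the article.

Added example; not McAfee's, SPAMfighter's or the worm authors' code. It
walks a mounted drive (or any folder) and reports:
  * an autorun.inf whose [autorun] section launches a program,
  * executables carrying the lure names the article lists,
  * an executable named after a hidden sibling folder (the folder-icon trick).
The demo tree built by build_demo_tree() is constructed for illustration.
"""
import os
import stat
import tempfile

LURE_NAMES = {"secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}
# autorun.inf keys that make Windows run a program on insertion or double-click
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif")


def parse_autorun(text):
    """Return the programs an autorun.inf would launch (values of launch keys)."""
    targets = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS:
            targets.append(value)
    return targets


def is_hidden(path):
    """Hidden via the Windows attribute, or via a leading dot (POSIX stand-in)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_bit) or os.path.basename(path).startswith(".")


def scan(root):
    """Walk root and return a sorted list of (indicator, detail) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Names of hidden folders, normalised so "Photos.exe" matches ".Photos"
        hidden_stems = {d.lstrip(".").lower() for d in dirnames
                        if is_hidden(os.path.join(dirpath, d))}
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            if lower == "autorun.inf":
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for target in parse_autorun(fh.read()):
                        findings.append(("autorun.inf launches program",
                                         f"{path} -> {target}"))
                continue
            if ext not in EXEC_SUFFIXES:
                continue
            if lower in LURE_NAMES:
                findings.append(("lure filename", path))
            if stem in hidden_stems:
                findings.append(("executable mimics hidden folder", path))
    return sorted(findings)


def _write(path, content):
    with open(path, "w") as fh:
        fh.write(content)


def build_demo_tree():
    """Constructed sample drive: hidden real folder, its impostor, a lure, a benign file."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    os.mkdir(os.path.join(root, ".Photos"))                     # real folder, hidden
    _write(os.path.join(root, ".Photos", "img1.jpg"), "not a jpeg")
    _write(os.path.join(root, "Photos.exe"), "MZ fake folder")  # folder-icon impostor
    _write(os.path.join(root, "passwords.exe"), "MZ lure")
    _write(os.path.join(root, "report.txt"), "benign document")
    _write(os.path.join(root, "autorun.inf"),
           "[autorun]\nopen=Photos.exe\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\n")
    return root


if __name__ == "__main__":
    for indicator, detail in scan(build_demo_tree()):
        print(f"{indicator:32} {detail}")
```

Run it as-is to see the three findings on the constructed tree, or point `scan()` at the mount point of a removable drive. Matching executables only against hidden sibling folders (rather than every folder) keeps legitimate cases such as a `setup.exe` beside a `setup` directory out of the report.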
Related article: Discovery of More Politically Motivated Spam in the US
» SPAMfighter News - 25-02-2013