Another AutoIt compiled Worm enters the Malware scene

February 14, 2014

The Dell Sonicwall Threats Research Team received reports of an AutoIt Script compiled Worm that gathers sensitive information from the victim machine and transmits it to a remote server via FTP. The stolen information may include browsing history, device hardware profile, ARP table, network configuration and periodically taken screen captures.

AutoIt is a popular scripting language for Windows that has been around for more than two decades. Ease-of-use is one of the main reasons for its popularity among developers, the same reason has attracted Malware writers to use this language more and more over the past few years. We have seen a rise in trend of AutoIt compiled Malware over the past few years and this trend is not likely to drop in the foreseeable future.

Infection Cycle

The Worm drops a copy of itself at the following location:

  • %Administrator%Start MenuProgramsStartUpLoveU.exe [Copy of itself]

It creates the following process to disable system firewall

  • C:Windowssystem32cmd.exe /c netsh firewall set opmode mode=disable

It shows the following message box which disappears after few moments

The Worm then starts gathering information about the system and stores this information locally. The Following table shows the commands and corresponding files that save the relevant information:

Additional information about the victim's machine is saved as follows:

The Worm then opens a FTP connection to koko[xxxxxx].com and sends this information to the server. Once sent, it deletes these files from the system.

The Worm has the following additional capabilities:

  • Scan for available removable drives and drops the malicious files onto them to spread further

  • Capture screenshot of the system

  • Send Mail from the system

Overall the main motive of this Worm is to gather information about the victim system and send it over to the attacker. We will continue to monitor this threat to see if further additions are made to increase its arsenal of capabilities.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Fucom.A (Worm)