
Autorun.IYQ

 
Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Autorun.IYQ carries out many modifications in the Windows Registry of the affected computer, which have the following consequences:

  • It prevents the computer from being started in safe mode.
  • It keeps AutoRun enabled, so a drive carrying its AUTORUN.INF is run as soon as the drive is inserted or opened.
  • It sets a write-protect policy for removable devices, so that no file can be copied to them.
  • It uses several techniques to make its detection more difficult:
    - It hides files and folders that carry the hidden attribute.
    - It hides protected operating system files.
  • It adds two new entries, both pointing to a copy of the worm, to the context menu of the drives in My Computer.
  • It prevents many files belonging to different security programs from being run.
  • It disables the following services, which are part of or related to the Windows Security Center:
    - Wuauserv: Windows Update AutoUpdate Service
    - Wscsvc: Windows Security Center Service
    - SharedAccess: Windows Firewall Service
    - Helpsvc: Help Service
    - RSPPSYS

Additionally, it carries out the following actions:

  • It modifies the system date, changing it to 2005-4-20.
  • It connects to the following URLs, among others:
    http://www.gx<blocked>anjian.com
    http://www.67<blocked>77.com
    http://sj<blocked>qb.cn
    http://qq.xt<blocked>uan.cn

Infection strategy 

Autorun.IYQ creates the following files, which are copies of itself:

  • UDKSX.EXE, in the root directory of the C: drive and in the Windows system directory.
  • ANURG.EXE, in the Windows system directory.

Additionally, it creates an AUTORUN.INF file in both directories, so that the copies of the worm are automatically run when they are accessed.

 

Autorun.IYQ replaces the HOSTS file (kept in the drivers\etc subfolder of the Windows system directory) with an empty file, which removes any name-to-address mappings the administrator or a security product had placed there.

 

Autorun.IYQ creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    anurg.exe = %sysdir%\anurg.exe

    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    udksx.exe = %sysdir%\udksx.exe

    By creating these entries, Autorun.IYQ ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun = 91

    NoDriveTypeAutoRun is a bitmask in which a set bit disables AutoRun for one drive type. Read as hexadecimal (0x91, which is also the Windows XP default), it disables AutoRun only for unknown and network drives and leaves it enabled on removable, fixed and CD-ROM drives, so a drive carrying the worm's AUTORUN.INF is run as soon as it is inserted or opened. A value of FF would disable AutoRun for every drive type.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
    WriteProtect = 00, 00, 00, 00

    This policy controls whether removable storage can be written to. Note that the value listed here (0) leaves the drives writable; it is a value of 1 that makes them read-only, so this value on its own does not produce the write-blocking effect described above.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deb59403-ec73-11d6-ab8e-806d6172696f}\shell\explore
    (Default) = 资源管理器(&X)    [Chinese: "Explorer(&X)"]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deb59403-ec73-11d6-ab8e-806d6172696f}\shell\explore\Command
    (Default) = C:\udksx.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deb59403-ec73-11d6-ab8e-806d6172696f}\shell\open
    (Default) = 打开(&O)    [Chinese: "Open(&O)"]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deb59403-ec73-11d6-ab8e-806d6172696f}\shell\open\Command
    (Default) = C:\udksx.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{deb59403-ec73-11d6-ab8e-806d6172696f}\shell\open\Default
    (Default) = 1

    By creating these entries, it adds two context-menu entries ("Open" and "Explorer", labelled in Chinese) to the drives of My Computer, and both run the copy of the worm at C:\udksx.exe; with shell\open\Default set, double-clicking the drive does the same. MountPoints2 holds one subkey per mounted volume, so the GUID identifies the drive whose menu is hijacked.

 

Additionally, it creates many entries under Image File Execution Options in order to prevent certain files belonging to different security programs from being run. The values set under these keys are not listed here; keys of this kind normally work through a Debugger string value, which makes Windows launch the named "debugger" instead of the program whose name the key carries. Some of the entries it creates are the following:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe

 

Autorun.IYQ modifies the following entries in the Windows Registry, disabling several services that belong to or are related to the Windows Security Center:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%Servicename%
    Start = 02, 00, 00, 00

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%Servicename%
    Start = 04, 00, 00, 00

    that is, from 2 (Automatic) to 4 (Disabled), so the service is no longer started at boot and cannot be started manually until the value is restored, where %Servicename% is one of the following services:
    - Wuauserv: Windows Update AutoUpdate Service
    - Wscsvc: Windows Security Center Service
    - SharedAccess: Windows Firewall Service
    - Helpsvc: Help Service
    - RSPPSYS

Additionally, Autorun.IYQ modifies the following entries in the Windows Registry in order to hide itself and make its detection more difficult:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = 00, 00, 00, 00

    It hides protected operating system files (the Explorer setting "Hide protected operating system files" is forced on), which is the attribute combination the worm's own files carry.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 00, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    Type = checkbox

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    Type = checkbox2

    By modifying the Hidden value and the SuperHidden Type, it hides files and folders that carry the hidden attribute, and the Folder Options checkbox that would re-enable them no longer works because "checkbox2" is not a control type Explorer recognises.

 

Autorun.IYQ deletes the following entries from the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

    By deleting these two entries, it prevents the computer from being started in safe mode: the GUID is the disk-drive device class, and without it in the SafeBoot lists Windows does not load disk drivers during a safe-mode boot.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 01, 00, 00, 00

    Deleting CheckedValue breaks the "Show hidden files and folders" option in Folder Options, so hidden files stay hidden even when the user selects it.
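The registry changes listed above can be checked offline against a text export of the affected hives. The following script is an added example and not Panda's or the worm author's code: it parses a `.reg` export (only single-line values, which is enough for these indicators), reports the Run-key persistence, the Image File Execution Options keys aimed at the listed security tools, the services set to Start=4, the drive types that NoDriveTypeAutoRun leaves AutoRun enabled on, and the real meaning of the WriteProtect value. The sample export at the bottom is constructed; in particular the Debugger target under the IceSword.exe key is an assumption, since the page does not print that value. Python is used so the triage runs on any analysis host, not only on the infected machine.

```python
"""Offline triage of a Windows registry export (.reg text) for the Autorun.IYQ
indicators described above.  Added example, not Panda's tooling; sample data is constructed."""
import re

# Indicator data from the description above, lower-cased for case-insensitive matching.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_FILES = {"udksx.exe", "anurg.exe"}
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
TARGETED_TOOLS = {"360rpt.exe", "agentsvr.exe", "fyfirewall.exe",
                  "icesword.exe", "ravmon.exe", "usbcleaner.exe"}
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
SERVICES = {"wuauserv", "wscsvc", "sharedaccess", "helpsvc"}
POLICIES = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
STORAGE = r"hkey_local_machine\system\currentcontrolset\control\storagedevicepolicies"
# NoDriveTypeAutoRun is a bitmask: a SET bit disables AutoRun for that drive type.
AUTORUN_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
                0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: raw_value}}.
    Only single-line values are handled; that covers every indicator checked here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
                keys[current][name] = m.group(2)
    return keys


def as_int(raw):
    """Integer for dword:/hex: values (hex: bytes are little-endian); None otherwise."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex:"):
        return int.from_bytes(bytes(int(b, 16) for b in raw[4:].split(",")), "little")
    return None


def as_str(raw):
    """Unescape a quoted .reg string value; anything else is returned verbatim."""
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\") if raw.startswith('"') else raw


def autorun_enabled_types(mask):
    """Drive types on which AutoRun stays enabled under a NoDriveTypeAutoRun mask."""
    return [name for bit, name in AUTORUN_BITS.items() if not mask & bit]


def check_indicators(keys):
    """Return a sorted list of (indicator, detail) pairs found in a parsed export."""
    hits = []
    for name, raw in keys.get(RUN_KEY, {}).items():
        if as_str(raw).lower().rsplit("\\", 1)[-1] in WORM_FILES:
            hits.append(("run persistence", name + " = " + as_str(raw)))
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]
        if path.startswith(IFEO + "\\") and leaf in TARGETED_TOOLS:
            hits.append(("ifeo hijack", leaf + " -> " + as_str(values.get("debugger", "?"))))
        if path.startswith(SERVICES_KEY + "\\") and leaf in SERVICES:
            if as_int(values.get("start", "")) == 4:        # 4 = Disabled, 2 = Automatic
                hits.append(("service disabled", leaf))
    mask = as_int(keys.get(POLICIES, {}).get("nodrivetypeautorun", ""))
    if mask is not None:
        hits.append(("autorun enabled on", ", ".join(autorun_enabled_types(mask))))
    wp = as_int(keys.get(STORAGE, {}).get("writeprotect", ""))
    if wp is not None:                                       # 1 = read-only, 0 = writable
        hits.append(("storagedevicepolicies writeprotect", "read-only" if wp else "writable (0)"))
    return sorted(hits)


# Constructed sample export (not from a real host); the Debugger target is an assumption.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"udksx.exe"="C:\\WINDOWS\\system32\\udksx.exe"
"anurg.exe"="C:\\WINDOWS\\system32\\anurg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=hex:00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\udksx.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"""


def triage_sample():
    """Run the checks over the constructed export."""
    return check_indicators(parse_reg(SAMPLE_EXPORT))


if __name__ == "__main__":
    for indicator, detail in triage_sample():
        print(f"{indicator:36s} {detail}")
```

On a real case the export is produced with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` on the suspect host (or from an offline hive loaded with `reg load`), then fed to `parse_reg`. The WriteProtect line deliberately prints what the value means rather than assuming it blocks writes, because the value documented above (0) is the writable setting.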

Means of transmission 

Autorun.IYQ reaches the computer in a file that uses the icon of a picture, so that it looks like an image rather than an executable.

Autorun.IYQ spreads via the system drives: mapped, shared and removable. It creates a copy of itself in the root directory of all the drives. Additionally, it creates an AUTORUN.INF file in those drives, so that the copy of itself is automatically run whenever any of them is accessed.
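Because the worm relies on an AUTORUN.INF in each drive root, the first thing to look at on a suspect removable, mapped or shared drive is that file. The script below is an added example, not code from the page: it parses an AUTORUN.INF the way Explorer reads it (section and key names case-insensitive), lists every command the file can launch, flags the ones that run a binary, and reports whether the default double-click verb has been redirected. Both sample files are constructed; the first is written to mirror the Open/Explore menu hijack documented in the MountPoints2 entries above, since the page does not print the worm's actual AUTORUN.INF.

```python
"""Triage of an AUTORUN.INF found in the root of a removable, mapped or shared drive.
Added example, not from the page; both sample files below are constructed."""

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")
LAUNCH_KEYS = ("open", "shellexecute")   # executed by AutoPlay / on double-click


def parse_autorun_inf(text):
    """Return {section_lower: {key_lower: value}}; Explorer treats names case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def looks_executable(command):
    """True if the command's first token (quoted paths handled) has an executable extension."""
    cmd = command.strip()
    if not cmd:
        return False
    first = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return first.lower().endswith(EXEC_EXT)


def launch_targets(sections):
    """Every command the [autorun] section can run: AutoPlay open/shellexecute plus
    each shell\\<verb>\\command context-menu entry (the same verbs the worm hijacks)."""
    auto = sections.get("autorun", {})
    targets = [(k, auto[k]) for k in LAUNCH_KEYS if k in auto]
    targets += [(k, v) for k, v in auto.items()
                if k.startswith("shell\\") and k.endswith("\\command")]
    return targets


def triage(text):
    """Summarise one AUTORUN.INF: all launch targets, those that run a binary, and
    whether the default double-click verb ('shell=') was redirected."""
    sections = parse_autorun_inf(text)
    targets = launch_targets(sections)
    return {
        "targets": targets,
        "flagged": [(k, cmd) for k, cmd in targets if looks_executable(cmd)],
        "default_verb": sections.get("autorun", {}).get("shell"),
    }


# Constructed sample mirroring the Open/Explore menu entries documented above
# (the page does not print the worm's real file).
WORM_INF = r"""[AutoRun]
open=udksx.exe
shellexecute=udksx.exe
shell\open=Open(&O)
shell\open\Command=udksx.exe
shell\explore=Explorer(&X)
shell\explore\Command=udksx.exe
shell=open
"""

# Constructed benign sample: only a label and an icon, nothing is executed.
BENIGN_INF = """[autorun]
label=Backup disk
icon=backup.ico
"""

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("benign", BENIGN_INF)):
        result = triage(inf)
        print(name, "flagged:", result["flagged"], "default verb:", result["default_verb"])
```

A relative path such as `udksx.exe` in any of the flagged keys means the executable sits next to the AUTORUN.INF in the drive root, which is exactly the layout described above; an `icon=` or `label=` entry on its own launches nothing and is what a legitimate AUTORUN.INF usually contains.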

Further Details  

Autorun.IYQ is written in Delphi. The worm is 34,396 bytes in size and is packed with NSPack and FSG.

Last updated:  05/10/2009 
