The SillyAutoRun worm redecorates Internet Explorer
The presence of the SillyAutoRun.GP worm is quite striking as it changes the look of Internet Explorer.
The SillyAutoRun.GP worm doesn't really try to hide itself: it changes the background of the Internet Explorer toolbars, altering their color and placing a small image below the title bar. The Trojan does try to make manual removal more difficult by copying itself to infected systems as SvcHost.exe, so that it appears in the process list as if it were a Windows system process.
The worm tries to spread to as many computers as possible through removable and network drives. It places a new.exe file in the root directory of the drives and ensures that it is loaded automatically when the storage is reconnected.
When the SillyAutoRun.GP worm starts, it performs the following actions:
- Creates the following entry in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\load = “%Windows%\Tasks\SvcHost.exe”
- Modifies the following values in the registry:
HKCU\Software\Microsoft\Internet Explorer\Toolbar\LinksFolderName = Links
HKCU\Software\Microsoft\Internet Explorer\Toolbar\Locked = 0x1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0x0
- Copies itself to the root directory of all accessible and writable (CP) drives as “New.exe” or “new.exe”. It also creates an autorun.inf file on these drives.
- Changes the registry to change the background of the Internet Explorer toolbars:
HKCU\Software\Microsoft\Internet Explorer\Toolbar\backBitmapShell = “%Windows%\system\bs.pif”
HKCU\Software\Microsoft\Internet Explorer\Toolbar\backBitmapIE5 = “%Windows%\system\bs.pif”
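
The artifacts listed above can be checked on a suspect machine with a read-only script. The following PowerShell is an added example, not part of the original write-up; it assumes that %Windows% stands for the Windows directory ($env:windir) and covers only the registry values that point at a dropped file, plus the new.exe and autorun.inf pair in each drive root.

```powershell
# Added example: read-only check for the SillyAutoRun.GP artifacts listed above.
# Assumption: %Windows% in the write-up means the Windows directory.
$win = $env:windir

# Registry values from the list that reference a dropped file.
$toolbar = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar'
$regChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'load';            Expect = "$win\Tasks\SvcHost.exe" },
    @{ Key = $toolbar; Name = 'backBitmapShell'; Expect = "$win\system\bs.pif" },
    @{ Key = $toolbar; Name = 'backBitmapIE5';   Expect = "$win\system\bs.pif" }
)

$findings = @()

foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # key or value not present
    $value = [string]$item.($c.Name)
    # Expand %VAR% forms and strip surrounding quotes before comparing.
    $norm = [Environment]::ExpandEnvironmentVariables($value).Trim('"')
    if ($norm -eq $c.Expect) {                 # -eq ignores case for strings
        $findings += [pscustomobject]@{
            Type = 'Registry'; Location = "$($c.Key)\$($c.Name)"; Detail = $value
        }
    }
}

# Dropped copies on the system drive.
foreach ($p in "$win\Tasks\SvcHost.exe", "$win\system\bs.pif") {
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = 'present' }
    }
}

# new.exe together with autorun.inf in a drive root (-Force also finds hidden files).
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $exe = Get-Item -LiteralPath (Join-Path $d.Root 'new.exe') -Force -ErrorAction SilentlyContinue
    $inf = Get-Item -LiteralPath (Join-Path $d.Root 'autorun.inf') -Force -ErrorAction SilentlyContinue
    if ($exe -and $inf) {
        $findings += [pscustomobject]@{
            Type = 'Drive'; Location = $d.Root; Detail = 'new.exe and autorun.inf in root'
        }
    }
}

if ($findings.Count -eq 0) { 'No SillyAutoRun.GP artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in the session of the affected user, since all the registry values live under HKCU.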