Turkish Delight

Today SophosLabs received a new worm from the field which was quite similar to the W32/SillyFD family, but different enough to make it a new family. Detection has been added as W32/Amca-A.

The worm is written  in VisualBasic by some Turkish hackers. The name is coming from a reference in the code saying “Paylasim Acma(C,D).exe“.

It has several components packed into a WinRar SFX. Besides installing itself into the system32 folder, it creates two simple command files  <System>\acd.cmd and <System>\acd2.cmd which are used to share the drives of the infected machines. These files contain a simple command:

net share PATRON1=d:\ /unlimited /remark:"RockStar"

Also, similarly to the SillyFD worms, it spreads to USB drives, creating 2 hidden files there: activexdebugger32.exe and Autorun.inf.  This latter one is used to autorun the exe when the drive is connected to a new machine.