Obfuscation and Polymorphism Separate “aaeh” Family from Other AutoRun Worms

McAfee experts have analyzed the W32/Autorun.worm.aaeh family

By on February 16th, 2013 10:35 GMT

Threats that rely on the AutoRun function to spread are highly common these days, but there’s one worm family that stands out from the crowd because of the obfuscation and polymorphism mechanisms it employs.

According to McAfee experts, the W32/Autorun.worm.aaeh family is very similar to other threats because it’s spread in the same manner.

However, for obfuscation, the malware’s authors are hiding their creation inside open-source VB6 projects taken from repositories.

While this is possibly an attempt to pass the worm off as a legitimate piece of software, experts found that the compiled binaries are encrypted using a randomly generated encryption key.

“The code is obfuscated and the developers appear to have used an automated code scrambler for the binary generation. The generated code uses junk API calls and string functions to further complicate any analysis,” Anti-Malware Researcher Sanchit Karve explained.

The complete technical analysis and advice on how to protect yourself against the threat are available here.
