W32/USBAuto.worm!rootkit

Type: Virus
SubType: Worm
Discovery Date: 05/11/2007
Length: varies
Minimum DAT: 5029 (05/11/2007)
Updated DAT: 5656 (06/24/2009)
Minimum Engine: 5.1.00
Description Added: 05/11/2007
Description Modified: 06/07/2007 3:44 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

Note: File names and registry entries listed here may vary with different versions of the malware, so this is a generic description.

Upon execution, this malware copies itself to the following location.

  • C:\Windows\system32\internt.exe

This file is then executed and installed as a rootkit, so that its process is not visible in the process list.

It modifies the following registry entry so that it loads at system startup.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
    Data : C:\Windows\system32\userinit.exe, C:\Windows\system32\internt.exe

It then copies itself, along with an autorun.inf file, to all removable USB media.

Symptoms

Presence of the files and registry entries mentioned.

Method of Infection

This worm spreads by copying the following files to removable USB media.

  • autorun.inf
  • CN911.exe (copy of the worm)
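
A triage check for the two artifacts described above, added here as an example (not vendor code): it flags any Userinit entry beyond the stock userinit.exe and any executable sitting beside an autorun.inf in a removable drive root. The function names, the baseline value and the extension list are assumptions of this example.

```python
import ntpath

# Assumption: baseline is the stock Userinit data, "C:\Windows\system32\userinit.exe,".
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
# Assumption: extensions treated as directly executable for this check.
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")

def _norm(entry, system_root=r"C:\Windows"):
    """Strip quotes/whitespace, expand %SystemRoot%/%windir%, lowercase."""
    e = entry.strip().strip('"').strip()
    for var in ("%systemroot%", "%windir%"):
        if e.lower().startswith(var):
            e = system_root + e[len(var):]
            break
    return ntpath.normpath(e).lower()

def audit_userinit(data, expected=EXPECTED_USERINIT):
    """Return the Userinit entries that are not in the expected baseline."""
    entries = [_norm(p) for p in data.split(",") if p.strip()]
    return [e for e in entries if e not in expected]

def audit_removable_root(names):
    """Return executables sitting beside an autorun.inf in a drive root.
    File names vary between versions, so match on the pattern, not on CN911.exe."""
    if "autorun.inf" not in (n.lower() for n in names):
        return []
    return sorted(n for n in names if n.lower().endswith(EXEC_EXTS))

# Constructed sample inputs (the modified value is the one quoted in the description).
CLEAN = r"C:\Windows\system32\userinit.exe,"
ENV_FORM = r"%SystemRoot%\System32\userinit.exe,"
MODIFIED = r"C:\Windows\system32\userinit.exe, C:\Windows\system32\internt.exe"
USB_ROOT = ["autorun.inf", "CN911.exe", "notes.txt"]

if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("env", ENV_FORM), ("modified", MODIFIED)):
        print(label, audit_userinit(value))
    print("usb", audit_removable_root(USB_ROOT))
```

Feed it the Userinit data exported from the Winlogon key and a listing of the drive root; anything returned is a candidate for review, not a verdict.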

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

This detection is for a worm that spreads via removable USB media, and is also a rootkit.

Aliases:

  • Trojan-Downloader.Win32.VB.anf (Kaspersky)
  • BackDoor.Generic.1563 (Doctor Web)
  • Win32/TrojanDownloader.VB.ANF (ESET NOD32)
  • W32/UsbStorm.A.worm (Panda)
