W32/Autorun.worm.g

Type: Virus
SubType: Worm
Discovery Date: 07/03/2007
Length: 224,340 bytes
Minimum DAT: 5067 (07/04/2007)
Updated DAT: 5297 (05/16/2008)
Minimum Engine: 5.1.00
Description Added: 07/03/2007
Description Modified: 07/03/2007 8:23 PM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update July 3, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/07/02/harry_potter_worm/

This detection is for a worm which attempts to spread to removable drives by creating an Autorun.inf file on them; the file runs the worm automatically on any system that has Autorun enabled for the removable drive.

When the worm is executed, the following error message is shown:

If there is no removable drive present on the machine, the following error message will be shown repeatedly:

Once the final error message is dismissed, the system reboots itself automatically. When the system restarts, a batch file is run to display the following text:

The worm creates the following files:

  • c:\autorun.inf (171 bytes)
  • c:\harry potter.txt (379 bytes)
  • c:\HarryPotter-TheDeathlyHallows.doc (23 bytes)
  • c:\WINDOWS\Tasks\At1.job (386 bytes)
  • c:\WINDOWS\Tempt\talk.bat (200 bytes)

It also creates the following registry entries to disable Windows Firewall:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

It modifies the following registry entries to disable access to various system features:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "HideClock" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoRun" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoShellSearchButton" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoTrayContextMenu" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoTrayItemsDisplay" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoViewContextMenu" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoViewContextMenu" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = 1

These changes make a number of things inaccessible on an infected system (e.g. diagnostic tools such as Regedit and Task Manager cannot be used, and the clock and system tray are both hidden). They also prevent files from being run from Explorer, though files may still be run from the Start menu.

The Internet Explorer start page is modified to point to an Amazon.com page for a book which is a parody of the Harry Potter series.

The ProductID and Registered Owner are changed as follows:

  • ProductID = HARRY-POT-TERHATE-SYOU1
  • RegisteredOwner = Harry Potter
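The policy values and branding strings above are the most durable host indicators in this description, since they survive the reboot. The following is an added example (not McAfee's code or tooling) that parses a plain-text `reg export` (.reg) file and flags exactly the entries listed in this description; the location of ProductId and RegisteredOwner under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion` is an assumption, as the page names only the values.

```python
import re
# Lower-cased registry paths; the description lists these policy values set to 1.
EXPLORER = r"software\microsoft\windows\currentversion\policies\explorer"
SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
POLICY_VALUES = {
    "hkey_current_user\\" + EXPLORER: {"hideclock", "nofind", "nofolderoptions", "norun",
        "noshellsearchbutton", "notraycontextmenu", "notrayitemsdisplay", "noviewcontextmenu"},
    "hkey_current_user\\" + SYSTEM: {"disableregistrytools", "disabletaskmgr"},
    "hkey_local_machine\\" + EXPLORER: {"noviewcontextmenu"},
    "hkey_local_machine\\" + SYSTEM: {"disabletaskmgr"},
}
NT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion"  # assumed location
BRANDING = {"registeredowner": "Harry Potter", "productid": "HARRY-POT-TERHATE-SYOU1"}
KEY_RE = re.compile(r"^\[([^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$')
STR_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')

def parse_reg(text):
    """Parse .reg text into {key_lower: {name_lower: value}}; DWORD and REG_SZ only."""
    entries, key = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
            entries.setdefault(key, {})
        elif key is not None and (m := DWORD_RE.match(line)):
            entries[key][m.group(1).lower()] = int(m.group(2), 16)
        elif key is not None and (m := STR_RE.match(line)):
            entries[key][m.group(1).lower()] = m.group(2)
    return entries

def find_indicators(text):
    """Return sorted (key, name, value) triples that match the worm's registry changes."""
    entries = parse_reg(text)
    hits = [(key, name, val) for key, names in POLICY_VALUES.items()
            for name, val in entries.get(key, {}).items() if name in names and val == 1]
    nt = entries.get(NT_KEY, {})
    hits += [(NT_KEY, name, nt[name]) for name, want in BRANDING.items() if nt.get(name) == want]
    return sorted(hits)

# Constructed sample export: NoDriveTypeAutoRun is a normal setting and must not be flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="Harry Potter"
"ProductId"="HARRY-POT-TERHATE-SYOU1"
"""
```

A real `reg export` file is UTF-16 with a BOM, so open it with `encoding="utf-16"` before passing the text to `find_indicators`.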

It also creates the following user profiles:

  • Harry-Potter
  • Hermione-Granger
  • Ron-Weasely

Symptoms

  • The error messages indicated previously
  • The infected system is drastically changed, with references to Harry Potter throughout
  • The user profiles mentioned previously appearing unexpectedly

Method of Infection

This worm may come via a spammed email or malicious link, or it may be spread by its intended method of infected removable drives.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This detection is for a worm which purports to provide details of the upcoming Harry Potter book, but makes significant system changes that render the system largely unusable. It also tries to copy itself to removable drives so that, where Autorun is enabled, it infects any system the drive is used on.
