Content

W32/Autorun.worm.h

Type
Virus
SubType
Worm
Discovery Date
07/05/2007
Length
varies
Minimum DAT
5068 (07/05/2007)
Updated DAT
5665 (07/03/2009)
Minimum Engine
5.1.00
Description Added
07/05/2007
Description Modified
12/20/2007 2:15 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This detection is for a worm.
It attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if a systems which use the removable drive are set to Autorun.

The following registry keys are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "comstr"="\"C:\\WINDOWS\\system32\\comstr.exe\""

The following files are written to root of writeable volumes:

  • AUTORUN.INF
  • BOOT.VBS
  • HP.EXE
  • SYSTEMM7.EXE

The following files are also written to the infected system:

  • %WINDIR%\SYSTEMM7.EXE
  • %WINDIR%\SYSTEM32\COMSTR.EXE
  • %WINDIR%\SYSTEM32\SYSTEMM7.EXE

Symptoms

Existence of mentioned files and registry keys

Method of Infection

This worm may be spread by its intented method of infected removable drives.

Alternatively this may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Characteristics

Characteristics -

This detection is for a worm.
It attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if a systems which use the removable drive are set to Autorun.

The following registry keys are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "comstr"="\"C:\\WINDOWS\\system32\\comstr.exe\""

The following files are written to root of writeable volumes:

  • AUTORUN.INF
  • BOOT.VBS
  • HP.EXE
  • SYSTEMM7.EXE

The following files are also written to the infected system:

  • %WINDIR%\SYSTEMM7.EXE
  • %WINDIR%\SYSTEM32\COMSTR.EXE
  • %WINDIR%\SYSTEM32\SYSTEMM7.EXE

Symptoms

Symptoms -

Existence of mentioned files and registry keys

Method of Infection

Method of Infection -

This worm may be spread by its intented method of infected removable drives.

Alternatively this may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A