W32/Autorun.worm.av

Type: Virus
SubType: Worm
Discovery Date: 11/29/2007
Length: Varies
Minimum DAT: 5174 (11/29/2007)
Updated DAT: 6304 (04/02/2011)
Minimum Engine: N/A
Description Added: 11/29/2007
Description Modified: 07/04/2008 12:39 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

The worm makes copies of itself in one or more of the following location(s):

  • %SystemDrive%:\svchovst.exe (W32/Autorun.worm.av)
  • %Windir%\svchovst.exe (W32/Autorun.worm.av)
  • X:\bluefire.exe (W32/Autorun.worm.av)

(Where %SystemDrive% is the Windows system drive letter, e.g. C:, and %Windir% is the Windows folder, e.g. C:\Windows. X:\ refers to the drive letter(s) of removable and network drives.)

It will also create the following registry key(s) to execute the worm at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"winserver" = "%Windir%\svchovst.exe /svchovst:Kernel32.Dll"

In addition, the following key(s) are also created:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\svchovstc
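The file names, Run value and Autorun.inf behaviour listed above can be matched offline against artefacts collected from a suspect volume and registry. The following triage helper is an added example, not McAfee tooling; the Autorun.inf text and the Run-key export it checks are constructed samples built from the indicators on this page.

```python
"""Offline triage of collected artefacts against the W32/Autorun.worm.av indicators.

Added example (not McAfee's code). The sample Autorun.inf and the Run-key
export below are constructed for illustration from the names in the description.
"""
import re

DROPPED_FILES = {"svchovst.exe", "bluefire.exe"}   # file names the worm drops
RUN_VALUE_NAME = "winserver"                        # Run value the worm creates
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # Autorun.inf launch directives


def _exe_name(command):
    """Lower-cased file name of the first token of a command line ('' if empty)."""
    tokens = command.strip().strip('"').split()
    if not tokens:
        return ""
    return re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section; keys lower-cased, ';' comments skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """Launch directives in Autorun.inf whose target is one of the dropped file names."""
    return [(k, v) for k, v in parse_autorun_inf(text).items()
            if k in LAUNCH_KEYS and _exe_name(v) in DROPPED_FILES]


def run_key_findings(run_values):
    """run_values: {value_name: data} exported from HKLM\\...\\CurrentVersion\\Run."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or _exe_name(data) in DROPPED_FILES]


# Constructed samples: a root Autorun.inf pointing at the dropped copy, and a Run-key export.
SAMPLE_AUTORUN = ("[autorun]\r\nopen=bluefire.exe\r\nshellexecute=\"bluefire.exe\"\r\n"
                  "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
SAMPLE_RUN = {"winserver": r"C:\Windows\svchovst.exe /svchovst:Kernel32.Dll",
              "ctfmon.exe": r"C:\Windows\system32\ctfmon.exe"}

if __name__ == "__main__":
    print("autorun.inf:", autorun_findings(SAMPLE_AUTORUN))
    print("Run key:", run_key_findings(SAMPLE_RUN))
```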

Symptoms

  • Presence of the files/registry keys mentioned.

Method of Infection

This worm attempts to copy itself to the root of any accessible disk volumes, such as removable and network drive media.

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

N/A
