W32/Autorun.worm.g!f9007a93

Type
Virus
SubType
Worm
Discovery Date
12/12/2007
Length
229,489 bytes
Minimum DAT
5185 (12/13/2007)
Updated DAT
5185 (12/13/2007)
Minimum Engine
5.1.00
Description Added
12/12/2007
Description Modified
12/12/2007 10:31 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a worm which can propagate over removable media and network drives and cause execution of malicious code via an autorun.inf file.

When run, the following files are created:

  • %Windir%\autorun.inf
  • %Windir%\Funny UST Scandal.exe
  • %Windir%\xmss.exe
  • C:\autorun.inf
  • C:\Funny UST Scandal.avi.exe
  • C:\xmss.exe
  • X:\autorun.inf
  • X:\Funny UST Scandal.avi.exe
  • X:\xmss.exe

(Where %Windir% is the Windows folder, e.g. C:\Windows, and X: stands for the drive letter of each removable or network drive the worm can reach.)
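The autorun.inf the worm writes to each drive is not reproduced on this page. The following Python script is an added example for this description (not code from the page, from McAfee or from the worm): it parses an autorun.inf and reports every key that makes Windows launch something when the drive is inserted or opened, and whether the target is an executable hiding behind a decoy extension such as .avi.exe. The key names it looks for (open, shellexecute, shell\<verb>\command) are the standard ones Windows honours; the sample file contents are constructed to match the dropped file names listed above.

```python
"""Static triage of an autorun.inf: which keys launch code, and what do they point at?

Added example for this description; it is not code from the page or from the worm.
"""
import ntpath
import re

# [autorun] keys whose value Windows runs on insertion, on double-click, or as a context-menu verb
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
# "document" extensions used as a decoy in front of the real one, e.g. movie.avi.exe
DECOY_EXTS = {".avi", ".mpg", ".mpeg", ".wmv", ".jpg", ".jpeg", ".gif", ".doc", ".txt", ".mp3", ".pdf"}


def parse_inf(text):
    """Minimal INI reader: {section_lower: [(key_lower, value), ...]}, keeping order and duplicates."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_target(cmdline):
    """Program part of an autorun command line.

    Quoted paths are taken verbatim. For unquoted ones Windows tries each space-delimited
    prefix in turn, so return the first prefix with an executable extension, else the first token.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    tokens = cmdline.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if ntpath.splitext(candidate)[1].lower() in EXEC_EXTS:
            return candidate
    return tokens[0]


def analyze_autorun(text):
    """One finding per key that makes Windows launch something from the drive."""
    findings = []
    for section, items in parse_inf(text).items():
        # [autorun.<arch>] sections are honoured by the matching Windows build
        if section != "autorun" and not section.startswith("autorun."):
            continue
        for key, value in items:
            if key not in LAUNCH_KEYS and not SHELL_COMMAND_RE.match(key):
                continue
            target = launch_target(value)
            root, ext = ntpath.splitext(ntpath.basename(target).lower())
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append("executable target")
                decoy = ntpath.splitext(root)[1]
                if decoy in DECOY_EXTS:
                    reasons.append("double extension masquerading as " + decoy)
            findings.append({"key": key, "target": target, "reasons": reasons})
    return findings


# Constructed sample modelled on the file names this worm drops; NOT the worm's real autorun.inf.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=Funny UST Scandal.avi.exe
shell\open\Command="Funny UST Scandal.avi.exe" -autorun
shell\explore\command=xmss.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for f in analyze_autorun(SAMPLE_AUTORUN_INF):
        print(f"{f['key']:25} -> {f['target']!r}  {', '.join(f['reasons']) or 'non-executable target'}")
```

Run it against the autorun.inf from the root of a suspect drive (copy the file off the drive first; never double-click the drive in Explorer). The icon and action keys are deliberately ignored: they only decorate the AutoPlay prompt, whereas open, shellexecute and every shell\<verb>\command entry decide what actually runs.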

The following registry value is modified so that the worm is launched alongside the Explorer shell whenever a user logs on:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe, xmss.exe"

It goes on to modify the following system configuration values, which stop Explorer from displaying hidden files and disable the AutoRun ("Autoplay") feature on all drive types:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0x000000FF"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0x00000000"
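The registry values above are what a responder looks for in an exported hive. The following Python script is an added example, not part of the description or of any vendor tool: it parses the text format written by `reg export` (or a regedit .reg file) and reports the three indicators: extra programs in Winlogon\Shell, NoDriveTypeAutoRun set to 0xFF, and SHOWALL\CheckedValue no longer REG_DWORD 1. The two embedded exports are constructed to reproduce the values listed above, not taken from a real host. One caveat: 0xFF is by itself the value Microsoft recommends for disabling AutoRun on every drive type, so that indicator only corroborates the other two.

```python
"""Check a `reg export` text dump for this worm's registry indicators.

Added example for this description; it is not code from the page or from any vendor tool.
"""
import re

# "Name"=data or @=data; the name may contain escaped quotes
REG_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES_EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
SHOWALL = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\advanced\folder\hidden\showall")


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """{key_path_lower: {value_name_lower: value}} from REGEDIT4 / 5.00 text.

    Strings become str, dword values become int, other forms (hex:, hex(2):, '-') are kept
    as raw text. `reg export` writes UTF-16LE, so decode a file with encoding="utf-16" first.
    """
    keys, current, continued = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if continued:  # binary data wrapped over several lines ending in a backslash
            continued = line.endswith("\\")
            continue
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-").lower()
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = (_unescape(m.group(1)) if m.group(1) is not None else "").lower()
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
            continued = data.endswith("\\")
        keys[current][name] = value
    return keys


def check_worm_iocs(reg_text):
    """(indicator, detail) pairs; empty when none of the description's registry IOCs are present."""
    reg = parse_reg_export(reg_text)
    findings = []
    # Persistence: a clean Winlogon\Shell is exactly "explorer.exe"; every further
    # comma-separated entry is started with the shell at each logon.
    shell = reg.get(WINLOGON, {}).get("shell")
    if isinstance(shell, str):
        extra = [p.strip() for p in shell.split(",") if p.strip() and p.strip().lower() != "explorer.exe"]
        if extra:
            findings.append(("winlogon_shell_extra_program", extra))
    # Tampering: AutoRun disabled for every drive type (0xFF). Also the recommended hardening
    # value, so it corroborates the other two indicators rather than proving infection alone.
    ndta = reg.get(POLICIES_EXPLORER, {}).get("nodrivetypeautorun")
    if ndta == 0xFF:
        findings.append(("nodrivetypeautorun_all_drives", hex(ndta)))
    # Tampering: SHOWALL\CheckedValue is REG_DWORD 1 on a clean system; 0 (or a string such as
    # "1", i.e. a type change) breaks the "Show hidden files and folders" option.
    checked = reg.get(SHOWALL, {}).get("checkedvalue")
    if checked is not None and checked != 1:
        findings.append(("showall_checkedvalue_tampered", checked))
    return findings


# Constructed samples in .reg format reproducing the values in the description; not real exports.
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, xmss.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"Type"="radio"
"""

CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
"""

if __name__ == "__main__":
    for indicator, detail in check_worm_iocs(INFECTED_REG_EXPORT):
        print(indicator, detail)
```

On a live host the three keys can be dumped with `reg export` into one file per key and the files concatenated before parsing; on a disk image, export them from the offline SOFTWARE and NTUSER.DAT hives with a registry tool of your choice. Checking Winlogon\Shell for anything beyond explorer.exe is worth keeping in routine triage regardless of this variant, since the value is a persistence point shared by many autorun worms.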

This worm variant may also terminate certain running processes including:

  • Task Manager (taskmgr.exe)
  • Command Prompt (cmd.exe)
  • Process Explorer (procxp.exe)
  • etc.

Symptoms

  • Presence of the mentioned file(s)/registry key(s)
  • Unexpected termination of running processes
  • Unexpected program execution from removable or network drive(s)
  • An executable file named with a .avi extension (e.g. Funny UST Scandal.avi.exe) that shows an AVI movie icon; with "Hide extensions for known file types" enabled, Explorer shows only the .avi part of the name

Method of Infection

This worm can propagate over removable media and network drives and cause the automatic execution of malicious code via an autorun.inf file.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system start-up will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

Aliases

  • virus.win32.autorun.abt (Kaspersky)
  • w32/autorun.fj.worm (Panda)
  • worm:win32/autorun.m (Microsoft)
