W32/Autorun.worm.cb

Content

W32/Autorun.worm.cb

Type: Virus
SubType: Worm
Discovery Date: 04/11/2008
Length: varies
Minimum DAT: 5272 (04/11/2008)
Updated DAT: 5353 (08/04/2008)
Minimum Engine: 5.1.00
Description Added: 04/11/2008
Description Modified: 04/11/2008 5:06 AM (PT)

Risk Assessment

Corporate User: Low-Profiled
Home User: Low-Profiled

Tab Navigation

Characteristics

-- Update April 11, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_and_hacking&articleId=9075438&taxonomyId=82&intsrc=kc_top

--

This detection is for a worm that spreads by copying itself to other drives, and also downloads additional malware.

On execution, this worm copies itself into the %Temp% folder.

%Temp%\WinUpdter.exe

The worm then launches a new instance of svchost.exe, and injects itself into this process.

It then connects to the following sites, probably to download additional malware.

61.220.112.238
202.142.180.165
203.118.40.36

at the time of writing this description, the above websites were unresponsive.

The worm adds the following registry key to load itself at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "WindowsUpdater"
Data: %Temp%\WinUpdter.exe

The worm adds following registry keys to disable displaying of hidden files.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "ShowSuperHidden"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Advanced "Explorer"

Additionally, this worm may also add an "autorun.inf" file in the root of C-drive.

Symptoms

Presence of files and registry keys mentioned above.
Network traffic, connecting to the sites mentioned.

Method of Infection

This worm primarily spreads by infected removable drives.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This detection is for a worm that spreads by copying itself to other drives, and also downloads additional malware.

Aliases

W32.SillyFDC (Symantec)

W32/AutoRun.KB!worm (Fortinet)

Win32/AutoRun.KB (NOD32)

Worm.Win32.AutoRun.dgv (Kaspersky)

Worm:Win32/Silly.P (Microsoft)

Characteristics

Characteristics -

This detection is for a worm that spreads by copying itself to other drives, and also downloads additional malware.

On execution, this worm copies itself into the %Temp% folder.

%Temp%\WinUpdter.exe

The worm then launches a new instance of svchost.exe, and injects itself into this process.

It then connects to the following sites, probably to download additional malware.

61.220.112.238
202.142.180.165
203.118.40.36

at the time of writing this description, the above websites were unresponsive.

The worm adds the following registry key to load itself at system startup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "WindowsUpdater"
Data: %Temp%\WinUpdter.exe

The worm adds following registry keys to disable displaying of hidden files.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "ShowSuperHidden"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Advanced "Explorer"

Additionally, this worm may also add an "autorun.inf" file in the root of C-drive.

Symptoms

Symptoms -

Presence of files and registry keys mentioned above.
Network traffic, connecting to the sites mentioned.

Method of Infection

Method of Infection -

This worm primarily spreads by infected removable drives.

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Global Sites

Need Help?

Threat Center

Segment Navigation

Section Navigation

Content