W32/Generic.worm.i!452413F5

Type: Virus
SubType: Worm
Discovery Date: 05/01/2008
Length: 249,627 bytes
Minimum DAT: 5288 (05/05/2008)
Updated DAT: 5288 (05/05/2008)
Minimum Engine: 5.1.00
Description Added: 05/01/2008
Description Modified: 05/01/2008 9:27 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This detection is for a worm written in AutoIt script and compiled as a stand-alone executable.

The worm tries to copy itself to the following locations:

  • C:\WINDOWS\Document1.exe
  • D:\Document1.exe
  • E:\Document1.exe
  • F:\Document1.exe
  • G:\Document1.exe
  • H:\Document1.exe
  • I:\Document1.exe
  • J:\Document1.exe
  • K:\Document1.exe
  • L:\Document1.exe


It sends the following files to the recycle bin if possible:

  • D:\autorun.inf
  • E:\autorun.inf
  • F:\autorun.inf
  • G:\autorun.inf
  • H:\autorun.inf
  • I:\autorun.inf
  • J:\autorun.inf
  • K:\autorun.inf
  • L:\autorun.inf

It then copies "C:\WINDOWS\autorun.inf" to the following locations:

  • D:\autorun.inf
  • E:\autorun.inf
  • F:\autorun.inf
  • G:\autorun.inf
  • H:\autorun.inf
  • I:\autorun.inf
  • J:\autorun.inf
  • K:\autorun.inf
  • L:\autorun.inf

It tries to set the following file attributes:

  • "C:\WINDOWS\Document1.exe", "+RASH"
  • "C:\WINDOWS\autorun.inf", "+RASH"
  • "D:\Document1.exe", "-SH"
  • "E:\Document1.exe", "-SH"
  • "F:\Document1.exe", "-SH"
  • "G:\Document1.exe", "-SH"
  • "H:\Document1.exe", "-SH"
  • "I:\Document1.exe", "-SH"
  • "J:\Document1.exe", "-SH"
  • "K:\Document1.exe", "-SH"
  • "L:\Document1.exe", "-SH"
  • "D:\autorun.inf", "+RASH"
  • "E:\autorun.inf", "+RASH"
  • "F:\autorun.inf", "+RASH"
  • "G:\autorun.inf", "+RASH"
  • "H:\autorun.inf", "+RASH"
  • "I:\autorun.inf", "+RASH"
  • "J:\autorun.inf", "+RASH"
  • "K:\autorun.inf", "+RASH"
  • "L:\autorun.inf", "+RASH"

"R" = READONLY
"A" = ARCHIVE
"S" = SYSTEM
"H" = HIDDEN

The following registry key is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Document1="C:\WINDOWS\ .exe"

Symptoms

Existence of the files/Registry keys detailed above
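
A read-only way to check a host for these symptoms, given as an added example that is not part of the original description or any vendor tooling. The function name and output fields are illustrative; the paths, drive letters, file length and Run value name are the ones listed above.

```powershell
# Added example: read-only check for the artifacts listed in this description.
# Paths, drive letters D-L, the 249,627-byte length and the Run value name
# come from the page; the function name and output fields are illustrative.
function Get-Document1WormArtifact {
    [CmdletBinding()]
    param(
        [string[]]$DriveLetters = @('D','E','F','G','H','I','J','K','L'),
        [string]$WindowsDir = 'C:\WINDOWS'
    )

    $paths = @("$WindowsDir\Document1.exe", "$WindowsDir\autorun.inf")
    foreach ($letter in $DriveLetters) {
        $paths += "${letter}:\Document1.exe", "${letter}:\autorun.inf"
    }

    foreach ($path in $paths) {
        # -Force is needed because the worm marks several of these files
        # System + Hidden; missing drives and files are skipped silently.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        [pscustomobject]@{
            Kind       = 'File'
            Location   = $item.FullName
            Attributes = $item.Attributes.ToString()
            # Only meaningful for Document1.exe: length given in the description.
            SizeMatch  = ($item.Name -ieq 'Document1.exe' -and $item.Length -eq 249627)
        }
    }

    # Report the Run value's data as found; it is not compared to a fixed string.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'Document1' -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{
            Kind       = 'RunValue'
            Location   = "$runKey\Document1"
            Attributes = $run.Document1
            SizeMatch  = $false
        }
    }
}

Get-Document1WormArtifact | Format-Table -AutoSize
```

An autorun.inf on its own is common on legitimate media; a Document1.exe beside it, together with the attributes listed above, is what matches this description.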

Method of Infection

This worm may spread through its intended method: infected removable drives.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Trojan-Downloader.Win32.AutoIt.ai (Kaspersky)
