W32/Autorun.worm.cp

Type
Virus
SubType
Worm
Discovery Date
05/14/2008
Length
various
Minimum DAT
5295 (05/14/2008)
Updated DAT
5793 (11/05/2009)
Minimum Engine
5.2.00
Description Added
05/14/2008
Description Modified
04/22/2009 2:02 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics


W32/Autorun.worm.cp is a worm that attempts to spread to removable drives and shared folders by creating an autorun.inf file, which launches the worm automatically on any system that uses the removable drive and has Autorun enabled.

Upon execution, the worm creates the following files:

  • %USER_PROFILE%\Application Data\Game Over¿¿¿1630.txt
  • %USER_PROFILE%\autorun.inf
  • %USER_PROFILE%\VenoM
  • %WinDir%\SVCHOST.EXE

(where %USER_PROFILE% is the default user profile folder, for example C:\Documents and Settings\Administrator if the current user is Administrator.)
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It drops the following files in the root of every drive and shared folder:

  • [Drive]:\autorun.inf
  • [Drive]:\Death the [USER_NAME].exe

(if the current user is Administrator, then the file name is Death the Administrator.exe.)

  • [Drive]:\VenoM.666\VENOM.EXE

It adds or modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VenoM: "%WinDir%\SVCHOST.EXE"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000002
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
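The following script is an added triage example written for this page; it is not McAfee tooling and not part of the original advisory. It turns the file and registry indicators listed above into checks a responder can run: one function parses the text of a `reg export` dump and flags the listed policy and Run values, one checks a mounted drive root (or any directory) for the dropped files, and one reports what an autorun.inf on that drive would launch. The function names, the `.reg` dump and the drive layout are all constructed for the example so that it runs offline on any platform.

```python
"""Added triage helper for the W32/Autorun.worm.cp indicators listed above.

Hypothetical example, not McAfee tooling. It works on `reg export` text and
on a directory path (e.g. a mounted removable drive root), so it runs offline;
the sample data at the bottom is constructed, not captured from an infection.
"""
import os
import tempfile

# Registry values from the advisory, lower-cased full path -> expected DWORD.
REG_IOCS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\nofolderoptions": 1,
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system\disabletaskmgr": 1,
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system\disableregistrytools": 1,
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced\hidden": 2,
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced\hidefileext": 1,
    r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced\showsuperhidden": 0,
}
RUN_VALUE = r"hkey_local_machine\software\microsoft\windows\currentversion\run\venom"


def parse_reg_export(text):
    """Parse .reg (reg export) text into {key\\valuename (lower-cased): value}.

    dword: values become ints; everything else is kept as the unquoted string.
    """
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            val = int(raw[len("dword:"):], 16) if raw.startswith("dword:") else raw.strip('"')
            values[(key + "\\" + name).lower()] = val
    return values


def check_registry(reg_text):
    """Return the advisory's registry indicators that are present in a .reg dump."""
    values = parse_reg_export(reg_text)
    hits = [path for path, expected in REG_IOCS.items() if values.get(path) == expected]
    run = values.get(RUN_VALUE)
    # The worm's Run entry points at %WinDir%\SVCHOST.EXE; the genuine svchost.exe
    # lives under System32, so a svchost outside System32 is the signal here.
    if isinstance(run, str) and run.lower().endswith("svchost.exe") and "system32" not in run.lower():
        hits.append(RUN_VALUE)
    return hits


def check_drive_root(root, user_name):
    """Return the dropped-file paths from the advisory that exist under `root`."""
    candidates = [
        "autorun.inf",
        f"Death the {user_name}.exe",
        os.path.join("VenoM.666", "VENOM.EXE"),
    ]
    return [p for p in candidates if os.path.isfile(os.path.join(root, p))]


def autorun_target(inf_text):
    """Return the command an [autorun] section would launch (open= or shellexecute=), or None."""
    in_autorun = False
    for line in inf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_autorun = s.lower() == "[autorun]"
        elif in_autorun and "=" in s:
            k, _, v = s.partition("=")
            if k.strip().lower() in ("open", "shellexecute"):
                return v.strip()
    return None


# --- constructed sample data (not a real capture) ---------------------------
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VenoM"="C:\\WINDOWS\\SVCHOST.EXE"
"""

SAMPLE_INF = "[autorun]\nopen=Death the Administrator.exe\n"


def build_sample_drive():
    """Create a temp directory laid out like an infected drive root (empty stand-in files)."""
    root = tempfile.mkdtemp(prefix="autorun_cp_")
    os.makedirs(os.path.join(root, "VenoM.666"))
    for rel in ("autorun.inf", "Death the Administrator.exe", os.path.join("VenoM.666", "VENOM.EXE")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(SAMPLE_INF if rel == "autorun.inf" else "")
    return root


if __name__ == "__main__":
    print("registry hits:", check_registry(SAMPLE_REG))
    root = build_sample_drive()
    print("dropped files:", check_drive_root(root, "Administrator"))
    with open(os.path.join(root, "autorun.inf")) as fh:
        print("autorun would launch:", autorun_target(fh.read()))
```

On a live Windows host, feed `check_registry` the output of `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` (reg.exe writes UTF-16, so open the files with that encoding), and point `check_drive_root` at each mounted volume. Weigh the hits: `HideFileExt` = 1 and `ShowSuperHidden` = 0 are Windows defaults and `Hidden` = 2 is a common user setting, so on their own they prove nothing; `DisableTaskMgr`, `DisableRegistryTools`, the `VenoM` Run entry and a `svchost.exe` sitting in %WinDir% rather than System32 are the indicators worth acting on.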

Symptoms

Existence of mentioned files and registry keys

Method of Infection

This worm may be spread via removable drives and shared folders.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a worm that attempts to copy itself to the root of any accessible disk volume. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.
