W32/Autorun.worm.cw

Content

W32/Autorun.worm.cw

Type: Virus
SubType: Worm
Discovery Date: 05/29/2008
Length: 21153 bytes
Minimum DAT: 5306 (05/29/2008)
Updated DAT: 5307 (05/30/2008)
Minimum Engine: 5.1.00
Description Added: 05/29/2008
Description Modified: 05/29/2008 4:44 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

This detection is for a worm that attempts to copy itself to the root of any accessible disk drive. Additionally it attempts to place an Autorun.inf file on the root of any accessible disk so that it is executed the next time the disk is mounted.

It attempts to spread to removable drives by creating an autorun.inf file, which will executes the worm automatically.

* The worm modifies image file execution option key for the following application to point to the worm. When any of the listed application is invoked by the user the worm is launched.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDOCTOR.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE

"Debugger" = %system%\1EXPL0RE.EXE

* This worm copies the following files as the part of it's installation routine.
    Files:
     %system%\1expl0re.exe (copy of the worm itself)
    %system%\bthcl.dll (legitimate urlmon.dll copied to bthc1.dll)

* Attempts to downloads variants of PWS-OnlineGames and PWS-WoW from www .baiduoo.com

* This worm also attempts to create an autorun.inf file on the root any accessible disk volumes.
[Drive]:\autorun.inf

* The autorun.inf will reference one of the following files that will also be written to the root of the volume.
    (Additional filenames may be found in other variants of this worm)
    [Drive]:\msdn.pif
    [Drive]:\rising.pif

Symptoms

Existence of mentioned files and registry keys.

Method of Infection

This worm may be spread by its intented method of infected removable drives.

Alternatively this may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

Aliases

Microsoft - TrojanDownloader:Win32/Small.gen!N

Sophos - Mal/Basine-C

Characteristics

Characteristics -

It attempts to spread to removable drives by creating an autorun.inf file, which will executes the worm automatically.

* Attempts to downloads variants of PWS-OnlineGames and PWS-WoW from www .baiduoo.com

* This worm also attempts to create an autorun.inf file on the root any accessible disk volumes.
[Drive]:\autorun.inf

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content