W32/Autorun.worm.eb
- Type: Virus
- SubType: Worm
- Discovery Date: 08/27/2008
- Length
- Minimum DAT: 5371 (08/27/2008)
- Updated DAT: 5371 (08/27/2008)
- Minimum Engine: 5.1.00
- Description Added: 08/27/2008
- Description Modified: 08/27/2008 1:32 AM (PT)
Characteristics
W32/Autorun.worm.eb is a worm that attempts to copy itself to the root of every accessible disk volume. It also attempts to place an Autorun.inf file in the root of the volume so that the worm is executed the next time the volume is mounted.
Upon execution, the W32/Autorun.worm.eb virus copies itself to:
- %WinDir%\userinit.exe
- %WinDir%\system32\system.exe
The following files are written to the root of writeable volumes:
- Autorun.inf
- System Volume Information.exe
The following file is created:
- %WinDir%\kdcoms.dll
This file contains the following text 'Do not kill me...please'.
Upon execution, the following registry elements are changed:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- hidefileext = 1
- supperhidden = 0
- hidden = 2
W32/Autorun.worm.eb also overwrites the following file:
- %WinDir%\system32\drivers\etc\hosts
Symptoms
Presence of the above files
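The file indicators listed above can be checked with a short script. This is an added example, not McAfee's detection logic; the function names are hypothetical, and the Autorun.inf content in the demo is constructed, since the write-up does not reproduce it.

```python
import os
import re
import tempfile

# Names taken from the write-up; compared case-insensitively as on Windows.
ROOT_DROPS = ("autorun.inf", "system volume information.exe")
WINDIR_DROPS = ("userinit.exe", "system32/system.exe", "kdcoms.dll")
MARKER = b"Do not kill me...please"
# Standard Autorun.inf keys that name a program to launch.
LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)

def autorun_targets(inf_path):
    """Return every command an Autorun.inf asks the shell to launch."""
    with open(inf_path, "r", errors="replace") as fh:
        return [m.group(2) for m in map(LAUNCH_KEY.match, fh) if m]

def scan_volume_root(root):
    """Flag the worm's root-level files and what Autorun.inf would run."""
    present = {n.lower(): os.path.join(root, n) for n in os.listdir(root)}
    # The genuine "System Volume Information" is a directory, so require a file.
    hits = [("root-file", d) for d in ROOT_DROPS if os.path.isfile(present.get(d, ""))]
    if os.path.isfile(present.get("autorun.inf", "")):
        hits += [("autorun-launch", t) for t in autorun_targets(present["autorun.inf"])]
    return hits

def scan_windir(windir):
    """Flag the listed files under %WinDir%; marker text upgrades the finding."""
    hits = []
    for rel in WINDIR_DROPS:
        path = os.path.join(windir, *rel.split("/"))
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            kind = "marker-file" if MARKER in fh.read(4096) else "windir-file"
        hits.append((kind, rel))
    return hits

if __name__ == "__main__":
    # Constructed sample: a fake volume root; the Autorun.inf content is assumed.
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "System Volume Information.exe"), "wb").close()
        with open(os.path.join(root, "Autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=System Volume Information.exe\n")
        for hit in scan_volume_root(root):
            print(hit)
```

Point `scan_volume_root` at the root of each mounted volume and `scan_windir` at `%WinDir%`; a `System Volume Information` directory on its own is normal and is not reported.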
Method of Infection
This worm may spread over a network or by being copied to removable media such as a removable disk, writable CD, or USB drive.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A