
W32/Autorun.worm.zu

Type: Virus
SubType: Worm
Discovery Date: 01/23/2009
Length: Varies
Minimum DAT: 5504 (01/23/2009)
Updated DAT: 6401 (07/08/2011)
Minimum Engine: 5.2.00
Description Added: 01/23/2009
Description Modified: 02/03/2009 2:02 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled


Overview

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm with regard to file names, folders created and so on differ from one version to another, so this is a general description.

Aliases

  • Mal/Alureon-C [Sophos]
  • Packed.Win32.Tdss.a [Kaspersky]
  • Trojan.Win32.Nodef.alk [Rising]
  • Trojan:Win32/Alureon.gen!J [Microsoft]
  • WORM_AQPLAY.A [Trend Micro]

Characteristics

--- Update February 3, 2009 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention:

http://www.theregister.co.uk/2009/02/02/google_video_search_poisoned/

When executed, the worm drops the following files:

It then creates a folder named "resycled" in the root of every fixed and removable drive, places a file named "ntldr.com" in that folder, and writes an "autorun.inf" configuration file in the drive root. Note that "ntldr.com" is not the Windows boot loader: the real NTLDR is an extensionless file in the root of the system drive, and the name is chosen to look familiar to anyone who inspects the drive.

The worm also creates the following registry keys:

  • HKEY_Local_Machine\Software\Classes\aquaplay\CLSID
    (Default) = "{6BF52A52-394A-11D3-B153-00C04F79FAA6}"
  • HKEY_Local_Machine\Software\Classes\gaopdxvx

The CLSID value itself is the one Windows registers for the Windows Media Player ActiveX control, so it is not a useful indicator on its own; what is anomalous is the presence of the class names "aquaplay" and "gaopdxvx" under HKEY_Local_Machine\Software\Classes, and those are the names to hunt for.

Note:

  • %System% is a variable that refers to the System folder.
    By default, this is C:\Windows\System32 on Windows XP.
  • %Temp% is a variable that refers to the user's temporary folder.
    By default, this is C:\Documents and Settings\<User>\Local Settings\Temp on Windows XP.

The worm then attempts to connect to 94.247.2.193 on TCP port 80, possibly to post information about the infected machine to the attacker's site. This address is a 2009-era indicator: it is worth alerting on outbound connections to it, but expect the address to have been reassigned since, so treat a hit as a lead to confirm rather than proof of infection.

Symptoms

  • Presence of the files and registry entries mentioned above
  • Presence of an autorun.inf file in the root of removable and fixed drives, alongside a "resycled" folder containing "ntldr.com"

Method of Infection

This worm is dropped by W32/Autorun.worm.zu.dr. It spreads by copying itself, together with an "autorun.inf", to network shares and removable devices.

Infection starts either when a user runs the infected file manually or when the user opens the drive or folder containing it, where the "autorun.inf" file can cause Windows to execute the worm automatically (on systems where AutoRun is enabled for that drive type).
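As an added triage example (not McAfee/AVERT code and not taken from this description), the following Python script checks a drive root for the artifacts listed in the Characteristics, Symptoms and Method of Infection sections: a "resycled" folder holding "ntldr.com", and an autorun.inf whose open, shellexecute or shell\...\command entries point into that folder. The autorun.inf contents are constructed for illustration, since the worm's actual file is not reproduced here; the scan runs against temporary directories laid out to look like an infected and a clean drive root, and on Windows it can be pointed at live drive letters.

```python
"""Triage helper for W32/Autorun.worm.zu-style artifacts on a drive root.

Added example, not McAfee/AVERT code. The folder and file names come from
the description; the sample autorun.inf below is constructed.
"""
import os
import string
import tempfile
from pathlib import Path

# Artifacts named in the description.
DROP_FOLDER = "resycled"
DROP_FILE = "ntldr.com"
AUTORUN_NAME = "autorun.inf"

# Constructed sample of an autorun.inf that launches the dropped file.
# It is an illustration, not a copy of the worm's actual file.
SAMPLE_AUTORUN_INF = """[autorun]
open=resycled\\ntldr.com
shell\\open\\command=resycled\\ntldr.com
shell\\explore\\command=resycled\\ntldr.com
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun_inf(text: str) -> dict:
    """Return key/value pairs from the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser: worm-written files often carry
    junk lines, duplicate keys or odd casing that configparser rejects.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """Values Explorer/AutoPlay would execute: open, shellexecute and any
    shell\\<verb>\\command key. icon= and label= are cosmetic and ignored."""
    return [
        value for key, value in entries.items()
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def scan_drive_root(root) -> dict:
    """Look for the worm's artifacts in one drive root and return findings."""
    root = Path(root)
    result = {"root": str(root), "autorun_present": False,
              "autorun_targets": [], "dropped_file_present": False,
              "flagged": False}
    autorun = root / AUTORUN_NAME
    if autorun.is_file():
        result["autorun_present"] = True
        text = autorun.read_text(encoding="latin-1", errors="replace")
        result["autorun_targets"] = launch_targets(parse_autorun_inf(text))
    result["dropped_file_present"] = (root / DROP_FOLDER / DROP_FILE).is_file()
    # Flag on the dropped file itself, or on an autorun.inf that points into
    # the "resycled" folder (catches a variant that renamed the payload).
    points_into_drop_folder = any(
        DROP_FOLDER in t.lower() for t in result["autorun_targets"])
    result["flagged"] = result["dropped_file_present"] or points_into_drop_folder
    return result


def live_drive_roots() -> list:
    """On Windows, the roots of all mounted drive letters; empty elsewhere."""
    if os.name != "nt":
        return []
    return [Path(f"{letter}:\\") for letter in string.ascii_uppercase
            if Path(f"{letter}:\\").exists()]


def build_infected_sample(base) -> Path:
    """Constructed drive root carrying the artifacts (placeholder bytes,
    not the worm)."""
    root = Path(base) / "E"
    (root / DROP_FOLDER).mkdir(parents=True)
    (root / DROP_FOLDER / DROP_FILE).write_bytes(b"MZ" + b"\x00" * 62)
    (root / AUTORUN_NAME).write_text(SAMPLE_AUTORUN_INF)
    return root


def build_clean_sample(base) -> Path:
    """Constructed drive root with a benign, icon-only autorun.inf."""
    root = Path(base) / "F"
    root.mkdir(parents=True)
    (root / AUTORUN_NAME).write_text("[autorun]\nicon=setup.exe,0\nlabel=Vendor Tools\n")
    return root


def demo() -> dict:
    """Scan one infected-looking and one benign constructed root."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = scan_drive_root(build_infected_sample(tmp))
        clean = scan_drive_root(build_clean_sample(tmp))
    return {"infected": infected, "clean": clean}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "FLAGGED" if r["flagged"] else "ok", r["autorun_targets"])
    for root in live_drive_roots():
        r = scan_drive_root(root)
        print(r["root"], "FLAGGED" if r["flagged"] else "ok", r["autorun_targets"])
```

The flag deliberately keys on the "resycled" folder rather than on the presence of autorun.inf alone: vendor media legitimately carries icon-only autorun.inf files, as the clean sample shows, and an alert on every autorun.inf would drown the signal. Treat a FLAGGED root as a lead to confirm with the registry keys and the outbound connection described above.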

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants

    N/A