Trojan:W32/Autoit.BN is a trojan that copies itself to USB memory sticks, deletes anti-virus software, and changes system settings.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When executed, AutoIt.BN copies itself to the following location on the hard drive:
Note: %Windir% represents the default Windows folder.
AutoIt.BN also copies itself to removable drives as a file called system.exe.
Additionally it also makes another copy of itself to removable drives with which it tries to impersonate a pre-existing folder. The trojan alphabetically searches the root folder of removable drives for the first entry that has no file extension. It then copies itself to the same root folder using the name of the folder it discovers and uses a file extension of EXE.
The folder the trojan impersonates will be set as a hidden file. This masquerade is improved by changing the registry in such a way that known file extensions are hidden so that the EXE extension is not visible. Hidden files are not visible in Explorer even if the system user adjusts the folder options to show hidden files.
The trojan does not necessarily "replace" a folder, as files do not always have an extension. The fact the trojan's icon resembles a folder implies that the intent of the author was to replace folders.
Once run, Trojan:W32/AutoIt.BN checks the currently running processes for the following programs:
If any of the programs are running the trojan restarts the computer.
The following processes will be terminated by the trojan:
Interestingly, handydriver.exe, kerneldrive.exe, and winsystem.exe are often used by other malicious programs. Trojan:W32/AutoIt.BN also deletes the autorun.inf file from fixed drives so it is possible the trojan is attempting to dominate other autorun malware.
The following registry entries are set:
The purpose of the registry modifications is to make detecting and removing the trojan more difficult. The last entry in the list executes the trojan at startup so it gets run when the infected computer is booted.
The following registry entries are deleted:
The following files are deleted:
By deleting the three files and removing two of its registry keys the trojan tries to render NOD32 antivirus program inoperable. Trojan:W32/AutoIt.BN remains memory resident once executed and repeats all operations every 40 seconds, making manual disinfection very difficult while the trojan is running.