F-Secure
Tools
Worm:W32/AutoIt.Q
Summary
This malware spreads by copying itself to removable devices and replacing the autorun.inf of the device with its own copy to ensure automatic execution.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Details
File System Changes
Creates these files:
- %windir%\system32\csrcs.exe
- %temp%\suicide.bat
Modified these files:
- %temp%\aut1.tmp
- %temp%\
- %temp%\aut2.tmp
- %temp%\
Process Changes
Creates these processes:
- %windir%\system32\csrcs.exe
- %windir%\system32\cmd.exe
- %windir%\system32\ping.exe
Creates these mutexes:
- 6E523163793968624
Registry Modifications
Sets these values:
- HKLM\Software\Microsoft\DRM\amty
ilop = 1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\MUICache\
C:\WINDOWS\system32\csrcs.exe = - HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
csrcs = C:\WINDOWS\system32\csrcs.exe - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe csrcs.exe - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 4718592 - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 4718706 - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 4718706 - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 6553701 - HKLM\Software\Microsoft\DRM\amty
fix = - HKLM\Software\Microsoft\DRM\amty
fix1 = 1
Creates these keys:
- HKLM\Software\Microsoft\DRM\amty
Additional Details
The file called suicide.bat is an installation helper file that deletes the original malware file. It performs a ping loopback on the system to check for the presence of a functioning network card.
After completing its routine, the batch file deletes itself.
After completing its routine, the batch file deletes itself.