Where You Are

Worm:W32/AutoIt.Q


Name :	Worm:W32/AutoIt.Q
Size:	485692
Category:	Malware
Type:	Worm
Platform:	W32
Date of Discovery:	November 24, 2008

Summary

This malware spreads by copying itself to removable devices and replacing the autorun.inf of the device with its own copy to ensure automatic execution.

Details

File System Changes
Creates these files:

• %windir%\system32\csrcs.exe

• %temp%\suicide.bat

Modified these files:

• %temp%\aut1.tmp

• %temp%\

• %temp%\aut2.tmp

• %temp%\

Process Changes
Creates these processes:

• %windir%\system32\csrcs.exe

• %windir%\system32\cmd.exe

• %windir%\system32\ping.exe

Creates these mutexes:

• 6E523163793968624

Registry Modifications
Sets these values:

• HKLM\Software\Microsoft\DRM\amty
ilop = 1

• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\MUICache\
C:\WINDOWS\system32\csrcs.exe =

• HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
csrcs = C:\WINDOWS\system32\csrcs.exe

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe csrcs.exe

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 4718592

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 4718706

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 4718706

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 6553701

• HKLM\Software\Microsoft\DRM\amty
fix =

• HKLM\Software\Microsoft\DRM\amty
fix1 = 1

Creates these keys:

• HKLM\Software\Microsoft\DRM\amty

Additional Details

The file called suicide.bat is an installation helper file that deletes the original malware file. It performs a ping loopback on the system to check for the presence of a functioning network card.

After completing its routine, the batch file deletes itself.

Tools

Choose location:

Navigation

Subnavigation

Security Lab

Worm:W32/AutoIt.Q

Summary

Details

Additional Details