Worm:W32/AutoIt.Q

Name: Worm:W32/AutoIt.Q
Detection Names: Win32.Worm.AutoIt
Size: 485692
Category: Malware
Type: Worm
Platform: W32
Date of Discovery: November 24, 2008

Summary

This malware spreads by copying itself to removable devices and replacing the autorun.inf of the device with its own copy to ensure automatic execution.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Details


File System Changes
Creates these files:

  •  %windir%\system32\csrcs.exe
  •  %temp%\suicide.bat


Modifies these files:

  •  %temp%\aut1.tmp
  •  %temp%\
  •  %temp%\aut2.tmp
  •  %temp%\



Process Changes
Creates these processes:

  •  %windir%\system32\csrcs.exe
  •  %windir%\system32\cmd.exe
  •  %windir%\system32\ping.exe


Creates these mutexes:

  •  6E523163793968624



Registry Modifications
Sets these values:

  •  HKLM\Software\Microsoft\DRM\amty
        ilop = 1
  •  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\MUICache\
        C:\WINDOWS\system32\csrcs.exe =
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
        csrcs = C:\WINDOWS\system32\csrcs.exe
  •  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        Shell = Explorer.exe csrcs.exe
  •  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
        Hidden = 4718592
  •  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
        SuperHidden = 4718706
  •  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
        ShowSuperHidden = 4718706
  •  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
        CheckedValue = 6553701
  •  HKLM\Software\Microsoft\DRM\amty
        fix =
  •  HKLM\Software\Microsoft\DRM\amty
        fix1 = 1


Creates these keys:

  •  HKLM\Software\Microsoft\DRM\amty
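
The indicators listed above (dropped files, the csrcs.exe process, the mutex, the Winlogon Shell and policy Run persistence entries, the SHOWALL tampering and the HKLM\Software\Microsoft\DRM\amty marker key) can be checked on a host with a short read-only script. The following PowerShell is an added example written for this page; it is not F-Secure's code or a tool the description refers to. It assumes the Windows defaults of `Shell = Explorer.exe` and `CheckedValue = 1`, and, because the page does not say which object namespace the mutex lives in, it opens the mutex name as given (session-local namespace).

```powershell
# Added example, not F-Secure's code: read-only check of a Windows host for the
# Worm:W32/AutoIt.Q indicators listed on this page. Run from an elevated prompt;
# it reports findings and changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# Returns the data of a registry value, or $null when the key or value is absent.
function Get-RegData {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Dropped files (paths from the page, expanded for this host)
foreach ($f in @("$env:windir\system32\csrcs.exe", "$env:temp\suicide.bat")) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# 2. Running process named csrcs.exe (note: the legitimate Windows binary is csrss.exe)
Get-Process -Name csrcs -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process running: csrcs.exe (PID $($_.Id))")
}

# 3. Mutex named on the page; OpenExisting throws when no such mutex exists
try {
    $m = [System.Threading.Mutex]::OpenExisting('6E523163793968624')
    $m.Dispose()
    $findings.Add('Mutex present: 6E523163793968624')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: nothing to report.
} catch {
    # Access denied or another error: the check is inconclusive, so say so.
    $findings.Add("Mutex check inconclusive: $($_.Exception.Message)")
}

# 4. Persistence and hidden-file registry changes from the page
$shell = Get-RegData 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($shell -and $shell -ne 'Explorer.exe') {   # Windows default is Explorer.exe alone
    $findings.Add("Winlogon Shell modified: '$shell'")
}
$run = Get-RegData 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run' 'csrcs'
if ($run) { $findings.Add("Policy Run entry csrcs = $run") }
$checked = Get-RegData 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' 'CheckedValue'
if ($null -ne $checked -and $checked -ne 1) {   # 1 is the Windows default
    $findings.Add("SHOWALL CheckedValue tampered: $checked")
}
if (Test-Path -LiteralPath 'HKLM:\Software\Microsoft\DRM\amty') {
    $findings.Add('Marker key present: HKLM\Software\Microsoft\DRM\amty')
}

if ($findings.Count -eq 0) { 'No Worm:W32/AutoIt.Q indicators found.' }
else { "Indicators found ($($findings.Count)):"; $findings | ForEach-Object { " - $_" } }
```

The Winlogon Shell check flags any deviation from `Explorer.exe` rather than only the `Explorer.exe csrcs.exe` string on the page, so it also catches the same persistence trick with a renamed dropper; the SHOWALL check works the same way, treating any non-default `CheckedValue` as tampering because that value is what keeps the "Show hidden files" option from taking effect.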


Additional Details

The file called suicide.bat is an installation helper that deletes the original malware file. It pings the loopback address (a ping loopback) to check for the presence of a functioning network card.

After completing its routine, the batch file deletes itself.