Skip to main content

Choose your country

Worm:W32/Autorun.BHX

Classification

Category:

Malware

Platform:

W32

Type:

Worm

Aliases:

  • Worm.Win32.AutoRun.bhx

Summary

Worm:W32/Autorun.BHX spreads by copying itself to removable drives and attempts to steal username and password information for several different online games.

Removal

Technical Details

Worm:W32/Autorun.BHX attempts to spread by copying itself to removable drives as xadeiect.com.For more information on the Autorun infection method see our Worm:W32/Autorun family description.The primary payload for Autorun.BHX is to steal username and password information for online games.The following games are among the targeted:
  • Dekaron
  • MapleStory
  • Perfect World
  • Ragnarok Online
  • Seal Online
  • Yulgang
  • Zheng Tu Online

File System Changes

Creates these files:
  • %temp%\n2mmf2qu.dll
  • %windir%\system32\kavo.exe
  • %windir%\system32\kavo0.dll
Modified these files:
  • %temp%\6itt.sys
  • %windir%\system32\wincab.sys
Uses these temporary files:
  • %temp%\6itt.sys
  • %windir%\system32\wincab.sys

Network Connections

Attempts to download files from:
  • https://www.microsofttw.com/jj/[REMOVED].rar

Registry Modifications

Sets these values:
  • HKLM\System\CurrentControlSet\Services\athyd Type = 00000001 Start = 00000003 ErrorControl = 00000001 ImagePath = \??\C:\WINDOWS\system32\wincab.sys DisplayName = athyd by %windir%\system32\services.exe (PID:652)
  • HKLM\System\CurrentControlSet\Services\athyd\Security Security = \x01\x00\x14\x80\x90\x00\x00\x00\x9C\x00\x00\x00\x14\x00\x00\x00\x30\x00\x00\x00\x02\x00\x1C\x00\x01\x00\x00\x00\x02\x80\x14\x00\xFF\x01\x0F\x00\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x00\x60\x00\x04\x00\x00\x00\x00\x00\x14\x00\xFD\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x00\x18\x00\xFF\x01\x0F\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00\x00\x00\x14\x00\x8D\x01\x02\x00\x01\x01\x00\x00\x00\x00\x00\x05\x0B\x00\x00\x00\x00\x00\x18\x00\xFD\x01\x02\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x23\x02\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00 by %windir%\system32\services.exe (PID:652)
  • HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Run kava = C:\WINDOWS\system32\kavo.exe by %cwd%\sample.exe (PID:1548) [Launchpoint: Run]
Creates these keys:
  • HKLM\System\CurrentControlSet\Services\athyd by services.exe (PID: 652)
  • HKLM\System\CurrentControlSet\Services\athyd\Security by services.exe (PID: 652)

Stealth Features

Installs these hooks:
  • ntoskrnl.exe!NtOpenProcess SSDT hook to 0xf87f07d0 in %windir%\system32\wincab.sys Kernel process (PID: 0)
  • ntoskrnl.exe!NtEnumerateValueKey SSDT hook to 0xf87f09a2 in %windir%\system32\wincab.sys Kernel process (PID: 0)
  • ntoskrnl.exe!NtEnumerateKey SSDT hook to 0xf87f0aae in %windir%\system32\wincab.sys Kernel process (PID: 0)

Protect your devices from malware with F‑Secure Total

Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.

  • Award‑winning antivirus and malware protection
  • Online browsing, banking, and shopping protection
  • 24/7 online identity and data breach monitoring
  • Unlimited VPN service to safe­guard your privacy
  • Password manager with private data protection

Choose how many devices you want to protect to get started.

  • Free customer support
  • Cancel anytime
  • The trial does not obligate you to buy the product
Try Total 30 days for free

After 30 days your subscription will renew automatically for one year at €69.99.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.