



Worm:W32/Autorun.GA

Name: Worm:W32/Autorun.GA
Detection Names:
  • Worm:W32/AutoRun.GA
  • Worm.Win32.AutoRun.mtw
Size: 32768 bytes
Category: Malware
Type: Worm
Platform: W32
Date of Discovery: September 08, 2008

Summary

A standalone malicious program which spreads by making complete copies of itself on the local computer or on removable drives.

Details


File System Changes
Creates these files:

  • C:\Program Files\Microsoft Common\wuauclt.exe



Process Changes
Writes into the memory of these processes:

  • svchost.exe
  • explorer.exe



Network Connections
Attempts to connect to:

  • http://aaszxt.ru/load4/[...].php?v=1&rs=%u&uid=1
  • http://aaszxt.ru/load4/[...].php?v=1&id=%s&rs=%u&cc=0&uid=1
  • http://aaszxt.ru/load4/[...].php?v=1&rs=%u&n=1&uid=1
  • http://aaszxt.ru/load4/[...].php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1
  • http://aaszxr.ru/loadx/[...].php?v=1&rs=%u&uid=1
  • http://aaszxr.ru/loadx/[...].php?v=1&id=%s&rs=%u&cc=0&uid=1
  • http://aaszxr.ru/loadx/[...].php?v=1&rs=%u&n=1&uid=1
  • http://aaszxr.ru/loadx/[...].php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1
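Every URL above has the same shape: one of two hosts, a path of the form /load4/ or /loadx/ plus a PHP script, and a query string built from the keys v, rs, uid and optionally id, n and cc (the %u and %s in the list are printf-style placeholders the worm fills in at run time). The following is an added example, not code from the original page or from F-Secure, that turns that shape into a matcher and runs it over a few constructed proxy log lines; the log format (client, method, URL, status) and the bracketed script names are assumptions, since the page elides the real ones.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (client method url status); not real traffic.
SAMPLE_LOG = """\
10.0.0.12 GET http://aaszxt.ru/load4/index.php?v=1&rs=512&uid=1 200
10.0.0.12 GET http://aaszxr.ru/loadx/get.php?v=1&id=ABCD1234&rs=512&n=1&cc=0&uid=1 200
10.0.0.33 GET http://example.com/news.php?v=1&uid=1 200
10.0.0.44 GET http://aaszxt.ru/images/logo.png 200
"""

# Hosts named on the page as the worm's download/check-in servers.
C2_HOSTS = {"aaszxt.ru", "aaszxr.ru"}
# /load4/<script>.php or /loadx/<script>.php (script names are elided on the page).
PATH_RE = re.compile(r"^/load[4x]/[^/?]+\.php$")
# Query keys present in every beacon variant, and the ones that only some carry.
REQUIRED_KEYS = {"v", "rs", "uid"}
OPTIONAL_KEYS = {"id", "n", "cc"}


def classify_url(url):
    """Return 'c2-beacon' for a URL matching the worm's check-in pattern,
    'c2-host' for any other request to a listed host, None otherwise."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in C2_HOSTS:
        return None
    qs = parse_qs(parts.query)
    keys = set(qs)
    if (PATH_RE.match(parts.path)
            and REQUIRED_KEYS <= keys
            and keys <= REQUIRED_KEYS | OPTIONAL_KEYS
            and qs["v"] == ["1"] and qs["uid"] == ["1"]):
        return "c2-beacon"
    return "c2-host"


def scan_log(text):
    """Return (client, url, verdict) for every line that touches a C2 host."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict = classify_url(fields[2])
        if verdict:
            hits.append((fields[0], fields[2], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {client} {url}")
```

Any request to either host is worth a look, but only the /load4/ and /loadx/ beacons with v=1 and uid=1 identify this specific family; the third sample line shows that the query string alone is too generic to match on.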



Registry Modifications
Sets these values:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
C:\Program Files\Microsoft Common\wuauclt.exe


Additional Details

AutoRun.GA creates a copy of itself as the following:

  • C:\Program Files\Microsoft Common\wuauclt.exe

It changes its window title to "notepad window".

It also drops two files into the root of available removable drives:

  • autorun.inf
  • wuauclt.exe

It injects code into svchost.exe and explorer.exe.

It looks for a service configured for manual start, temporarily replaces that service's driver file with its own malicious driver, starts the service, and then restores the original driver file.

Launchpoint

  • Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Value: Debugger
Data: C:\Program Files\Microsoft Common\wuauclt.exe

This entry is created for automatic execution when explorer.exe is launched: when an Image File Execution Options subkey for an image name carries a Debugger value, Windows starts the program named in that value in place of the image (passing the original command line as an argument), so the worm runs every time the Explorer shell starts.
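A Debugger value under an Image File Execution Options subkey is also how a responder would look for this launchpoint on other machines. The following is an added example, not code from the original page or from F-Secure, that parses the text produced by `reg export` of the IFEO key and flags Debugger values whose executable is not a known debugger, or which borrows the name of a Windows system binary (such as wuauclt.exe) while living outside the Windows directory. The export text, the set of known debuggers and the list of system binary names are constructed for the example.

```python
import re
import ntpath

# Constructed `reg export` output (not a real system); the first entry mirrors
# the launchpoint described on the page, the second is a developer's debugger.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows (x64)\\windbg.exe\" -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # only REG_SZ values matter here

# Illustrative sets (assumptions for this example, not an exhaustive list).
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe"}
SYSTEM_IMAGE_NAMES = {"wuauclt.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
WINDOWS_PREFIXES = ("c:\\windows\\", "%systemroot%")


def unescape(value):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ (in that order)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def debugger_image(data):
    """Executable path from a Debugger command line (quoted, or ending in .exe)."""
    m = re.match(r'^"([^"]+)"', data)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.exe)\b", data, re.IGNORECASE)
    return m.group(1) if m else data.strip()


def parse_ifeo_debuggers(reg_text):
    """Return (target_image, debugger_data) for each Debugger value under IFEO."""
    out, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if (m and key and "image file execution options\\" in key.lower()
                and m.group(1).lower() == "debugger"):
            out.append((ntpath.basename(key), unescape(m.group(2))))
    return out


def triage(reg_text):
    """Classify every IFEO Debugger entry found in the export text."""
    findings = []
    for target, data in parse_ifeo_debuggers(reg_text):
        image = debugger_image(data)
        name = ntpath.basename(image).lower()
        if name in KNOWN_DEBUGGERS:
            verdict = "benign-debugger"
        elif name in SYSTEM_IMAGE_NAMES and not image.lower().startswith(WINDOWS_PREFIXES):
            verdict = "suspicious-masquerade"   # system binary name, non-system path
        else:
            verdict = "review"
        findings.append({"target": target, "debugger": image, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f['verdict']:22} {f['target']:14} -> {f['debugger']}")
```

An entry hijacking explorer.exe deserves attention regardless of what it points to, since a debugger attached to the shell is almost never a legitimate configuration; the masquerade check just makes the page's specific case stand out among the hits.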

The dropped autorun.inf is written so that opening the removable drive launches the worm's copy, and contains the following strings:

  • [autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
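The file above hooks every way a user can open the drive: open= and shellexecute= cover AutoPlay, the two shell\...\command entries replace the Explore and Open context-menu verbs, and shell=Explore makes the hijacked verb the default for a double-click. The following is an added example, not code from the original page or from F-Secure, that parses an autorun.inf, lists which directives launch an executable and reports whether the default verb has been redirected; the two sample files (the worm's, reconstructed from the strings above, and a benign CD-style one) are constructed for the example.

```python
import ntpath

# Sample reconstructed from the strings listed on the page (constructed here).
WORM_AUTORUN = r"""
[autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
"""

# Constructed benign sample: sets an icon and label, launches nothing.
BENIGN_AUTORUN = r"""
; driver CD
[AutoRun]
icon=setup.exe,0
label=Driver CD
"""

EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys are lower-cased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def launched_image(command):
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage_autorun(text):
    """Report every directive that launches an executable and whether the
    default verb (shell=) has been pointed at one of them."""
    values = parse_autorun(text)
    launches = {}
    for key, value in values.items():
        # open=, shellexecute= and shell\<verb>\command= all name something to run.
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            image = launched_image(value)
            if ntpath.splitext(image)[1].lower() in EXEC_EXT:
                launches[key] = image
    default_verb = values.get("shell", "").lower()
    hijacks_default = bool(default_verb) and ("shell\\" + default_verb + "\\command") in launches
    return {
        "launches": launches,
        "default_verb": default_verb,
        "hijacks_default_verb": hijacks_default,
        "verdict": "suspicious" if launches else "benign",
    }


if __name__ == "__main__":
    for name, sample in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, triage_autorun(sample))
```

On a removable drive (as opposed to an optical disc) any launch directive at all is a strong indicator, and a redirected default verb combined with several directives pointing at the same executable is the classic AutoRun-worm signature.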

Stealth

The worm uses rootkit-style stealth techniques to hide its presence on the infected machine, and deletes its own installation file once installation has completed.