F-Secure Malware Information Pages: Worm:W32/AutoRun.NOI

Summary
AutoRun worm.
Additional Details
Worm.Win32.AutoRun.noi creates a copy of itself as the following:
- C:\Program Files\Microsoft Common\wuauclt.exe
It creates the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"
Note: The key is created for automatic execution when explorer.exe is launched.
It also drops two files into the root of available removable drives:
It then injects code into explorer.exe.
The autorun.inf file is an autorun file of system.exe and contains the following strings:
- [autorun]
  open=system.exe
  shellexecute=system.exe
  shell\Explore\command=system.exe
  shell\Open\command=system.exe
  shell=Explore

Worm.Win32.AutoRun.noi attempts to retrieve information from:
- http://druzg.ru/[...].php?v=1&rs=13441600&n=1&uid=1
- http://drizg.ru/[...].php?v=1&rs=13441600&n=1&uid=1
The worm uses rootkit stealth techniques to hide its presence on the infected machine, including deleting its own installation file once the installation has been completed.
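
The two persistence artifacts described above (the Image File Execution Options Debugger value and the launch entries in autorun.inf) can be checked for in collected triage data. The following is an added example, not F-Secure's code: the function names are hypothetical, the sample inputs are constructed from the values listed on this page, and the `reg query ... /s` text layout is an assumption.

```python
import re

# Constructed sample: the autorun.inf strings listed on this page.
SAMPLE_AUTORUN = r"""[autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
"""
# Constructed sample of `reg query "<IFEO key>" /s` output (layout assumed).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger    REG_SZ    C:\Program Files\Microsoft Common\wuauclt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    MitigationOptions    REG_QWORD    0x100
"""
# autorun.inf keys that start a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_launch_targets(text):
    """Return {key: target} for [autorun] entries that start a program."""
    section, hits = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                hits[key.lower()] = value
    return hits

def ifeo_debuggers(reg_text):
    """Return {image name: debugger path} for IFEO subkeys with a Debugger value."""
    image, found = None, {}
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            # Last path component of the subkey is the hijacked image name.
            image = line.rstrip("\\").rsplit("\\", 1)[-1]
            continue
        m = re.match(r"\s+Debugger\s+REG_(?:EXPAND_)?SZ\s+(.+)", line, re.I)
        if m and image:
            found[image] = m.group(1).strip().strip('"')
    return found
```

Any Debugger value under an image such as explorer.exe deserves review, since that image is not normally run under a debugger.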
F-Secure Corporation
Last Modified: October 17, 2008