Worm:W32/AutoRun.NOI

Name : Worm:W32/AutoRun.NOI
Detection Names : Worm.Win32.AutoRun.noi
Aliases : W32/Autorun-jl (Sophos), Generic.dx trojan (McAfee), WORM_AUTORUN.RC (Trend Micro), W32.SillyFDC (Symantec), Worm:Win32/Emold.C (Microsoft)
Category : Malware
Type : Worm
Platform : W32

Summary

AutoRun worm.

Additional Details

Worm.Win32.AutoRun.noi creates a copy of itself at the following location:

  • C:\Program Files\Microsoft Common\wuauclt.exe

It creates the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"

Note: The key is created so that the worm's copy is executed automatically whenever explorer.exe is launched.

It also drops two files into the root of available removable drives:

  • autorun.inf
  • system.exe

It then injects code into explorer.exe.

The autorun.inf file is set up to launch system.exe and contains the following strings:

  • [autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
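
A triage check for the removable-drive behaviour described above, as an added example that is not part of the original description: it parses an autorun.inf and reports the launch entries that point at an executable present in the drive root. The function names, the extension list and the embedded sample are assumptions made for this illustration.

```python
import ntpath
import re

# [autorun] keys that start a program; the kinds of entries quoted in this description.
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)", re.IGNORECASE)
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}  # assumed extension list
FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # program part of a command line

# Constructed sample: the autorun.inf contents quoted in this description.
SAMPLE_INF = r"""[autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, skipping junk and comment lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_entries(text, root_files):
    """List (key, program) pairs that launch an executable sitting in the drive root."""
    present = {name.lower() for name in root_files}
    findings = []
    for key, value in parse_autorun(text).items():
        token = FIRST_TOKEN.match(value)
        if not LAUNCH_KEY.fullmatch(key) or not token:
            continue
        program = (token.group(1) or token.group(2)).lower()
        name = ntpath.basename(program)
        in_root = ntpath.dirname(program) in ("", "\\", ".")
        if in_root and name in present and ntpath.splitext(name)[1] in EXEC_EXT:
            findings.append((key, name))
    return findings

if __name__ == "__main__":
    for key, program in suspicious_entries(SAMPLE_INF, ["autorun.inf", "system.exe"]):
        print(f"{key} -> {program}")
```

Pass the decoded text of a drive's autorun.inf and the file names found in that drive's root; an empty result means no launch entry references an executable located there.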

Worm.Win32.AutoRun.noi attempts to retrieve information from:

  • http://druzg.ru/[...].php?v=1&rs=13441600&n=1&uid=1
  • http://drizg.ru/[...].php?v=1&rs=13441600&n=1&uid=1

The worm uses rootkit stealth techniques to hide its presence on the infected machine, including deleting its own installation file once the installation has been completed.