
F-Secure Malware Information Pages: Worm:W32/AutoRun.NOI


Name : Worm:W32/AutoRun.NOI
Detection Names : Worm.Win32.AutoRun.noi
Aliases : W32/Autorun-jl (Sophos)
          Generic.dx trojan (McAfee)
          WORM_AUTORUN.RC (Trend Micro)
          W32.SillyFDC (Symantec)
          Worm:Win32/Emold.C (Microsoft)
Type : Worm
Category : Malware
Platform : W32

Summary
AutoRun worm.

Additional Details
Worm.Win32.AutoRun.noi creates a copy of itself as the following:

  • C:\Program Files\Microsoft Common\wuauclt.exe

It creates the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"

Note: A Debugger value under Image File Execution Options tells Windows to start the named program in place of explorer.exe whenever explorer.exe is launched, passing explorer's command line to it. The worm is therefore executed automatically at every logon and every time Explorer restarts, giving it persistence without an entry under the usual Run keys.

It also drops two files into the root of available removable drives:

  • autorun.inf
  • system.exe

It then injects code into explorer.exe.

The autorun.inf file directs Windows AutoRun to launch system.exe when the drive is inserted or opened in Explorer, and contains the following:

  • [autorun]
    open=system.exe
    shellexecute=system.exe
    shell\Explore\command=system.exe
    shell\Open\command=system.exe
    shell=Explore
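
The IFEO Debugger hijack and the autorun.inf verb redirection described above are generic techniques, not specific to this sample, so they are worth checking for on any suspect host or removable drive. The Python triage script below is an added example written for this page, not F-Secure's code: it parses an autorun.inf for launch directives (open, shellexecute, shell\<verb>\command and the default shell verb) and reports IFEO entries that carry a Debugger value. The autorun.inf sample is constructed from the contents listed above; the IFEO sample mirrors the explorer.exe entry, while its notepad.exe entry is an illustrative assumption added to show a value that must not be flagged. The live registry read only runs on Windows.

```python
"""Triage helpers for the two artefacts in the write-up: the IFEO "Debugger"
hijack of explorer.exe and the autorun.inf dropped on removable drives.
Added example for this page, not vendor code."""
import re
import sys

# Constructed sample: the autorun.inf contents quoted in the write-up.
SAMPLE_AUTORUN_INF = """[autorun]
open=system.exe
shellexecute=system.exe
shell\\Explore\\command=system.exe
shell\\Open\\command=system.exe
shell=Explore
"""

# Constructed sample of IFEO subkeys -> values. Only the explorer.exe entry
# mirrors the write-up; notepad.exe is an assumed benign entry (no Debugger).
SAMPLE_IFEO = {
    "explorer.exe": {"Debugger": r"%ProgramFiles%\Microsoft Common\wuauclt.exe"},
    "notepad.exe": {"DisableExceptionChainValidation": 0},
}

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.I)


def parse_autorun(text):
    """Return key=value entries of the [autorun] section with lower-cased keys.
    Hand-rolled instead of configparser: in-the-wild autorun.inf files carry
    junk lines and odd bytes meant to break strict parsers."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # [autorun] or an architecture-specific [autorun.xxx] section
            in_section = line[1:-1].lower().startswith("autorun")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return human-readable findings for an autorun.inf; [] if nothing launches."""
    entries = parse_autorun(text)
    targets = {k: v for k, v in entries.items() if LAUNCH_KEY.match(k)}
    findings = []
    verbs = sorted(k for k in targets if k.startswith("shell\\"))
    if verbs:
        # On Windows versions that still honour autorun.inf for removable media,
        # redirected Open/Explore verbs run the payload on double-click or
        # right-click "Open"/"Explore" of the drive, AutoPlay prompt or not.
        findings.append("Explorer verbs redirected: " + ", ".join(verbs))
    if "shell" in entries:
        findings.append("default verb changed to " + repr(entries["shell"]))
    for key, cmd in sorted(targets.items()):
        if EXEC_EXT.search(cmd):
            findings.append(key + " launches " + cmd)
    return findings


def ifeo_debugger_hijacks(ifeo):
    """Return {image: debugger} for IFEO entries carrying a Debugger value.
    Windows starts the Debugger program instead of the named image and appends
    the image's own command line, so every hit is a launch interposition.
    Developer tools set it legitimately too, so each one needs review, but an
    entry for explorer.exe is persistence until proven otherwise."""
    return {image.lower(): values["Debugger"]
            for image, values in ifeo.items()
            if isinstance(values.get("Debugger"), str) and values["Debugger"].strip()}


def read_ifeo_from_registry():
    """Live read of HKLM IFEO subkeys on Windows; {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # stdlib, only present on Windows
    ifeo = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):  # [0] = subkey count
            image = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, image) as sub:
                ifeo[image] = {winreg.EnumValue(sub, j)[0]: winreg.EnumValue(sub, j)[1]
                               for j in range(winreg.QueryInfoKey(sub)[1])}  # [1] = value count
    return ifeo


def main(argv):
    """Usage: python autorun_triage.py [path\\to\\autorun.inf]"""
    if argv:
        with open(argv[0], encoding="latin-1") as fh:
            inf_text = fh.read()
    else:
        inf_text = SAMPLE_AUTORUN_INF
    for finding in assess_autorun(inf_text) or ["nothing launches"]:
        print("autorun.inf:", finding)
    for image, dbg in ifeo_debugger_hijacks(read_ifeo_from_registry() or SAMPLE_IFEO).items():
        print("IFEO Debugger on", image, "->", dbg)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments to see the sample artefacts flagged; pass the path of an autorun.inf copied from a drive to triage a real file. The verb-redirection finding is the one worth weighting: a plain open= line also appears on legitimate CD-ROMs, whereas hijacked shell\Open\command and shell\Explore\command entries on a USB stick have no benign use.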

Worm.Win32.AutoRun.noi attempts to retrieve information from:

  • http://druzg.ru/[...].php?v=1&rs=13441600&n=1&uid=1
  • http://drizg.ru/[...].php?v=1&rs=13441600&n=1&uid=1

The worm uses rootkit stealth techniques to hide its presence on the infected machine; these include deleting its own installation file once installation has completed.



F-Secure Corporation

Last Modified: October 17, 2008