Trojan:W32/Autoit.BN is a trojan that copies itself to USB memory sticks, deletes anti-virus software, and changes system settings.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
When executed, AutoIt.BN copies itself to the following location on the hard drive:
Note: %Windir% represents the default Windows folder.
AutoIt.BN also copies itself to removable drives as a file called system.exe.
Additionally it also makes another copy of itself to removable drives with which it tries to impersonate a pre-existing folder. The trojan alphabetically searches the root folder of removable drives for the first entry that has no file extension. It then copies itself to the same root folder using the name of the folder it discovers and uses a file extension of EXE.
The folder the trojan impersonates will be set as a hidden file. This masquerade is improved by changing the registry in such a way that known file extensions are hidden so that the EXE extension is not visible. Hidden files are not visible in Explorer even if the system user adjusts the folder options to show hidden files.
The trojan does not necessarily "replace" a folder, as files do not always have an extension. The fact the trojan's icon resembles a folder implies that the intent of the author was to replace folders.
Once run, Trojan:W32/AutoIt.BN checks the currently running processes for the following programs:
If any of the programs are running the trojan restarts the computer.
The following processes will be terminated by the trojan:
Interestingly, handydriver.exe, kerneldrive.exe, and winsystem.exe are often used by other malicious programs. Trojan:W32/AutoIt.BN also deletes the autorun.inf file from fixed drives so it is possible the trojan is attempting to dominate other autorun malware.
The following registry entries are set:
The purpose of the registry modifications is to make detecting and removing the trojan more difficult. The last entry in the list executes the trojan at startup so it gets run when the infected computer is booted.
The following registry entries are deleted:
The following files are deleted:
By deleting the three files and removing two of its registry keys the trojan tries to render NOD32 antivirus program inoperable. Trojan:W32/AutoIt.BN remains memory resident once executed and repeats all operations every 40 seconds, making manual disinfection very difficult while the trojan is running.