Category: Malware

Type: Trojan

Aliases: Trojan:W32/AutoIt.BN, Trojan.Win32.AutoIt.bn


Trojan:W32/AutoIt.BN is a trojan that copies itself to USB memory sticks, deletes anti-virus software, and changes system settings.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Technical Details


When executed, AutoIt.BN copies itself to the following location on the hard drive:

  • %windir%\system32\Microsoft\msmsgs.exe

Note: %Windir% represents the default Windows folder.

AutoIt.BN also copies itself to removable drives as a file called system.exe.

It also places a second copy of itself on removable drives, with which it tries to impersonate a pre-existing folder. The trojan searches the root folder of the removable drive alphabetically for the first entry that has no file extension. It then copies itself to the same root folder, using the name of the entry it found and the file extension EXE.

The folder the trojan impersonates is set as hidden. The masquerade is reinforced by a registry change that hides known file extensions, so the EXE extension is not visible. Hidden files are not visible in Explorer even if the system user adjusts the folder options to show hidden files.

The trojan does not necessarily "replace" a folder, as files do not always have an extension. The fact that the trojan's icon resembles a folder implies that the author's intent was to replace folders.
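A defender-side check for the removable-drive artifacts described above, added here as an example and not taken from the original description: it flags system.exe in a drive root and any EXE named after an extension-less entry beside it, whether that entry is a folder or a file. The function names and the sample folder names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def scan_drive_root(root):
    """Return (kind, exe_name, original_hidden) findings for one drive root."""
    entries = {e.name.lower(): e for e in os.scandir(root)}
    findings = []
    # Artifact 1: the fixed-name copy, system.exe, in the drive root.
    fixed = entries.get("system.exe")
    if fixed is not None and fixed.is_file():
        findings.append(("fixed-name-copy", fixed.name, None))
    # Artifact 2: <name>.exe sitting beside an extension-less entry <name>.
    for lower, entry in sorted(entries.items()):
        if os.path.splitext(lower)[1]:
            continue  # only entries without an extension are impersonated
        twin = entries.get(lower + ".exe")
        if twin is None or not twin.is_file():
            continue
        # st_file_attributes exists only on Windows; elsewhere hidden is None.
        attrs = getattr(entry.stat(), "st_file_attributes", None)
        hidden = None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        findings.append(("impersonated-entry", twin.name, hidden))
    return findings


def build_constructed_sample(root):
    """Constructed sample layout; all folder and file names are made up."""
    os.mkdir(os.path.join(root, "Holiday"))
    os.mkdir(os.path.join(root, "Work"))
    for name in ("Holiday.exe", "system.exe", "notes.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder")  # harmless placeholder bytes


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for kind, name, hidden in scan_drive_root(tmp):
            print(f"{kind}: {name} (original entry hidden: {hidden})")
```

A name match alone is a lead rather than a verdict: a legitimate installer can share a folder's name, so a hit where the original entry is also hidden deserves the closest look.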


Once run, Trojan:W32/AutoIt.BN checks the currently running processes for the following programs:

  • Microsoft Management Console (mmc.exe)
  • Microsoft Restore Console (rstrui.exe)
  • Registry Editor (regedit.exe)
  • System Configuration utility (msconfig.exe)
  • Task Manager (taskmgr.exe)

If any of these programs is running, the trojan restarts the computer.

The following processes will be terminated by the trojan:

  • cmd.exe
  • handydriver.exe
  • kerneldrive.exe
  • nod32krn.exe
  • nod32kui.exe
  • winsystem.exe
  • Wscript.exe

Interestingly, handydriver.exe, kerneldrive.exe, and winsystem.exe are often used by other malicious programs. Trojan:W32/AutoIt.BN also deletes the autorun.inf file from fixed drives, so it is possible that the trojan is attempting to dominate other autorun malware.

Registry Changes

The following registry entries are set:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SuperHidden = 00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden = 00000000
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden = 00000002
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFind = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoFolderOptions = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableTaskMgr = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableRegistryTools = 00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Microsoft\Msmsgs.exe

The purpose of the registry modifications is to make detecting and removing the trojan more difficult. The last entry in the list executes the trojan at startup, so it runs whenever the infected computer is booted.

The following registry entries are deleted:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window title
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn ImagePath

The following files are deleted:

  • %C:\%Program Files\ESET\nod32.exe
  • %C:\%Program Files\ESET\nod32kui.exe
  • %C:\%Program Files\ESET\nod32krn.exe

By deleting the three files and removing two of its registry keys, the trojan tries to render the NOD32 antivirus program inoperable. Trojan:W32/AutoIt.BN remains memory resident once executed and repeats all operations every 40 seconds, making manual disinfection very difficult while the trojan is running.