Win32.Worm.Autoit.E
MEDIUM
VERY LOW
226,924 bytes
(Virus.Win32.AutoRun.hs, W32/Autorun.worm.g, Win32/Autoit.BB, W32/AutoRun.G!worm)
Symptoms
Symptoms of this malware:
* presence of a file called ",.exe" in the Windows directory
* presence of a process ",.exe" running on your computer (Task Manager)
* presence of an entry called "HUI" under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" pointing to a file "C:\windows\,.exe"
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Radu Daniel, virus researcher
Technical Description:
The malware is written in AutoIt, which is a "BASIC-like scripting language designed for automating the Windows GUI and general scripting".
Once executed:
- drops [DRIVE]:\autorun.inf on all drives, which is used to execute the malware when the drive is accessed;
- copies itself as ",.exe" on all drives
- copies itself as ",.exe" in %windir%
- enables AutoRun on all drives by altering the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
- tries to kill the following processes if they are running:
* MSConfig.exe
* regedit.exe
* taskmgr.exe
* Bkav2006.exe
- adds itself to Windows Startup under the name "HUI" by altering the following registry entry:
* "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
- modifies the following registry entries to hide file extensions and files in Explorer:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
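A triage check for the registry indicators listed above, as an added example that is not BitDefender's own code: it parses saved `reg query` output and separates the "HUI" Run entry from the weaker settings changes. The function names and the sample text are constructed for illustration. The description does not give the values the malware writes, so the values tested (NoDriveAutoRun 0, HideFileExt 1, ShowSuperHidden 0) are assumptions based on what those settings mean in Windows.

```python
import re

# Registry locations named in the description above (compared case-insensitively).
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY = r"\software\microsoft\windows\currentversion\policies\explorer"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
VALUE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Turn `reg query` text into {key: {value_name: data}}, all names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).lower()] = m.group(3).strip()
    return keys

def dword(values, name):
    # REG_DWORD data is printed as hex text such as '0x1'; None if the value is absent.
    return int(values[name], 16) if name in values else None

def find_indicators(text):
    keys, strong, supporting = parse_reg_query(text), [], []
    hui = keys.get(RUN, {}).get("hui", "")
    if hui.strip('"').lower().endswith("\\,.exe"):
        strong.append("Run\\HUI -> " + hui)
    for key, values in keys.items():
        # Assumption: 0 means no drive is excluded from AutoRun (page gives no value).
        if key.endswith(POLICY) and dword(values, "nodriveautorun") == 0:
            supporting.append("NoDriveAutoRun=0 under " + key.split("\\")[0])
    adv = keys.get(ADVANCED, {})
    # Assumption: 1 / 0 are the hiding values. Both are also Windows defaults,
    # so they only add context to a strong hit and prove nothing alone.
    if dword(adv, "hidefileext") == 1:
        supporting.append("HideFileExt=1")
    if dword(adv, "showsuperhidden") == 0:
        supporting.append("ShowSuperHidden=0")
    return {"strong": strong, "supporting": supporting}

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HUI    REG_SZ    C:\windows\,.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveAutoRun    REG_DWORD    0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt    REG_DWORD    0x1
    ShowSuperHidden    REG_DWORD    0x0
"""
```

Call `find_indicators()` on the combined text of `reg query` run against each of the keys above; an empty "strong" list means the "HUI" startup entry was not found.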