Win32.Worm.Autoit.E (Virus.Win32.AutoRun.hs, W32/Autorun.worm.g, Win32/Autoit.BB, W32/AutoRun.G!worm)
SYMPTOMS:

Symptoms of this malware:
* presence of a file called ",.exe" in the Windows directory
* presence of a process ",.exe" running on your computer (Task Manager)
* presence of an entry called "HUI" under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" pointing to a file "C:\windows\,.exe"

TECHNICAL DESCRIPTION:

The malware is written using AutoIT, which is a "BASIC-like scripting language designed for automating the Windows GUI and general scripting".

Once executed, it:
- drops [DRIVE]:\autorun.inf on all drives, which is used to execute the malware when the drive is accessed;
- copies itself as ",.exe" on all drives;
- copies itself as ",.exe" in %windir%;
- enables AutoRun on all drives by altering the following registry entries:
  * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
  * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
- tries to kill the following processes if they are running:
  * MSConfig.exe
  * regedit.exe
  * taskmgr.exe
  * Bkav2006.exe
- adds itself to Windows Startup under the name "HUI" by altering the following registry entry:
  * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- modifies the following registry entries to hide file extensions and files in Explorer:
  * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
  * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Radu Daniel, virus researcher
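
The symptoms and registry changes listed above can be checked on a host with a read-only PowerShell triage script. This is an added example, not BitDefender's tooling; the variable names are illustrative, and the check of autorun.inf for a ",.exe" reference assumes the dropped file points at the worm's copy.

```powershell
# Added example: read-only triage for the indicators listed in this description.
$findings = @()

# Startup value "HUI" under the HKLM Run key.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.HUI) { $findings += "Run value HUI -> $($run.HUI)" }

# Running process ",.exe" (ProcessName omits the extension).
foreach ($p in Get-Process) {
    if ($p.ProcessName -eq ',') { $findings += "Process ',.exe' running, PID $($p.Id)" }
}

# Copies named ",.exe" in %windir% and in the root of every mounted drive.
$drives = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
foreach ($dir in (@($env:windir) + $drives)) {
    $exe = Join-Path $dir ',.exe'
    if (Test-Path -LiteralPath $exe) { $findings += "File present: $exe" }
}

# autorun.inf in a drive root. Assumption: a malicious one references ",.exe".
foreach ($root in $drives) {
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $hit = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Select-String -SimpleMatch ',.exe'
        if ($hit) { $findings += "autorun.inf references ',.exe': $inf" }
        else      { $findings += "autorun.inf present, review manually: $inf" }
    }
}

# Report (without judging) the Explorer values the description says are altered.
$base = 'Software\Microsoft\Windows\CurrentVersion'
$checks = @(
    @{ Path = "HKCU:\$base\Policies\Explorer"; Name = 'NoDriveAutoRun' },
    @{ Path = "HKLM:\$base\Policies\Explorer"; Name = 'NoDriveAutoRun' },
    @{ Path = "HKCU:\$base\Explorer\Advanced"; Name = 'HideFileExt' },
    @{ Path = "HKCU:\$base\Explorer\Advanced"; Name = 'ShowSuperHidden' }
)
foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { '<not set>' }
    Write-Output ("{0}\{1} = {2}" -f $c.Path, $c.Name, $value)
}

if ($findings) { foreach ($f in $findings) { Write-Output "[!] $f" } }
else           { Write-Output 'No Win32.Worm.Autoit.E indicators found.' }
```

The HKEY_CURRENT_USER values are per-user, so run the script in the session of the account being examined.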