
Win32.Worm.Autorun.JP

MEDIUM
LOW
~110 kB
(Worm.Win32.Autorun.dlw, W32/Autorun.worm.bm, WORM_AUTORUN.UP)

Symptoms

Presence of the files and registry entries listed in the technical description below.
Presence of the following running processes:

  • %system%\system.exe
  • %windows%\userinit.exe

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Anton, virus researcher

Technical Description:

When executed, the worm drops several copies of itself in:

  • %system%\system.exe
  • %windows%\userinit.exe
  • [every removable drive]: Secret.exe

Also, it drops:

  • %system%\MSWINSCK.OCX, a clean file (the Microsoft Winsock ActiveX control) that the worm uses for its network activity
  • %system%\kdcoms.dll, a log file in which the worm stores the titles of the user's active windows together with the captured keystrokes, including the following special keys:

Backspace, Tab, Shift, Ctrl, Alt, Pause, Esc, End, Home, Left, Right, Up, Down, Insert, Delete, F1-F12, NumLock, ScrollLock, PrintScreen, PageUp, PageDown

  • [every removable drive]: autorun.inf, so that the worm is executed every time the drive is accessed on a system with Autorun enabled

autorun.inf has the following content:

[AutoRun]
open=Secret.exe
;shell\open=Open(&O)
shell\open\Command=Secret.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=Secret.exe


The worm modifies the following registry value so that its copy is executed by Winlogon on every system startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "%windows%\userinit.exe" (instead of the original file located at %system%\userinit.exe)

The worm also downloads a file from:
http://files.myopera.com/[hide]online/files/task.rar, an archive that also contains a copy of the worm.