(Worm.Win32.AutoRun.aul, Win32.HLLW.Knight, W32/Worm.MUN, Win32.HLLW.Knight, INF:DiskKnight [Trj])


You can recognize this malware by:
    - a process named knight.exe running on your computer
    - an autorun.inf file in the root directory (usually C:\) containing references to knight.exe

Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Boeriu Laura, virus researcher

Technical Description:

This file was designed to protect computers from worms that spread by means of USB memory sticks, prompting the user to block or allow any of the processes that try to run from the USB. On the other hand, the file behaves like a worm because it spreads from the computer to USB sticks and back without the user's consent or knowledge.

It drops an autorun.inf file and modifies registry keys to automatically launch a copy of itself from C:\WINDOWS\Knight.exe (or C:\WINNT\Knight.exe, depending on the operating system).

The registry operations performed are:
    * HKLM\SOFTWARE\Classes\exefile\shell\open\command
        * (default) -> "%1" %*
    * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        * Disk Knight -> C:\WINDOWS\Knight.exe
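
The two indicators above (an autorun.inf that launches knight.exe and the "Disk Knight" Run value) can be checked with the following added example, which is not BitDefender's code. It assumes the autorun.inf text and the Run key values have already been collected; the function names and sample inputs are constructed for illustration.

```python
import re

# Indicators stated in the description above.
IMAGE_NAME = "knight.exe"
RUN_VALUE_NAME = "Disk Knight"

# Standard autorun.inf keys that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# File name as a whole path component, so "midknight.exe" is not flagged.
IMAGE_RE = re.compile(r'(?:^|[\\/\s"])' + re.escape(IMAGE_NAME) + r'(?:$|[\s"])', re.I)


def autorun_launch_targets(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf text."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        if in_autorun and sep and LAUNCH_KEY.match(key.strip()):
            targets.append((key.strip(), value.strip()))
    return targets


def find_indicators(autorun_text, run_values):
    """run_values maps value name -> data, as read from the Run key listed above."""
    hits = [f"autorun.inf {k} -> {v}"
            for k, v in autorun_launch_targets(autorun_text) if IMAGE_RE.search(v)]
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or IMAGE_RE.search(data):
            hits.append(f"Run value {name} -> {data}")
    return hits


# Constructed sample inputs (not taken from an infected host).
SAMPLE_INF = r"""[autorun]
open=knight.exe
shell\open\command=knight.exe
icon=drive.ico
"""
SAMPLE_RUN = {"Disk Knight": r"C:\WINDOWS\Knight.exe",
              "Updater": r"C:\Tools\update.exe"}

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_INF, SAMPLE_RUN):
        print(hit)
```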