Worm.Autorun.WHG

MEDIUM
HIGH
Variable
(Trojan.Autorun.AET)

Symptoms

No obvious symptoms.

Removal instructions:

Autorun.inf files are not malicious by themselves and are usually created by other malware; therefore, simply deleting them won't clean the actual infection. Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

Autorun (or autoplay) is a feature of Microsoft Windows operating systems that dictates what action will be taken
when a new drive is mounted or accessed. The structure of an autorun file usually includes information such as the program
that will be executed when the drive is mounted, accessed, etc. Autorun.inf is always located in the root
directory of the medium, and whether the operating system will interpret it or not depends on some special registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
More information about how autorun works can be found here.

This particular malware is heavily obfuscated, padded with large amounts of garbage in order to make detection difficult.
Its true purpose is, however, revealed by the following line:
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
This means that whenever the drive is accessed, rundll32.exe (a system program) will load
RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (a DLL) and call its exported function ahaezedrn.
This DLL file is actually Win32.Worm.Downadup. Further information about Downadup (alias Kido or Conficker) can be found here.
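The two points above (an autorun.inf whose action line is hidden among garbage and mixed-case keys, and the NoDriveTypeAutoRun policy that decides whether the file is honoured at all) can be illustrated with a small triage script. This is an added example, not Bitdefender's code: it parses an autorun.inf the way Windows does (section and key names are case-insensitive, lines without "=" are ignored), flags the traits the description mentions (rundll32 loading a module that is not a .dll, a payload staged under RECYCLER), and decodes a NoDriveTypeAutoRun bitmask. The sample autorun.inf is constructed here around the shellexecute line from the page; the drive-type bit mapping is the standard Win32 one (1 << drive type), and 0xFF disables autorun for every drive type.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the description: filler lines plus one
# mixed-case shellexecute entry whose value is the line quoted on the page.
SAMPLE_AUTORUN_INF = """\
;zq9 filler comment
[AuToRuN]
;more garbage .................
  IcOn = %SystemRoot%\\system32\\shell32.dll,4
shelLExECUte=RuNdLl32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx,ahaezedrn
garbage without equals sign
UsEaUtOpLaY=1
"""

# Keys that make Windows launch something (the "icon" key only changes the drive icon).
ACTION_KEYS = ("open", "shellexecute")

# NoDriveTypeAutoRun bit -> drive type, following the GetDriveType numbering.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "reserved",
}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the effective [autorun] entries with keys lower-cased.

    Section and key names are matched case-insensitively, comment lines and
    lines without '=' are skipped, so garbage padding does not hide the entry.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue  # filler / garbage line
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_indicators(entries: Dict[str, str]) -> List[str]:
    """Flag action entries showing the traits described for this worm."""
    findings: List[str] = []
    for key in ACTION_KEYS:
        cmd = entries.get(key)
        if cmd is None:
            continue
        lowered = cmd.lower()
        if "rundll32" in lowered:
            # rundll32 takes "<module>,<export>"; a module without a .dll
            # extension (here .vmx) is a disguise for a DLL payload.
            m = re.search(r"rundll32(?:\.exe)?\s+(\S+?),(\S+)", cmd, re.IGNORECASE)
            if m and not m.group(1).lower().endswith(".dll"):
                findings.append(f"{key}: rundll32 loads non-.dll module {m.group(1)} (export {m.group(2)})")
        if "recycler" in lowered:
            findings.append(f"{key}: payload staged under a RECYCLER folder")
    return findings


def autorun_disabled_for(no_drive_type_autorun: int) -> List[str]:
    """Drive types for which the NoDriveTypeAutoRun bitmask suppresses autorun.inf handling."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if no_drive_type_autorun & bit]


if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN_INF)
    for line in suspicious_indicators(found):
        print("SUSPICIOUS", line)
    for value in (0x91, 0xFF):
        print(f"NoDriveTypeAutoRun={value:#x} disables autorun on:", autorun_disabled_for(value))
```

Reading the value out of both hives listed above (HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER) and passing it to autorun_disabled_for shows at a glance whether removable media are covered; a value of 0x91 leaves removable drives enabled, 0x95 or 0xFF does not.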