(Worm.Win32.AutoRun.aqpt, Worm:Win32/Emold.U )
- presence of the file "C:\Windows\system32\logon.exe"
- presence of the registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell" with the value "Explorer.exe logon.exe"
- presence of the files "autorun.exe" (copy of the malware) and "autorun.inf" on infected removable drives
Please let BitDefender disinfect your files.
Roxana Gherle, virus researcher
Upon execution this worm will make a copy of itself at "C:\Windows\system32\logon.exe".
It will modify the registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell", setting the value "Explorer.exe logon.exe", so that the malware is executed at every user logon.
The worm will inject malicious code into the memory space of "svchost.exe" and "explorer.exe" processes, after which it will terminate its process in order to hide its presence.
From the memory space of "svchost.exe" process it will perform the following malicious actions:
- replaces one driver in "C:\Windows\system32\DRIVERS" (for example asyncmac.sys) with a malicious driver that can collect various system information and hook a set of important Windows API functions.
- starts a service for the malicious driver and then hides its traces by restoring the original clean driver file on disk.
- sends the Windows Product ID of the infected machine to the address "http://myblogs.[removed]/news"
- spreads to removable drives by copying itself as "autorun.exe" and creating an "autorun.inf" file containing the following commands, so that the worm runs automatically on any machine the removable drive is connected to:
From the memory space of "explorer.exe" process the worm will delete itself in order to clean its traces.
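The following triage script is an added example (not BitDefender's tool and not part of the original advisory) that checks a machine for the three persistent indicators listed above: the Winlogon Shell value, the dropped "logon.exe", and "autorun.inf"/"autorun.exe" on removable drives. It assumes an elevated PowerShell session on the suspect host; the expected clean Shell value "explorer.exe" is the Windows default.

```powershell
# Added triage check for the Emold/AutoRun indicators described above.
# Assumption: run from an elevated PowerShell session on the suspect machine.
$findings = @()

# 1. Winlogon Shell: the default is "explorer.exe"; any extra entry
#    (e.g. "Explorer.exe logon.exe") is an autostart worth investigating.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {   # -ne is case-insensitive
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# 2. Dropped copy of the worm in system32; record its hash for later correlation.
$dropped = Join-Path $env:SystemRoot 'system32\logon.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "Found $dropped (SHA256 $hash)"
}

# 3. Spreading artifacts on removable drives (Win32_LogicalDisk DriveType 2 = removable).
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    foreach ($name in 'autorun.inf', 'autorun.exe') {
        $p = "$($_.DeviceID)\$name"
        if (Test-Path $p) { $findings += "Found $p on removable drive $($_.DeviceID)" }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No Emold/AutoRun indicators found.'
}
```

Because the description says the replaced driver is restored on disk after its service starts, the driver swap leaves no file-system artifact for this script to find; that stage has to be hunted in memory or in service creation logs instead.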