Win32/AutoRun.Agent.ABB

Category: worm
Size: 208806 B
Detection created: Mar 10, 2011
Detection database version: 5943
Aliases:
  • Trojan.Win32.Scar.dpmz (Kaspersky)
  • TrojanDropper:Win32/Agent.EAG (Microsoft)
  • Trojan.ADH (Symantec)

Short description

Win32/AutoRun.Agent.ABB is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the %system% folder using the following name:

  • %variable%.exe (208806 B)

A string with variable content is used instead of %variable%.


The worm creates the following file:

  • %system%\RAR-packager.exe (180224 B)

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "RAR-AV" = "%system%\%variable%.exe"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • RAR-AV.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Spreading

The worm searches local drives for files with the following file extensions:

  • *.rar

The worm inserts a copy of itself into RAR archives.


The worm searches local drives for files with the following file extensions:

  • *.*

Only folders that contain one of the following strings in their path are searched:

  • incoming
  • my shared folder

The worm compresses each found file into a RAR archive. The name of the new file is based on the name of the file found in the search.

The worm inserts a copy of itself into the archive file.

The worm then deletes the found files.
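
A read-only host check built from the file names, sizes and Registry entry listed above, as an added example that is not part of the original description. The function name `Get-AutoRunAgentAbbArtifact` and the extra look at `SysWOW64` and `WOW6432Node` (where 64-bit Windows redirects a 32-bit process) are assumptions of this example.

```powershell
# Added example, not vendor code. Read-only: it lists matches and changes nothing.
function Get-AutoRunAgentAbbArtifact {
    $hits = New-Object 'System.Collections.Generic.List[object]'

    # Assumption of this example: check both the native and the WOW64 view,
    # because a 32-bit process on 64-bit Windows is redirected to the latter.
    $sysDirs = @("$env:windir\System32", "$env:windir\SysWOW64") |
        Where-Object { Test-Path -LiteralPath $_ }
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')

    # Persistence: a Run value named "RAR-AV".
    foreach ($key in $runKeys) {
        $v = Get-ItemProperty -Path $key -Name 'RAR-AV' -ErrorAction SilentlyContinue
        if ($v) {
            $hits.Add([pscustomobject]@{ Check = 'Run value RAR-AV'; Where = $key; Detail = $v.'RAR-AV' })
        }
    }

    foreach ($dir in $sysDirs) {
        # Dropped file with a fixed name.
        $helper = Join-Path $dir 'RAR-packager.exe'
        if (Test-Path -LiteralPath $helper) {
            $hits.Add([pscustomobject]@{ Check = 'RAR-packager.exe'; Where = $dir; Detail = $helper })
        }
        # The worm's own copy has a variable name, so match on the listed size
        # (208806 B). Size alone is a weak signal: confirm before acting on it.
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Length -eq 208806 } |
            ForEach-Object {
                $hits.Add([pscustomobject]@{ Check = 'exe of 208806 B'; Where = $dir; Detail = $_.FullName })
            }
    }

    # Removable drives (DriveType 2): RAR-AV.exe in the root folder.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        if (Test-Path -LiteralPath ($root + 'RAR-AV.exe')) {
            $inf = Test-Path -LiteralPath ($root + 'autorun.inf')
            $hits.Add([pscustomobject]@{ Check = 'RAR-AV.exe on removable drive'; Where = $root; Detail = "autorun.inf present: $inf" })
        }
    }
    $hits
}

Get-AutoRunAgentAbbArtifact | Format-Table -AutoSize -Wrap
```

An empty result means none of these specific artifacts were found; it does not cover the modified RAR archives described in the Spreading section.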
