Win32/AutoRun.Agent.AO [Threat Name] go to Threat

Win32/AutoRun.Agent.AO [Threat Variant Name]

Category worm
Size 24576 B
Detection created Nov 05, 2008
Detection database version 3588
Aliases Worm.Win32.AutoRun.rwv (Kaspersky)
  W32.SillyFDC (Symantec) (McAfee)
Short description

Win32/AutoRun.Agent.AO is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.


When executed, the worm copies itself into the following location:

  • %programfiles%\­Microsoft Common\­svchost.exe (24576 B)

The worm creates and runs a new thread with its own program code within the following processes:

  • %system%\­svchost.exe
  • %windir%\­explorer.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­explorer.exe]
    • "Debugger" = "%programfiles%\­Microsoft Common\­svchost.exe"

This causes the worm to be executed on every application start.

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • %drive%\­system.exe (24576 B)

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm contains a list of URLs. It tries to download several files from the addresses.

These are stored in the following locations:

  • %windir%\­temp\­%variable%.tmp

A string with variable content is used instead of %variable% .

The files are then executed.

The HTTP protocol is used.

Please enable Javascript to ensure correct displaying of this content and refresh this page.