Threat name: Win32/AutoRun.Agent.GO

Threat variant name: Win32/AutoRun.Agent.GO

Category: worm
Size: 27648 B
Detection created: Jan 15, 2009
Detection database version: 10517
Aliases: Trojan.Win32.Buzus.aaup (Kaspersky)
  Backdoor.IRC.Bot (Symantec)
  W32/Spybot.worm.gen (McAfee)

Short description

Win32/AutoRun.Agent.GO is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.


When executed, the worm copies itself to the following locations:

  • %drive%\RECYCLER\S-%variable%\

A string with variable content is used instead of %variable%.

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • firefox.exe
  • mozilla.exe
  • msnmsgr.exe

Spreading on removable media

The worm copies itself into existing folders of removable drives.

The following filename is used:

  • %drive%\RECYCLER\S-%variable%\

A string with variable content is used instead of %variable%.

The worm creates the following file:

  • %drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

It communicates with the following server using IRC protocol:


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • perform DoS/DDoS attacks

The following services are disabled:

  • wscsvc
  • SharedAccess

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%filepath%" = "%filepath%:*:Enabled:Microsoft Windows Update Platform"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    • "Start" = 4
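
A read-only triage check for the registry, service and removable-media indicators listed above, as an added example that is not part of the original description. It assumes an elevated PowerShell 3.0 or later session; the variable names are illustrative.

```powershell
# Added example: read-only triage for the indicators listed on this page.
# Run from an elevated PowerShell prompt; nothing is modified.

$findings = New-Object System.Collections.Generic.List[string]
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. Services the page reports as disabled, or whose "Start" value is set to 4.
foreach ($name in 'wscsvc', 'SharedAccess', 'wuauserv') {
    $svc = Get-ItemProperty -Path "$svcRoot\$name" -Name Start -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 4) {
        $findings.Add("Service '$name' is disabled (Start = 4)")
    }
}

# 2. Firewall exceptions carrying the label the worm uses for its own file.
$listKey = "$svcRoot\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
$label   = ':*:Enabled:Microsoft Windows Update Platform'
$key = Get-Item -Path $listKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($data.EndsWith($label, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("Firewall exception: $valueName")
        }
    }
}

# 3. Removable drives (DriveType 2): autorun.inf plus a RECYCLER\S-* folder.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $findings.Add("autorun.inf present on $root")
    }
    $recycler = Join-Path $root 'RECYCLER'
    Get-ChildItem -LiteralPath $recycler -Directory -Force -Filter 'S-*' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Folder to inspect: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No indicators from this description were found.' }
else { $findings }
```

Each hit is a lead to examine rather than proof of infection, since these services can also be disabled by an administrator.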
