Win32/AutoRun.Agent.VS [Threat Name]

Win32/AutoRun.Agent.VS [Threat Variant Name]

Category worm
Size 303104 B
Detection created Apr 23, 2010
Detection database version 10236
Aliases Trojan.Win32.Cosmu.pqi (Kaspersky)
  W32.SillyFDC (Symantec)
  Win32/Autorun.WT (Microsoft)
Short description

Win32/AutoRun.Agent.VS is a worm that spreads via removable media. The worm is able to log keystrokes. The worm is probably a part of other malware.

Installation

When executed, the worm copies itself to the following locations:

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  • %systemdrive%\Program Files\Windows Alerter\WinAlert.exe
  • %systemdrive%\Program Files\Windows Common Files\Commgr.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "WindowMessenger" = "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    • "Windows Alerter" = "%systemdrive%\Program Files\Windows Alerter\WinAlert.exe"
    • "Windows Common Files Manager" = "%systemdrive%\Program Files\Windows Common Files\Commgr.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "WindowMessenger" = "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    • "Windows Alerter" = "%systemdrive%\Program Files\Windows Alerter\WinAlert.exe"
    • "Windows Common Files Manager" = "%systemdrive%\Program Files\Windows Common Files\Commgr.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
    • "SuperHidden" = 0
    • "HideFileExt" = 1
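
The Run-key entries and the Explorer\Advanced values above are the host-side indicators a responder would check first: the Run values restart the worm at logon, and the Advanced values make Explorer hide hidden files, protected system files and file extensions, so the copies under RECYCLER stay out of sight. The following Python script is an added triage example, not ESET's tooling and not part of the original entry. It works on a constructed registry snapshot (a plain dict of key path to value name/data, so it runs offline); the value names, executable names and Advanced settings come from the lists above, while the "ExampleUpdater" entry is a constructed benign value included to show that it is not flagged. It generalizes slightly beyond the listed names: any Run target that lives under a RECYCLER directory is reported, since that location is not a normal place for an autostart executable.

```python
"""Triage the persistence and file-hiding indicators listed for Win32/AutoRun.Agent.VS.

Added example: operates on a constructed registry snapshot, not on a live hive.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# key path -> {value name: value data}
RegistrySnapshot = Dict[str, Dict[str, object]]

RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Value names and executable names taken from the installation section above.
KNOWN_VALUE_NAMES = {"WindowMessenger", "Windows Alerter", "Windows Common Files Manager"}
KNOWN_EXE_NAMES = {"winsysapp.exe", "winalert.exe", "commgr.exe"}

# Explorer\Advanced settings as the worm sets them; each one hides something from the user.
HIDING_SETTINGS = {"Hidden": 2, "ShowSuperHidden": 0, "SuperHidden": 0, "HideFileExt": 1}

_RECYCLER_DIR_RE = re.compile(r"\\RECYCLER\\", re.IGNORECASE)


def check_run_entries(snapshot: RegistrySnapshot) -> List[Tuple[str, str, str, List[str]]]:
    """Return (key, value name, target path, reasons) for every suspicious Run value."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            target = str(data).strip('"')
            exe = ntpath.basename(target).lower()
            reasons = []
            if name in KNOWN_VALUE_NAMES:
                reasons.append("value name matches a known indicator")
            if exe in KNOWN_EXE_NAMES:
                reasons.append("executable name matches a known indicator")
            if _RECYCLER_DIR_RE.search(target):
                reasons.append("autostart target lives under a RECYCLER directory")
            if reasons:
                findings.append((key, name, target, reasons))
    return findings


def check_hiding_settings(snapshot: RegistrySnapshot) -> Dict[str, object]:
    """Return the Explorer\\Advanced values that currently hold the worm's hiding settings."""
    values = snapshot.get(ADVANCED_KEY, {})
    return {name: values[name] for name, bad in HIDING_SETTINGS.items() if values.get(name) == bad}


# Constructed snapshot: the entries from the page plus one benign autostart value.
SAMPLE_SNAPSHOT: RegistrySnapshot = {
    RUN_KEYS[0]: {
        "WindowMessenger": r"C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe",
        "Windows Alerter": r"%systemdrive%\Program Files\Windows Alerter\WinAlert.exe",
        "Windows Common Files Manager": r"%systemdrive%\Program Files\Windows Common Files\Commgr.exe",
        "ExampleUpdater": r"C:\Program Files\Example\updater.exe",  # constructed, benign
    },
    RUN_KEYS[1]: {
        "WindowMessenger": r"C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe",
    },
    ADVANCED_KEY: {"Hidden": 2, "ShowSuperHidden": 0, "SuperHidden": 0, "HideFileExt": 1},
}

if __name__ == "__main__":
    for key, name, target, reasons in check_run_entries(SAMPLE_SNAPSHOT):
        print(f"[{key}] {name!r} -> {target}: {'; '.join(reasons)}")
    for name, value in check_hiding_settings(SAMPLE_SNAPSHOT).items():
        print(f"Explorer\\Advanced {name} = {value} (hides files or extensions)")
```

On a live Windows host the same dict can be filled from the `winreg` module or from a `reg export` of the two Run keys and the Advanced key; the checks themselves do not change. Resetting the Advanced values (Hidden = 1, ShowSuperHidden = 1, HideFileExt = 0) after cleanup makes the remaining RECYCLER copies visible again.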

Spreading

Win32/AutoRun.Agent.VS is a worm that spreads by copying itself into certain folders.

When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the folder found in the search.

The filename has the following extension:

  • .exe

Spreading on removable media

The worm copies itself into existing folders of removable drives.

The following filename is used:

  • %drive%\RECYCLER\%variable%.exe

A string with variable content is used instead of %variable%.

The worm creates the following file:

  • %drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm may create the following files in the %drive%\RECYCLER folder:

  • BNFO
  • dEsKtOp.InI
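
The autorun.inf the worm drops at the root of the removable drive is what turns the copy in %drive%\RECYCLER into something that runs on insertion, so inspecting that file is the quickest way to triage a suspect USB stick without executing anything on it. The script below is an added example, not part of the original entry and not ESET's code. It parses the [autorun] section, extracts the directives that launch a program (open, shellexecute and shell\...\command) and flags those whose target sits inside a RECYCLER folder, matching the %drive%\RECYCLER\%variable%.exe pattern above. The two autorun.inf samples are constructed for the example; the page does not give the real file's contents, so the file name e7b3a1.exe is a placeholder standing in for %variable%.

```python
"""Triage an autorun.inf from removable media for launch directives pointing into RECYCLER.

Added example; the sample autorun.inf texts are constructed, not recovered from the worm.
"""
import re
from typing import Dict, List, Tuple

# Directives that execute something when the media is inserted or double-clicked.
_LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_directives(directives: Dict[str, str]) -> Dict[str, str]:
    """Keep only the directives that cause a program to run."""
    return {k: v for k, v in directives.items() if k in _LAUNCH_KEYS or _SHELL_COMMAND_RE.match(k)}


def flag_recycler_launches(text: str) -> List[Tuple[str, str]]:
    """Return (directive, target) pairs whose target lives under a RECYCLER directory."""
    flagged = []
    for key, value in launch_directives(parse_autorun_inf(text)).items():
        target = value.strip().strip('"')
        parts = [p.lower() for p in re.split(r"[\\/]", target) if p]
        if "recycler" in parts[:-1]:  # RECYCLER as a directory component, not the file name
            flagged.append((key, target))
    return flagged


# Constructed sample modelled on the %drive%\RECYCLER\%variable%.exe pattern described above.
SAMPLE_INFECTED = r"""[autorun]
open=RECYCLER\e7b3a1.exe
shellexecute=RECYCLER\e7b3a1.exe
shell\open\command=RECYCLER\e7b3a1.exe
shell\explore\command=RECYCLER\e7b3a1.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed benign sample, the kind a vendor installation CD ships with.
SAMPLE_BENIGN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor CD
"""

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        launches = launch_directives(parse_autorun_inf(sample))
        print(f"{name}: {len(launches)} launch directive(s), flagged: {flag_recycler_launches(sample)}")
```

Run it against a copy of the autorun.inf read from the drive rather than opening the drive in Explorer; a launch directive into RECYCLER is a strong sign that the RECYCLER folder on that drive also holds the worm copy and the BNFO / dEsKtOp.InI files listed above.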

Other information

The following programs are terminated:

  • acs.exe
  • agrs.exe
  • AntiTrojan.exe
  • ants.exe
  • aswboot.exe
  • atwatch.exe
  • avast.exe
  • avengine.exe
  • avgcc32.exe
  • avgemc.exe
  • avgfree.exe
  • avgnt.exe
  • avgsetup.exe
  • avguard.exe
  • avnt.exe
  • avp.exe
  • avpcc.exe
  • avsched32.exe
  • bdagent.exe
  • blackice.exe
  • btdfbr.exe
  • btrl.exe
  • btscan.exe
  • ccapp.exe
  • ccleaner.exe
  • ccproxy.exe
  • ccSvcHost.exe
  • cleaner.exe
  • cmd.exe
  • EMLPROUI.exe
  • EMLPROXY.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • kavpf.exe
  • kpf4ss.exe
  • lockdown.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • McProxy.exe
  • mcregist.exe
  • mcshield.exe
  • mcsysmon.exe
  • mmc.exe
  • mpfservice.exe
  • msconfig.exe
  • navapsvc.exe
  • navw32.exe
  • nisserv.exe
  • nisum.exe
  • nod32.exe
  • nod32krn.exe
  • ONLINENT.exe
  • OPSSVC.exe
  • outpost.exe
  • pavfires.exe
  • pavproxy.exe
  • pccntmon.exe
  • persfw.exe
  • qhunpack.exe
  • QUHLPSVC.exe
  • realmon.exe
  • reg.exe
  • regedit.exe
  • rstrui.exe
  • SCANNER.exe
  • SCANWSCS.exe
  • SENSOR.exe
  • SiteAdv.exe
  • smc.exe
  • tasklist.exe
  • taumon.exe
  • tds-3.exe
  • tsnt2008.exe
  • UPSCHD.exe
  • usbguard.exe
  • vbcons.exe
  • vsserv.exe
  • vsstat.exe
  • watchdog.exe
  • YMSGRTRAY.exe
  • zapro.exe
  • zonealarm.exe

The worm is able to log keystrokes.

The data is saved in the following file:

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info

The worm may create the following files:

  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\OnlyDbv.jpg
  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\wndsvc.dll