Win32/AutoRun.Agent.VZ [Threat Name] go to Threat

Win32/AutoRun.Agent.VZ [Threat Variant Name]

Category worm
Size 157162 B
Detection created May 12, 2010
Detection database version 5108
Aliases Trojan-Dropper.MSIL.StubRC.ato (Kaspersky)
  W32.Ircbrute (Symantec)
  Dropper.Generic2.HTW (AVG)
Short description

Win32/AutoRun.Agent.VZ is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.


When executed, the worm copies itself in some of the the following locations:

  • %system%\­srvhost64.exe
  • %windir%\­srvhost64.exe
  • %appdata%\­srvhost64.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "System Server Cache" = "%folder%\­srvhost64.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "System Server Cache" = "%folder%\­srvhost64.exe"

The %folder% is one of the following strings:

  • %system%
  • %windir%
  • %appdata%

The worm creates and runs a new thread with its own program code within the following processes:

  • winlogon.exe
  • explorer.exe
Spreading on removable media

The worm copies itself into existing folders of removable drives.

The following filename is used:

  • %drive%\­RECYCLER\­{36436-46377-3645c34}\­msconfig32.exe

The worm creates the following file:

  • %drive%\­autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:


The IRC protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • collect information about the operating system used
  • remove itself from the infected computer

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­App]
    • "new"

Please enable Javascript to ensure correct displaying of this content and refresh this page.