Win32/AutoRun.Autoit.CT [Threat Name]

Win32/AutoRun.Autoit.CT [Threat Variant Name]

Category worm
Size 1137995 B
Detection created Jun 03, 2010
Detection database version 5168
Aliases Generic2_c.PPF (AVG), Autoit_gen.A (Norman)
Short description

Win32/AutoRun.Autoit.CT is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm creates the following files:

  • %windir%\cysrun.exe (280491 B)
  • %windir%\cyswin.exe (297653 B)
  • %windir%\cysusb.exe (279823 B)
  • %temp%\Set0x8.dat (1137995 B)
  • %temp%\Set0x4.dat (297653 B)
  • %temp%\Set0x2.dat (280491 B)
  • %temp%\Set0x12.dat (279823 B)

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Cyswin" = "%windir%\cyswin.exe"
    • "Cysrun" = "%windir%\cysrun.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • %drive%\Cysset.exe (1137995 B)

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
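
A host triage check for the persistence entries, Explorer settings and removable-media files listed in this entry, added here as an example and not part of the original description; it assumes PowerShell on the inspected Windows host and only reports findings without changing anything.

```powershell
# Added triage script (not from the entry above or the worm itself): reports the
# indicators this description lists. Paths and values are taken from the entry;
# the script only reads, it removes nothing.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$runVals = @('Cyswin', 'Cysrun')
$files   = @("$env:windir\cysrun.exe", "$env:windir\cyswin.exe", "$env:windir\cysusb.exe",
             "$env:windir\Winysys.conf", "$env:TEMP\Set0x8.dat", "$env:TEMP\Set0x4.dat",
             "$env:TEMP\Set0x2.dat", "$env:TEMP\Set0x12.dat")
$findings = @()

# Persistence: the two Run values that point at the dropped executables
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in $runVals) {
    if ($run -and $run.PSObject.Properties[$v]) {
        $findings += "Run value '$v' = '$($run.$v)'"
    }
}

# Explorer settings the worm changes so its files stay out of sight:
# Hidden = 2 means "do not show hidden files", ShowSuperHidden = 0 hides protected OS files
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2)          { $findings += "Explorer 'Hidden' is 2 (hidden files not shown)" }
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings += "Explorer 'ShowSuperHidden' is 0 (system files hidden)" }

# Dropped files in %windir% and %temp% (-Force so hidden/system attributes do not mask them)
foreach ($f in $files) {
    if (Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue) { $findings += "File present: $f" }
}

# Removable drives (DriveType 2): the worm's copy plus the autorun.inf that launches it
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    foreach ($name in 'Cysset.exe', 'autorun.inf') {
        $p = Join-Path $d.DeviceID $name
        if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) { $findings += "Removable media: $p" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No Win32/AutoRun.Autoit.CT indicators found' }
```

Run it in an elevated session so the HKLM Run key and %windir% are readable; a hit on any line is a reason to isolate the host and the media before cleanup.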

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm connects to the following addresses:

  • irc.freenode.net

The IRC protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes

The worm collects the following information:

  • operating system version
  • user name
  • computer IP address
  • computer name
  • list of running processes

The worm can send the information to a remote machine.


The following programs are terminated:

  • attrib.exe
  • combofix.exe
  • killbox.exe
  • msconfig.exe
  • procexp.exe
  • taskkill.exe
  • tasklist.exe
  • taskmgr.exe

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Pocket Killbox
  • Process Explorer

The worm may create the following files:

  • %windir%\Winysys.conf
  • %temp%\MsDos.Txt
  • %temp%\Setting2x.Conf
  • %temp%\Setting4x.Conf
