Win32/AutoRun.Autoit.ED [Threat Name]

Win32/AutoRun.Autoit.ED [Threat Variant Name]

Category worm
Size 649291 B
Detection created Aug 02, 2011
Detection database version 6345
Aliases Trojan:win32/Malex.gen!E (Microsoft)
Short description

Win32/AutoRun.Autoit.ED is a worm that tries to set a password on all hard disk drives that support the ATA Security mode.

Installation

When executed, the worm copies itself to some of the following locations:

  • %windir%\svchost.exe (649291 B)
  • %temp%\svchost.exe (649291 B)

This copy of the worm is then executed. Note that the legitimate svchost.exe lives in %windir%\System32; a file of that name directly in %windir% or in %temp% is not a Windows component.


The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "shell" = "explorer.exe %malwarepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Sound_filter" = "%temp%\svchost.exe"

Both entries ensure the copy is executed at every logon: the machine-wide Winlogon "shell" value starts it alongside explorer.exe as the user shell, and the "Run" value starts it for the current user.

Spreading on removable media

Win32/AutoRun.Autoit.ED is a worm that spreads via removable media.


The worm copies itself into the root folders of removable drives using the following name:

  • USBCheck.exe (649291 B)

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm is started each time the infected media is inserted into a computer that still honours autorun.inf on removable drives. Windows 7 and later, and Windows XP/Vista with update KB971029 applied, ignore autorun.inf on non-optical removable media, so on those systems the copy runs only if the user launches USBCheck.exe manually.

Payload information

Win32/AutoRun.Autoit.ED is a worm that tries to set a password on all hard disk drives that support the ATA Security mode.


The lock is enforced by the drive's own firmware (ATA SECURITY SET PASSWORD), so the disk refuses reads and writes until the correct password is supplied. It stays locked if it is moved to another machine or the system is booted from other media, and the machine typically stops at a BIOS/UEFI hard-disk password prompt at power on.


The password to regain access to the locked disk is one of the following:

  • disk serial number (without spaces)
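
The following shell script is an added example and is not part of this entry or of any vendor tool. It shows how a responder working from a Linux live system would check a drive's ATA Security state in `hdparm -I` output, derive the recovery password described above (the serial number with spaces removed) and print the hdparm commands that unlock the drive and remove the password. It assumes hdparm's `-I` output layout and that the worm set the ATA user password (the slot `--user-master u` addresses); the device name /dev/sdX and the `hdparm -I` text used when no device is given are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the ESET entry): check the ATA Security state
# of a drive from `hdparm -I` output and derive the recovery password the
# entry describes (the drive serial number with spaces removed).
# Assumptions: hdparm's `-I` output layout, and that the worm set the ATA
# *user* password (the slot that `--user-master u` addresses).

# Constructed sample of the relevant parts of `hdparm -I` on a drive that
# has been locked; used when no device argument is given.
SAMPLE_HDPARM_I='ATA device, with non-removable media
        Model Number:       ST3500418AS
        Serial Number:      9VM 1A2B3C
        Firmware Revision:  CC38
Security:
        Master password revision code = 65534
                supported
                enabled
                locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        64min for SECURITY ERASE UNIT. 64min for ENHANCED SECURITY ERASE UNIT.'

# Recovery password candidate: the serial number with all whitespace removed.
ata_serial_password() {
    printf '%s\n' "$1" | awk -F: '/Serial Number:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# ATA security state from the "Security:" section: prints "locked"
# (password set and the drive refusing I/O), "enabled" (password set, drive
# currently unlocked) or "clear" (no password set).
ata_security_state() {
    printf '%s\n' "$1" | awk '
        /^Security:/                    { insec = 1; next }
        insec && /^[^[:space:]]/        { insec = 0 }
        insec && /^[[:space:]]+locked/  { state = "locked" }
        insec && /^[[:space:]]+enabled/ { if (state == "") state = "enabled" }
        END { print (state == "" ? "clear" : state) }'
}

# Whether the BIOS froze the security state at boot. A frozen drive rejects
# SECURITY UNLOCK/DISABLE until it is re-initialised (suspend/resume or
# hot-plug), so check this before attempting recovery.
ata_security_frozen() {
    printf '%s\n' "$1" | awk '
        /^Security:/                    { insec = 1; next }
        insec && /^[^[:space:]]/        { insec = 0 }
        insec && /^[[:space:]]+frozen/  { frozen = 1 }
        END { print (frozen ? "yes" : "no") }'
}

# hdparm commands to unlock the drive and then remove the user password.
# Arguments: device, password.
ata_unlock_commands() {
    printf 'hdparm --user-master u --security-unlock "%s" %s\n' "$2" "$1"
    printf 'hdparm --user-master u --security-disable "%s" %s\n' "$2" "$1"
}

# Stand-alone use: `sh ata_unlock.sh /dev/sda` reads the live drive (needs
# root and hdparm); with no argument the constructed sample is used.
if [ "$#" -gt 0 ]; then
    HDPARM_OUT=$(hdparm -I "$1")
    DEV=$1
else
    HDPARM_OUT=$SAMPLE_HDPARM_I
    DEV=/dev/sdX   # placeholder device name for the sample
fi
STATE=$(ata_security_state "$HDPARM_OUT")
PW=$(ata_serial_password "$HDPARM_OUT")
echo "security state: $STATE, frozen: $(ata_security_frozen "$HDPARM_OUT"), candidate password: $PW"
if [ "$STATE" = locked ]; then
    ata_unlock_commands "$DEV" "$PW"
fi
```

Run the unlock first and the disable second; disabling without unlocking fails on a locked drive. If the security state shows "frozen", the unlock is refused until the drive is re-initialised, and if the serial-derived password is rejected the drive may have been set with a different value than this entry describes, in which case do not keep retrying, since ATA drives count failed attempts and refuse further unlocks until power-cycled.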

Other information

The worm keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Alfa1]
    • "t" = "%date%-%count%"

The worm can modify the following files:

  • %drive%\ntldr
  • %drive%\bootmgr
  • %drive%\reco.bin
  • %drive%\reco.sys

The worm may cause the operating system to crash. Since ntldr (Windows XP) and bootmgr (Windows Vista and later) are the boot loaders, tampering with them can leave the system unbootable even after the drive has been unlocked.
