Win32/AutoRun.Caphaw [Threat Name]

Win32/AutoRun.Caphaw.A [Threat Variant Name]

Category worm
Size 345600 B
Detection created Jan 30, 2012
Detection database version 7951

Short description

Win32/AutoRun.Caphaw.A is a worm that spreads via shared folders and removable media. The worm is usually a part of other malware.

Installation

When executed, the worm creates the following files:

  • %currentfolder%\thumbs.db%variable%
  • %currentfolder%\desktop.ini%variable%
  • %currentfolder%\pagefile.sys%variable%
  • %currentfolder%\readme.txt%variable%

A string with variable content is used instead of %variable%.

Spreading

Win32/AutoRun.Caphaw.A is a worm that spreads via shared folders and removable media.


The worm searches for files with the following file extensions:

  • *.lnk
  • *.exe
  • *.com
  • *.bat
  • *.xls?
  • *.doc
  • *.docx
  • *.one
  • *.ppt
  • *.pptx
  • *.pps
  • *.ppsx
  • *.vsd
  • *.vss
  • *.vst
  • *.vdx
  • *.vsx
  • *.vtx
  • *.ad?
  • *.acc??
  • *.md?
  • *.ma?
  • *.zip
  • *.rar
  • *.7z

When the worm finds a file matching the search criteria, it creates a new file. The file is a shortcut to a malicious file. The file name and extension of the newly created file are derived from the original one, and an additional ".lnk" extension is appended.

When an infected file is executed, the original file is also run.


The worm may attempt to download files from the Internet. These are stored in the following locations:

  • %currentfolder%\thumbs.db%variable%
  • %currentfolder%\desktop.ini%variable%
  • %currentfolder%\pagefile.sys%variable%
  • %currentfolder%\readme.txt%variable%

A string with variable content is used instead of %variable%.
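A defender-side check for the file-system traces described in the Installation and Spreading sections, added here as an example and not part of the original description: it walks a folder tree and reports shortcuts named after a targeted file with an extra ".lnk" appended, plus files whose names begin with one of the four listed names followed by additional characters. The function names, finding labels and sample file names are constructed for illustration, and a hit is a lead for triage, not a verdict.

```python
import fnmatch
import os
import tempfile

# Extension patterns the description lists ("?" stands for exactly one character).
TARGET_PATTERNS = (
    "*.lnk *.exe *.com *.bat *.xls? *.doc *.docx *.one *.ppt *.pptx *.pps "
    "*.ppsx *.vsd *.vss *.vst *.vdx *.vsx *.vtx *.ad? *.acc?? *.md? *.ma? "
    "*.zip *.rar *.7z"
).split()
# Listed file names; the worm appends a string with variable content to them.
DROP_PREFIXES = ("thumbs.db", "desktop.ini", "pagefile.sys", "readme.txt")


def scan(root):
    """Return sorted (kind, path) findings for the traces described above."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            low, path = name.lower(), os.path.join(folder, name)
            # <original>.<ext>.lnk where <original>.<ext> has a targeted extension.
            if low.endswith(".lnk"):
                original = low[:-4]
                if any(fnmatch.fnmatchcase(original, p) for p in TARGET_PATTERNS):
                    kind = ("shortcut-with-original" if original in present
                            else "shortcut-double-ext")
                    findings.append((kind, path))
            # Listed name with extra trailing characters (exact names are skipped).
            for prefix in DROP_PREFIXES:
                if low.startswith(prefix) and len(low) > len(prefix):
                    findings.append(("drop-name-with-suffix", path))
                    break
    return sorted(findings)


def demo():
    """Scan constructed sample files; the 'k3f9' suffix is an invented stand-in."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("budget.xlsx", "budget.xlsx.lnk", "notes.docx.lnk",
                     "thumbs.db", "thumbs.dbk3f9", "editor.lnk", "readme.txt"):
            open(os.path.join(root, name), "w").close()
        return [(kind, os.path.basename(p)) for kind, p in scan(root)]


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:24} {name}")
```

Legitimate files such as a backup named readme.txt.bak will also match the suffix rule, so review each hit against the shortcut's target and the file's content before acting on it.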
