Win32/AutoRun.PSW.Agent.E [Threat Name]

Win32/AutoRun.PSW.Agent.E [Threat Variant Name]

Category: worm
Size: 1522384 B
Detection created: Oct 17, 2011
Detection database version: 6551
Short description

Win32/AutoRun.PSW.Agent.E is a worm that steals passwords and other sensitive information. It is able to spread via removable media.

Installation

When executed, the worm copies itself into some of the following locations:

  • %userprofile%\Start Menu\Programs\Startup\
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\
  • %userprofile%\Documents\
  • %userprofile%\Desktop\
  • %userprofile%\Start Menu\
  • %userprofile%\Start Menu\Programs\
  • %allusersprofile%\Start Menu\
  • %appdata%\Microsoft\Windows\Start Menu\
  • %appdata%\Microsoft\Windows\Start Menu\Programs\
  • %programdata%\Microsoft\Windows\Start Menu\

Its filename is one of the following:

  • setup.exe
  • install.exe
  • fotky.exe
  • majkl_dzeksn.exe
  • barunka.exe
  • martinka.exe

Spreading on removable media

The worm copies itself into the root folders of all drives using one of the following file names:

  • setup.exe
  • install.exe
  • fotky.exe
  • majkl_dzeksn.exe
  • barunka.exe
  • martinka.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • Windows Protected Storage passwords and credentials
  • list of running processes
  • registry entries
  • information about the operating system and system settings
  • computer IP address
  • a list of recently visited URLs
  • e-mail addresses
  • list of files/folders on a specific drive
  • environment variables
  • sent IM messages

The worm attempts to send the gathered information to a remote machine.

The worm contains a URL. The HTTP protocol is used.

Other information

The worm creates the following files:

  • %windir%\hid.exe
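A host-side check for the drop locations and file names this entry lists (the Installation and Spreading sections and the hid.exe component above), written here as an added example and not part of the ESET description. The autorun.inf parsing assumes the usual open= / shellexecute= keys, which the entry itself does not spell out.

```powershell
# Added defender-side check, not part of the ESET write-up. File names and
# folders come from this entry; the autorun.inf key names (open=, shellexecute=)
# are an assumption about how such files are typically written.
$names = 'setup.exe','install.exe','fotky.exe','majkl_dzeksn.exe','barunka.exe','martinka.exe'

# Startup and menu folders named in the Installation section
$dirs = @(
    "$env:USERPROFILE\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Start Menu",
    "$env:USERPROFILE\Start Menu\Programs",
    "$env:ALLUSERSPROFILE\Start Menu",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu"
)
# Root folder of every drive (Spreading section)
$dirs += Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }

$hits = @(foreach ($d in $dirs) {
    foreach ($n in $names) {
        $p = Join-Path $d $n
        if (Test-Path -LiteralPath $p) { [pscustomobject]@{ Indicator = 'dropped copy'; Path = $p } }
    }
    # autorun.inf whose open= / shellexecute= line names one of the worm's file names
    $inf = Join-Path $d 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $ref = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute)\s*=\s*(.+)$' |
               ForEach-Object { ($_.Matches[0].Groups[2].Value.Trim() -split '\s+')[0] } |
               Where-Object { $names -contains [IO.Path]::GetFileName($_) }
        if ($ref) { [pscustomobject]@{ Indicator = 'autorun.inf -> ' + ($ref -join ','); Path = $inf } }
    }
})

# Component listed under "Other information"
$hid = Join-Path $env:WINDIR 'hid.exe'
if (Test-Path -LiteralPath $hid) { $hits += [pscustomobject]@{ Indicator = 'dropped file'; Path = $hid } }

if ($hits) { $hits | Format-Table -AutoSize } else { 'No indicators from this entry found.' }
```

A hit on a common name such as setup.exe in Documents is only a lead, not a verdict; confirm with a scanner signature or the file's hash before acting on it.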

The worm terminates processes with any of the following strings in the name:

  • ICQ
  • QIP

Logon passwords of some users may be changed to the following:

  • martyna

The worm displays the following message: