Win32/AutoRun.VB.AAO [Threat Name]

Win32/AutoRun.VB.AAO [Threat Variant Name]

Category: worm
Size: 132608 B
Detection created: Feb 07, 2011
Detection database version: 10944
Aliases:
  • Worm.Win32.VB.ck (Kaspersky)
  • Trojan:Win32/Rimod (Microsoft)
  • W32/YahLover.worm.gen (McAfee)

Short description

Win32/AutoRun.VB.AAO is a worm that spreads via removable media. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\MusaLLaT.exe

This copy of the worm is then executed.


The worm creates the following files:

  • %appdata%\Declare.ini

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MusaLLaT" = "%appdata%\MusaLLaT.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "UACDisableNotify" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    • "EnableLUA" = 0

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following names:

  • MusaLLaT.exe
  • Özel Dosyalar.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm also copies itself into existing folders of removable drives. The name of the file may be based on the name of an existing file or folder. The extension of the file is ".exe".

Other information

The worm modifies the following file:

  • %system%\drivers\etc\hosts

The worm writes entries to the file that map the addresses of security-related Internet sites to 127.0.0.1, effectively disabling access to those sites.
