Win32/AutoRun.VB.AMZ [Threat Name]

Win32/AutoRun.VB.AMZ [Threat Variant Name]

Category worm
Size 434181 B
Detection created Oct 05, 2011
Detection database version 6519
Aliases Trojan.Win32.Swisyn.bvpz (Kaspersky)
  W32/Autorun.bfr!d.virus (McAfee)
  Trojan:Win32/Comame (Microsoft)
  Trojan.Gen (Symantec)
Short description

Win32/AutoRun.VB.AMZ is a worm that spreads via removable media.


Installation

When executed, the worm copies itself to the following locations:

  • c:\'\csrss.exe
  • c:\'\'\csrss.exe

The worm creates the following file:

  • c:\'\desktop.ini

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Office Outlook" = "c:\'\'\csrss.exe"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following names:

  • Assignments.exe
  • Business Ideas.exe
  • Software Keys.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm copies itself to the following location:

  • %removabledrive%\'\csrss.exe

The following file is dropped in the same folder:

  • desktop.ini

The worm searches for files and folders in the root folders of removable drives.

The worm searches for files with the following file extensions:

  • .docx

When the worm finds a file matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the file found in the search, and its extension is ".exe".
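The following script is an added example for this page; it is not ESET's tooling and not code taken from the worm. It turns the indicators listed in the Installation and Spreading sections (the csrss.exe copy under a folder named `'`, the three dropper file names, the autorun.inf pointing at the executable, the ".exe" copies named after ".docx" files, and the "Microsoft Office Outlook" Run value) into checks a responder can run against a mounted removable drive and against the values read from the Run key. The autorun.inf keys `open=`, `shellexecute=` and `shell\...\command=` are assumed as the form in which the path is stored, since the page only says the file "contains the path"; the sample drive layout built by `build_sample_drive` is constructed for the demonstration and contains placeholder bytes, not the worm.

```python
from pathlib import Path
import tempfile

# Indicators as listed on the page (compared case-insensitively).
DROPPER_NAMES = {"assignments.exe", "business ideas.exe", "software keys.exe"}
RUN_VALUE_NAME = "Microsoft Office Outlook"
RUN_VALUE_DATA = r"c:\'\'\csrss.exe"
COMPANION_EXT = ".docx"


def parse_autorun_targets(text):
    """Return the paths referenced by open=, shellexecute= and shell\\...\\command= lines.
    Assumption: these are the keys the dropped autorun.inf uses to name the executable."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith((";", "#", "[")):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            targets.append(value.strip().strip('"'))
    return targets


def scan_removable_root(root):
    """Scan the root folder of a removable drive for the page's indicators.
    Returns a list of (indicator_kind, path) tuples."""
    root = Path(root)
    findings = []
    entries = list(root.iterdir())

    # 1. autorun.inf that launches a file in the same folder.
    inf = root / "autorun.inf"
    if inf.is_file():
        for target in parse_autorun_targets(inf.read_text(errors="replace")):
            findings.append(("autorun_target", str(root / target)))

    # 2. The dropper names the worm uses in the drive root.
    for p in entries:
        if p.is_file() and p.name.lower() in DROPPER_NAMES:
            findings.append(("known_dropper_name", str(p)))

    # 3. csrss.exe under a folder literally named ' (%removabledrive%\'\csrss.exe).
    hidden = root / "'" / "csrss.exe"
    if hidden.is_file():
        findings.append(("csrss_outside_system32", str(hidden)))

    # 4. An .exe whose base name matches a .docx in the same folder (companion copy).
    docx_stems = {p.stem.lower() for p in entries if p.suffix.lower() == COMPANION_EXT}
    for p in entries:
        if p.suffix.lower() == ".exe" and p.stem.lower() in docx_stems:
            findings.append(("docx_companion_exe", str(p)))
    return findings


def check_run_entries(run_values):
    """run_values: mapping of value name -> data read from the HKCU Run key
    (on Windows, e.g. via winreg; here supplied by the caller so the check runs anywhere).
    Flags the exact value from the page and any csrss.exe launched from outside System32."""
    hits = []
    for name, data in run_values.items():
        lowered = data.lower()
        if name == RUN_VALUE_NAME and lowered == RUN_VALUE_DATA.lower():
            hits.append((name, data))
        elif "csrss.exe" in lowered and "system32" not in lowered:
            hits.append((name, data))
    return hits


def build_sample_drive(root):
    """Constructed sample layout mirroring the page's description (placeholder bytes only)."""
    root = Path(root)
    (root / "'").mkdir(parents=True, exist_ok=True)
    (root / "'" / "csrss.exe").write_bytes(b"MZ placeholder")
    (root / "Assignments.exe").write_bytes(b"MZ placeholder")
    (root / "autorun.inf").write_text("[autorun]\nopen=Assignments.exe\nshellexecute=Assignments.exe\n")
    (root / "Report.docx").write_bytes(b"PK placeholder")
    (root / "Report.exe").write_bytes(b"MZ placeholder")
    (root / "notes.txt").write_text("benign file, should not be flagged")
    return root


def demo():
    """Build the constructed drive in a temp folder and scan it; returns the findings."""
    drive = build_sample_drive(tempfile.mkdtemp())
    return scan_removable_root(drive)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:24s} {path}")
    for name, data in check_run_entries({RUN_VALUE_NAME: r"C:\'\'\csrss.exe"}):
        print(f"run_value_persistence     {name} = {data}")
```

On a live system, point `scan_removable_root` at the drive letter and feed `check_run_entries` the values enumerated from `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. Since Windows stopped honouring autorun.inf on USB mass-storage devices (the February 2011 AutoRun update), the Run value and the ".docx"-lookalike ".exe" copies, which rely on a user double-clicking them, are the indicators most likely to matter on a patched host; the autorun.inf check still identifies infected media.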

Other information

The worm contains a URL.

It tries to download a file from that address.


The file is stored in the following location:

  • c:\'\Word.exe

The file is then executed.


The HTTP protocol is used.
