Win32/AutoRun.VB.AWY [Threat Name]

Win32/AutoRun.VB.AWY [Threat Variant Name]

Category: worm
Size: 692224 B
Detection created: Jun 20, 2012
Detection database version: 7235
Aliases: Trojan:Win32/Otran (Microsoft)

Short description

Win32/AutoRun.VB.AWY is a worm that spreads via removable media. The worm collects information used to access certain sites.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\Temp\SVCHOST.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winsys" = "/Temp/SVCHOST"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "winsys" = "/Temp/SVCHOST"

Spreading on removable media


The worm copies itself into the root folders of removable drives using the following name:

  • Adobe-Reader.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects sensitive information when the user browses certain web sites.


The worm is able to log keystrokes.


The worm attempts to send gathered information to a remote machine.


The worm sends the information via e-mail. The worm contains a list of (1) addresses.

Other information

The worm changes the home page of the following web browsers:

  • Internet Explorer

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "http://www.almahdi.songhor.net/"
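
A read-only host triage check for the artifacts listed in this description, as an added example (not ESET's code). The WOW6432Node key paths are an assumption added here: on 64-bit Windows, writes by a 32-bit process under HKLM\SOFTWARE are redirected there.

```powershell
# Added triage example: looks for the artifacts named in this description.
# Read-only. Run elevated so HKLM and %windir%\Temp are readable.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy: %windir%\Temp\SVCHOST.exe
#    (the genuine svchost.exe lives in %windir%\System32, not in Temp)
$copy = Join-Path $env:windir 'Temp\SVCHOST.exe'
if (Test-Path -LiteralPath $copy) { $findings.Add("File present: $copy") }

# 2. Persistence: value "winsys" under the Run and Winlogon keys.
#    The WOW6432Node paths are an assumption (32-bit registry redirection).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $keys) {
    $item  = Get-ItemProperty -LiteralPath $key -Name 'winsys' -ErrorAction SilentlyContinue
    $value = $item.winsys
    if ($null -ne $value) { $findings.Add("Registry value: ${key}\winsys = $value") }
}

# 3. Removable drives (DriveType 2): Adobe-Reader.exe beside autorun.inf in the root
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($drive in $removable) {
    $root = $drive.DeviceID + '\'
    $exe  = Join-Path $root 'Adobe-Reader.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if ((Test-Path -LiteralPath $exe) -and (Test-Path -LiteralPath $inf)) {
        $findings.Add("Removable drive ${root}: Adobe-Reader.exe and autorun.inf in root")
    }
}

# 4. Internet Explorer home page (HKCU: covers only the user running the script)
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ie    = Get-ItemProperty -LiteralPath $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue
$start = $ie.'Start Page'
if ($start -like '*almahdi.songhor.net*') { $findings.Add("IE Start Page = $start") }

# Report
if ($findings.Count -gt 0) { $findings } else { 'No artifacts from this description found.' }
```

A hit on any single item is a lead for further investigation, not a verdict: file names alone do not identify this worm.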
