Win32/AutoRun.VB.AXP [Threat Name]

Win32/AutoRun.VB.AXP [Threat Variant Name]

Category: worm
Size: 1115128 B
Detection created: Jul 18, 2012
Signature database version: 7309
Aliases: Worm.Win32.VB.ect (Kaspersky)

Short description

Win32/AutoRun.VB.AXP is a worm that spreads via removable media. The file is run-time compressed using FSG.

Installation

When executed, the worm copies itself into the following location:

  • %localappdata%\Microsoft\Windows\explorer.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Explorer" = "%localappdata%\Microsoft\Windows\explorer.exe Set"

The worm creates the following file:

  • %temp%\%originalmalwarefilename%.exe (1089536 B, Win32/Statik)

The file is then executed.

Spreading on removable media

Win32/AutoRun.VB.AXP is a worm that spreads via removable media.


The worm copies itself into the root folders of removable drives using the following names:

  • US1012.exe
  • US1012_2.exe

The following file is dropped in the same folder:

  • Autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.
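As an added example (not part of the original description and not the vendor's code), the following Python checks the contents of an autorun.inf file and a Run-key value against the file names and registry entry listed above. The sample autorun.inf text and registry data in the usage section are constructed, since the page does not show the worm's actual autorun.inf; the launch keys checked (open, shellexecute, shell\...\command) are the standard AutoRun keys, assumed here.

```python
import ntpath
import re

# Indicators taken from the description above.
WORM_NAMES = {"us1012.exe", "us1012_2.exe"}
RUN_VALUE_NAME = "explorer"
# The copy lives under ...\Microsoft\Windows\, unlike the real %windir%\explorer.exe.
RUN_PATH_RE = re.compile(r'\\microsoft\\windows\\explorer\.exe(?=["\s]|$)')
# Standard autorun.inf keys that launch a program (assumption, not from the page).
LAUNCH_KEY_RE = re.compile(r'^(open|shellexecute|shell\\[^\\]+\\command)$')
EXE_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted path or first bare token


def autorun_targets(text):
    """Return lower-cased file names launched from the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = EXE_RE.match(value)
        if LAUNCH_KEY_RE.match(key.lower()) and match:
            exe = match.group(1) or match.group(2)  # drop quotes and arguments
            targets.append(ntpath.basename(exe).lower())
    return targets


def autorun_matches_worm(text):
    """Sorted list of launched file names that match the worm's copies."""
    return sorted(set(autorun_targets(text)) & WORM_NAMES)


def run_value_matches_worm(name, data):
    """True if a Run value looks like the persistence entry described above."""
    return name.lower() == RUN_VALUE_NAME and bool(RUN_PATH_RE.search(data.lower()))


if __name__ == "__main__":
    # Constructed sample input, not captured from a real infection.
    sample = "[AutoRun]\r\nopen=US1012.exe\r\nicon=shell32.dll,4\r\n"
    print(autorun_matches_worm(sample))
    print(run_value_matches_worm(
        "Explorer", r"C:\Users\a\AppData\Local\Microsoft\Windows\explorer.exe Set"))
```
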

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a URL address. The HTTP protocol is used.


It may perform the following actions:

  • show/hide application windows
  • uninstall itself

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Start Page" = "%variable%"
  • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
    • "(Default)" = ""
