Win32/AutoRun.XZ [Threat Name]

Win32/AutoRun.XZ [Threat Variant Name]

Category: worm
Size: 32768 B
Detection created: Sep 03, 2008
Detection database version: 3412
Aliases: Worm.Win32.AutoRun.mfa (Kaspersky)
         Spy-Agent.bw.gen.g.trojan (McAfee)
         W32.SillyFDC (Symantec)

Short description

Win32/AutoRun.XZ is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm copies itself into the %programfiles%\Microsoft Common\ folder using the following name:

  • wuauclt.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
    • "Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"

This causes the worm to be executed on every application start.


The worm creates and runs a new thread with its own program code within the following processes:

  • %system%\svchost.exe
  • %windir%\explorer.exe

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • system.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm contains a list of (2) URLs from which it tries to download several files over HTTP. The downloaded files are then executed.

The worm creates the following files:

  • %temp%\%variable%.tmp (6656 B)

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe,%variable1%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%variable3%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%variable4%" = "%variable5%:*:Enabled:%variable6%"

A string with variable content is used instead of %variable(1-6)%.
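A defender-side check for the two Registry persistence mechanisms this description lists, the "Debugger" value under Image File Execution Options for explorer.exe and an extended Winlogon "Userinit" value, added here as an example and not part of the original threat description. It parses a constructed .reg export; the wuauclt.exe path comes from the page, while the Temp .tmp path is an assumed sample value.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (not from the page). It carries the two persistence
# entries described above; the .tmp path is an assumed placeholder for %variable1%.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Temp\\abc.tmp"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
IFEO_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
WINLOGON_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files double backslashes inside string data; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, evidence) pairs for the persistence entries the page describes."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        # Any Debugger value under IFEO replaces the named program with the "debugger".
        if low.startswith(IFEO_PREFIX) and "Debugger" in values:
            findings.append(("IFEO Debugger hijack of " + key.rsplit("\\", 1)[1], values["Debugger"]))
        # Userinit normally holds only userinit.exe; extra comma-separated entries run at logon.
        if low == WINLOGON_KEY and "Userinit" in values:
            parts = [p.strip() for p in values["Userinit"].split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append(("Userinit extra entry", ", ".join(extra)))
    return findings
```

Run `find_persistence(parse_reg(open("export.reg").read()))` against a real `reg export` of the two keys to apply the same checks on a live system.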
