Win32/Autoit.GO [Threat Name] go to Threat

Win32/Autoit.GO [Threat Variant Name]

Category worm
Size 361489 B
Detection created Apr 27, 2010
Detection database version 5065
Aliases W32/Autorun.worm.c (McAfee) (Kaspersky)
  Win32.HLLW.Autoruner.19532 (Dr.Web)
  Worm:Win32/Autorun.VU (Microsoft)
Short description

Win32/Autoit.GO is a worm that spreads via removable media. The file is run-time compressed using UPX .


When executed the worm copies itself in the following locations:

  • %windir%\­
  • %windir%\­svchost.exe

The worm creates the following files:

  • %windir%\­autorun.inf

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SYS1" = "%windir%\­"
    • "SYS1" = "%windir%\­svchost.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
    • "HideFileExt" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDriveTypeAutoRun" = 91
    • "NoFolderOptions" = 1

The following Registry entries are deleted:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Window Title"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Services\­NOD32krn]
    • "ImagePath"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Services\­nod32drv]
    • "ImagePath"
    • "CRCenter"
    • "CRC"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Lao Antivirus"
    • "avgnt"
Spreading on removable media

Win32/Autoit.GO is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following names:

  • japan.exe
  • JapanGirl_10_429_FreedomGirl_onjapan_20a5k2o24n554i.jpg.exe
  • MonsterHunter_Freedom_3G_easda_9re292j92.jpg.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm searches removable drives for files with the following file extensions:

  • %removabledrive%\­*.

When the worm finds a file matching the search criteria, it creates a new copy of itself.

The file name and extension of the newly created file is derived from the original one.

An additional _163fgsdf346kkjk246722kj24562jj.jpg.exe extension is appended.

Other information

The worm attempts to delete the following files:

  • %programfiles%\­ESET\­nod32.exe
  • %programfiles%\­ESET\­nod32kui.exe
  • %programfiles%\­ESET\­nod32krn.exe

The following programs are terminated:

  • taskmgr.exe
  • regedit.exe
  • PrcView.exe
  • avgnt.exe
  • nod32krn.exe
  • nod32kui.exe
  • LaoAV.exe
  • LavCenter.exe

The worm may execute the following commands:

  • %windir%\­notepad.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.