Win32/Autoit.GR [Threat Name] go to Threat

Win32/Autoit.GR [Threat Variant Name]

Category worm
Size 227651 B
Detection created Jul 25, 2010
Detection database version 5311
Aliases WORM_SOHANAD.HDT (TrendMicro)
  Generic.dx!goq (McAfee)
Short description

Win32/Autoit.GR is a worm that spreads by copying itself into certain folders.


When executed, the worm copies itself into the following location:

  • %system%\­SVCHo5T.EXE

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­Currentversion\­Run]
    • "SVCHO5T.EXE" = "%system%\­SVCHO5T.EXE"

The worm searches local drives for files with the following file extensions:

  • *.*

The worm may replace these files with a copy of itself.

The worm also searches for folders on local drives.

When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the folder found in the search.

The filename has the following extension:

  • .exe

The worm moves the content of the following folders (source, destination):

  • %foundfolder%, %system%\­%foundfolder%
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • CD-CNTT-k43.exe

The following file is dropped in the same folder:

  • Daitu-Tn.txt
Other information

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoFolderOptions" = 1

Please enable Javascript to ensure correct displaying of this content and refresh this page.