Win32/Autoit.GU [Threat Name] go to Threat

Win32/Autoit.GU [Threat Variant Name]

Category worm
Size 517930 B
Detection created Dec 15, 2010
Detection database version 5706
Aliases Worm.Win32.AutoIt.afk (Kaspersky)
  W32/YahLover.worm.gen.virus (McAfee)
  Worm:Win32/Sohanad.AS (Microsoft)
  W32.Imaut!gen1 (Symantec)
Short description

Win32/Autoit.GU is a worm that spreads via removable media. The worm collects various information related to online computer games. The worm attempts to send gathered information to a remote machine.

Installation

When executed, the worm copies itself into the following location:

  • %system%\­issas.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Microsoft Install Manager" = "%system%\­issas.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "SuperHidden" = 1
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1
    • "Hidden" = 2

The following Registry entry is deleted:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run\­Microsoft Task Manager]
Spreading on removable media

The worm copies itself into the root folders of removable drives using filename based on the name of an existing file or folder.


The extension of the file is "exe" .

Information stealing

The worm collects various information related to online computer games.


The virus searches for windows with the title containing any of the following strings:

  • Official MU Online

The worm is able to log keystrokes.


The collected information is stored in the following file:

  • %system%\­issas.log

The worm sends the information via e-mail.


The worm contains a list of (1) addresses.

Other information

The following programs are terminated:

  • msklg.exe

The following files are deleted:

  • C:\­Windows\­System32\­msklg.exe
  • C:\­Windows\­System32\­msklg.log

Please enable Javascript to ensure correct displaying of this content and refresh this page.