Win32/Ainslot [Threat Name]

Win32/Ainslot.AA [Threat Variant Name]

Category: worm
Size: 922112 B
Aliases: Worm:Win32/Ainslot.A (Microsoft)
         Worm/Ainslot.A.2764 (Avira)
Short description

Win32/Ainslot.AA is a worm that spreads via removable media. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using IExpress and UPX.


When executed, the worm creates the following files:

  • %temp%\IXP%variable%.tmp\RSBOT-~1.EXE (17408 B)
  • %temp%\IXP%variable%.tmp\WINDOW~1.EXE (805376 B, Win32/Ainslot.AA)
  • %appdata%\server.exe (805376 B, Win32/Ainslot.AA)

A string with variable content is used instead of %variable%.

The files are then executed.

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "Windows Defender" = "%appdata%\server.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Defender" = "%appdata%\server.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Defender" = "%appdata%\server.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "DoNotAllowExceptions" = 0
  • [HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%temp%\IXP%variable%.tmp\WINDOW~1.EXE" = "%temp%\IXP%variable%.tmp\WINDOW~1.EXE:*:Enabled:Windows Messanger"
    • "%appdata%\server.exe" = "%appdata%\server.exe:*:Enabled:Windows Messanger"

These Registry entries create an exception for the worm's files in the Windows Firewall.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FC6B63FB-9FCB-AAA7-A314-3ABD03BE6DD2}]
    • "StubPath" = "%appdata%\server.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{FC6B63FB-9FCB-AAA7-A314-3ABD03BE6DD2}]
    • "StubPath" = "%appdata%\server.exe"
  • [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE]
    • "IUA6K9NR6M" = "%date%"
  • [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID]
    • "IUA6K9NR6M" = "Create's Bot"
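
The Run, Active Setup and Windows Firewall entries listed above are the artefacts a responder would look for in a Registry export taken from a suspect machine. The script below is an added example, not ESET's code and not part of the malware: it parses a .reg export and flags autostart values and Active Setup StubPath values that launch from %appdata% or %temp%, a StandardProfile with DoNotAllowExceptions set to 0, and AuthorizedApplications\List entries of the form path:*:Enabled:name that authorise a program in a user-writable directory. The export embedded in the script is constructed for the demonstration; the key paths and value names follow the description above, while the expanded user paths and the "VendorUpdater" entry are invented.

```python
"""Triage a Windows Registry export (.reg text) for the persistence and
firewall-exception patterns listed in the Win32/Ainslot.AA description.
Added example; not ESET's code and not part of the malware. The export
below is constructed: key paths and value names follow the description,
the expanded user paths and the benign "VendorUpdater" entry are invented."""
import re

# Constructed .reg export mixing one benign entry with Ainslot-style ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Example\\updater.exe"
"Windows Defender"="C:\\Users\\alice\\AppData\\Roaming\\server.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Windows Defender"="C:\\Users\\alice\\AppData\\Roaming\\server.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FC6B63FB-9FCB-AAA7-A314-3ABD03BE6DD2}]
"StubPath"="C:\\Users\\alice\\AppData\\Roaming\\server.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Users\\alice\\AppData\\Local\\Temp\\IXP000.TMP\\WINDOW~1.EXE"="C:\\Users\\alice\\AppData\\Local\\Temp\\IXP000.TMP\\WINDOW~1.EXE:*:Enabled:Windows Messanger"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"""

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')
# Path markers for the directories the worm drops into (expanded or unexpanded)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "%appdata%", "%temp%")


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Only REG_SZ strings and dwords are decoded; other value types are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, rhs = _unescape(m.group(1)), m.group(2)
            if rhs.startswith("dword:"):
                keys[current][name] = int(rhs[len("dword:"):], 16)
            elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
                keys[current][name] = _unescape(rhs[1:-1])
    return keys


def in_user_writable(path):
    """True when a path sits under %appdata% or %temp%, where the worm keeps its copies."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(reg_text):
    """Return (rule, key, value_name, value) tuples for the suspicious entries."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\policies\\explorer\\run"):
            # Autostart values launching from user-writable directories
            for name, val in values.items():
                if isinstance(val, str) and in_user_writable(val):
                    findings.append(("autostart", key, name, val))
        elif "\\active setup\\installed components\\" in k:
            # Active Setup StubPath is run once per user at logon
            stub = values.get("StubPath")
            if isinstance(stub, str) and in_user_writable(stub):
                findings.append(("active_setup", key, "StubPath", stub))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("DoNotAllowExceptions") == 0:
                findings.append(("firewall_exceptions_allowed", key, "DoNotAllowExceptions", 0))
        elif k.endswith("\\authorizedapplications\\list"):
            # Value format is "<path>:<scope>:<Enabled|Disabled>:<display name>"
            for name, val in values.items():
                if not isinstance(val, str):
                    continue
                parts = val.rsplit(":", 3)
                if len(parts) == 4 and parts[2] == "Enabled" and in_user_writable(parts[0]):
                    findings.append(("firewall_exception", key, name, val))
    return findings


if __name__ == "__main__":
    for rule, key, name, val in triage(SAMPLE_REG):
        print(f"{rule:28} {name!r} -> {val!r}")
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, and the same for the other keys above) the script reports the five entries the sample reproduces: two autostart values, one StubPath, the exceptions-allowed flag and one authorised application in %temp%. The display name "Windows Messanger" and the value name "Windows Defender" are kept in the constructed data exactly as the description lists them; matching on the path rather than on the display name is deliberate, since the name is chosen by the malware to look legitimate.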
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • %originalfilename%

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
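
A responder examining a removable drive wants to know whether its autorun.inf points at a file sitting in the same root. The following script is an added example, not ESET's code: it parses the [autorun] section, picks out the keys that launch a program (open, shellexecute and shell\verb\command) and reports whether each target exists in the drive root. The page does not give the contents of the worm's autorun.inf, so the sample file and the drive layout are constructed in a temporary directory, with an empty file standing in for the worm's copy.

```python
"""Inspect the root of a (removable) drive for an autorun.inf whose launch
entries point at a file in the same root, the pattern the description above
attributes to the worm's removable-media copy. Added example; not ESET's
code. The autorun.inf content and the drive root are constructed here in a
temporary directory; the real file's contents are not given on the page."""
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, val = line.split("=", 1)
            entries[key.strip().lower()] = val.strip()
    return entries


def is_launch_key(key):
    # open=, shellexecute= and shell\<verb>\command= all launch a program
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def triage_autorun(root_dir):
    """Report each launch target of <root_dir>/autorun.inf and whether the
    referenced file actually exists in the drive root."""
    inf = os.path.join(root_dir, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, val in entries.items():
        if not is_launch_key(key):
            continue
        target = val.split()[0].strip('"') if val else ""
        findings.append({
            "key": key,
            "target": target,
            "present_in_root": os.path.isfile(os.path.join(root_dir, target)),
        })
    return findings


# Constructed sample autorun.inf; the worm's real file content is not on the page
SAMPLE_AUTORUN = r"""[autorun]
open=server.exe
shellexecute=server.exe
shell\open\command=server.exe
icon=server.exe
"""


def build_demo_root():
    """Create a throwaway directory laid out like an infected drive root."""
    root = tempfile.mkdtemp(prefix="ainslot_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    # Empty stand-in for the worm's copy; no malicious content
    open(os.path.join(root, "server.exe"), "wb").close()
    return root


if __name__ == "__main__":
    for finding in triage_autorun(build_demo_root()):
        print(finding)
```

Point `triage_autorun` at the mount point of a real drive (for example `E:\`) to check it. On systems where AutoRun for removable drives is disabled (the default since the 2011 AutoRun update, enforced through the NoDriveTypeAutoRun policy value), the referenced file is not started automatically, but an autorun.inf whose targets exist in the drive root remains a strong indicator that the media was touched by a worm of this kind.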

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of URLs. The TCP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • capture screenshots
  • watch the user's screen content
  • open a specific URL address
  • perform DoS/DDoS attacks
  • terminate running processes
  • log keystrokes
  • log off the current user
  • shut down/restart the computer
  • collect information about the operating system used
  • steal information from the Windows clipboard
  • create Registry entries
  • delete Registry entries
  • various filesystem operations
  • send the list of disk devices and their type to a remote computer
  • send the list of files on a specific drive to a remote computer
  • send the list of running processes to a remote computer
  • capture webcam video/voice
  • block access to specific websites
  • redirect network traffic
  • execute shell commands
  • show/hide application windows
  • block keyboard and mouse input
  • spread via removable drives
  • spread via shared folders and P2P networks
  • spread via MSN network
  • retrieve CPU information
  • show fake alerts
  • encrypt selected files
  • decrypt selected files
  • set up a proxy server
