MSIL/Autorun.Agent.EF [Threat Name] go to Threat

MSIL/Autorun.Agent.EF [Threat Variant Name]

Category worm
Size 384000 B
Short description

MSIL/Autorun.Agent.EF is a worm that spreads via removable media. The worm may attempt to delete all files on the local drives.


When executed, the worm copies itself into the following location:

  • %system%\­ESET.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "ESET" = "c:\­windows\­system32\­ESET.exe"
Spreading on removable media

The worm copies itself into the root folders of fixed and/or removable drives using the following name:

  • ESET.exe

The following file is dropped in the same folder:

  • autorun.inf (27 B)

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Payload information

If the current system date and time matches certain conditions, the worm attempts to delete all files and folders stored on the available drives.

Other information

The worm may execute the following commands:

  • %system%\­ping.exe -l 65500 -t
  • %system%\­ %drive% /q/y
  • cmd /c rmdir %folderpath% /fs:ntfs /s/q
  • cmd /c dir %drive%\­/A:D/B > c:\­winnt.dat

Please enable Javascript to ensure correct displaying of this content and refresh this page.