Win32/AutoPlayStudio [Threat Name]

Win32/AutoPlayStudio.A [Threat Variant Name]

Category worm
Size 1764278 B
Aliases Trojan.Win32.Agent.ahadg (Kaspersky)

Short description

Win32/AutoPlayStudio.A is a worm that spreads via removable media.

Installation

The worm replaces file(s) referenced by the following Registry entries with its own copy or with another malware file:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

This causes the worm to be executed on every system start.


The original file is stored in the following location:

  • %originalfilepathwithoutextension%$.exe

The worm may search for various folders. Only the following folders are searched:

  • %system%

When the worm finds a folder matching the search criteria, it creates a new copy of itself.


The name of the new file is based on the name of the folder found in the search. The extension of the file is ".exe".


The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows %foldername%" = "%system%\%foldername%\%foldername%.exe"

Spreading

The worm searches local drives for files with the following file extensions:

  • .exe

It avoids those with any of the following strings in their names:

  • a:\
  • b:\
  • %systemdrive%

When the worm finds a file matching the search criteria, it creates a new copy of itself.


The file name and extension of the newly created file are derived from the original one.


The original file is stored in the following location:

  • %originalfilenamewithoutextension%$.exe

The worm can modify the following file:

  • %drive%\autorun.inf
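The Installation and Spreading sections above describe two host artefacts a responder can hunt for: the displaced original kept as "<name>$.exe" beside each replaced .exe, and a Run value named "Windows <foldername>" whose data ends in "<foldername>\<foldername>.exe". The script below is an added example, not ESET's tooling; it scans a constructed temporary directory and a constructed Run-key export (the SAMPLE_RUN names and paths and the app.exe/clean.exe files are assumed sample data), so it runs offline on any platform.

```python
import os
import re
import tempfile
from pathlib import Path

COMPANION_SUFFIX = "$.exe"  # displaced original is kept as "<name>$.exe" next to the worm's copy
RUN_NAME_RE = re.compile(r"^Windows (?P<folder>.+)$")  # Run value named "Windows <foldername>"

def find_companion_pairs(root):
    """Return sorted (infected_exe, stored_original) path pairs found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # case-insensitive lookup, as on NTFS
        for f in files:
            low = f.lower()
            if not low.endswith(".exe") or low.endswith(COMPANION_SUFFIX):
                continue
            companion = by_lower.get(low[:-len(".exe")] + COMPANION_SUFFIX)
            if companion is not None:
                hits.append((os.path.join(dirpath, f), os.path.join(dirpath, companion)))
    return sorted(hits)

def suspicious_run_values(run_values):
    """Flag Run values named "Windows <folder>" whose data ends in \\<folder>\\<folder>.exe."""
    flagged = []
    for name, data in run_values.items():  # {value name: data} as exported from HKCU\...\Run
        m = RUN_NAME_RE.match(name)
        if m is None:
            continue
        folder = m.group("folder").lower()
        parts = data.strip('"').replace("/", "\\").split("\\")  # tolerate quoted paths
        if len(parts) >= 2 and parts[-2].lower() == folder and parts[-1].lower() == folder + ".exe":
            flagged.append(name)
    return flagged

SAMPLE_RUN = {  # constructed Run export, not from a real host; only the first entry matches
    "Windows ontimer": r"C:\Windows\System32\ontimer\ontimer.exe",
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Windows Defender": r"C:\Program Files\Windows Defender\MSASCuiL.exe",
}

def demo():
    """Build a constructed tree with one infected/companion pair, then scan it and SAMPLE_RUN."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "app.exe").write_bytes(b"MZ")    # worm copy under the original name
        Path(tmp, "app$.exe").write_bytes(b"MZ")   # displaced original
        Path(tmp, "clean.exe").write_bytes(b"MZ")  # untouched, no companion
        pairs = find_companion_pairs(tmp)
    return [os.path.basename(p) for p, _ in pairs], suspicious_run_values(SAMPLE_RUN)
```

On a live host, point find_companion_pairs at the drive roots the worm touches and feed suspicious_run_values a dict built from a reg export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run; a companion pair alone is also worth checking against a known-good file hash before deleting anything.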

Other information

The worm may attempt to download files from the Internet.


The worm contains a list of (3) URLs. It tries to download several files from the addresses.


These are stored in the following locations:

  • %system%\ontimer
  • D:\Root

The files are then executed. The HTTP protocol is used.


The worm opens the following URLs:

  • http://www.ads%removed%.ir
