Win32/AutoRun.Agent.UP [Threat Name]

Win32/AutoRun.Agent.UP [Threat Variant Name]

Category: worm
Size: 56320 B
Detection created: Feb 02, 2010
Detection database version: 4829
Aliases: Trojan.Win32.Scar.buor (Kaspersky), Infostealer (Symantec), Generic.dx!paw (McAfee)

Short description

Win32/AutoRun.Agent.UP is a worm that spreads by copying itself into certain folders. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %temp%\%originalfilename%.exe (56320 B)

A string with variable content is used instead of %originalfilename%.


The worm creates the following files:

  • %temp%\mxs.exe (4608 B)
  • %temp%\ader.exe (26112 B)
  • %windir%\mssrvc\svchost.exe (26112 B)

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "svchost" = "%windir%\mssrvc\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe,%temp%\%originalfilename%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "HideFileExt" = 2
    • "Hidden" = 2

The worm creates and runs a new thread with its own program code within the following processes:

  • %system%\svchost.exe
  • %windir%\explorer.exe

Spreading

Win32/AutoRun.Agent.UP is a worm that spreads by copying itself into certain folders.

When the worm finds a folder matching the search criteria, it creates a new copy of itself. The name of the new file is based on the name of the folder found in the search. The extension of the file is ".exe".

The worm attempts to replace the following files with a copy of itself:

  • *.exe
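As an added detection example (not part of the ESET entry), the following PowerShell script audits a host for the indicators listed in the Installation and Spreading sections above: the "svchost" Run value, extra entries appended to the Winlogon Userinit value, the Explorer view settings, the three dropped files, and .exe files of the sample's 56320 B size under a caller-supplied folder (flagging those named after their parent folder, the pattern the Spreading section describes). It only reads and reports; it removes nothing. Assumptions not on the page: %windir%, %temp% and %system% map to $env:SystemRoot, $env:TEMP and $env:SystemRoot\System32, and the function name and default scan root are hypothetical.

```powershell
# Added audit script (not ESET's code): reports the registry, file and
# spreading indicators from the Win32/AutoRun.Agent.UP entry. Read-only.
# Assumptions: %windir% = $env:SystemRoot, %temp% = $env:TEMP,
# %system% = $env:SystemRoot\System32. Function name and default
# scan root are hypothetical choices for this example.

function Get-AutoRunAgentUPFindings {
    param(
        [string]$ScanRoot   = $env:USERPROFILE,  # folder tree searched for size-matched .exe copies
        [long]  $SampleSize = 56320              # size of the worm body given in the entry
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Run key value "svchost" pointing at %windir%\mssrvc\svchost.exe
    #    (the real svchost.exe lives in %system%, not in a %windir% subfolder)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.svchost) {
        $findings.Add("Run key 'svchost' = $($run.svchost)")
    }

    # 2. Winlogon Userinit: the legitimate value is %system%\userinit.exe followed
    #    by a comma; any further comma-separated path is launched at every logon.
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue
    $legit = Join-Path $env:SystemRoot 'System32\userinit.exe'
    if ($wl -and $wl.Userinit) {
        $entries = $wl.Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($e in $entries) {
            if ($e -ine $legit) { $findings.Add("Userinit extra entry: $e") }
        }
    }

    # 3. Explorer view settings the entry lists; hidden extensions and hidden
    #    files let a dropped "<folder>.exe" pass for the folder it mimics.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
    if ($adv) {
        if ($adv.HideFileExt -eq 2) { $findings.Add('Explorer\Advanced HideFileExt = 2') }
        if ($adv.Hidden -eq 2)      { $findings.Add('Explorer\Advanced Hidden = 2') }
    }

    # 4. Dropped files named in the entry, reported with their on-disk size
    $dropped = @(
        (Join-Path $env:TEMP 'mxs.exe'),
        (Join-Path $env:TEMP 'ader.exe'),
        (Join-Path $env:SystemRoot 'mssrvc\svchost.exe')
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $len = (Get-Item -LiteralPath $p).Length
            $findings.Add("Dropped file present: $p ($len B)")
        }
    }

    # 5. Spreading: .exe files of exactly the sample size under $ScanRoot; a base
    #    name equal to the parent folder's name matches the copy pattern described.
    if (Test-Path -LiteralPath $ScanRoot -PathType Container) {
        Get-ChildItem -LiteralPath $ScanRoot -Filter '*.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq $SampleSize } |
            ForEach-Object {
                $tag = if ($_.BaseName -ieq $_.Directory.Name) { ' [name matches parent folder]' } else { '' }
                $findings.Add("Size-matched exe: $($_.FullName)$tag")
            }
    }

    return $findings
}

$results = @(Get-AutoRunAgentUPFindings)
if ($results.Count -eq 0) { 'No Win32/AutoRun.Agent.UP indicators found.' }
else { $results | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated session so the HKLM keys and other users' folders are readable; a size match alone is a weak signal, so treat check 5 as a triage list to hash and compare against the sample rather than as a verdict.
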

Other information

The worm connects to the following addresses:

  • www.microsoft.com
  • www.google.com
  • dell-d3e62f7e26

The worm contains a list of 7 URLs. It tries to download several files from these addresses; the files are then executed.

The worm may create the following files:

  • %temp%\rdl%variable%.tmp

A string with variable content is used instead of %variable%.

The worm may execute the following commands:

  • %windir%\explorer.exe %path%