Win32/AutoRun.CH [Threat Name]

Win32/AutoRun.CH [Threat Variant Name]

Category: worm
Size: 221184 B
Aliases:
  • Virus.Win32.AutoRun.fb (Kaspersky)
  • Generic.VB.b (McAfee)
  • W32.SillyFDC (Symantec)

Short description

Win32/AutoRun.CH is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • Knight.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Disk Knight" = "%windir%\Knight.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Disk Knight]
    • "DisplayName" = "Disk Knight"
    • "UninstallString" = "%windir%\Knight.exe uninstall"
    • "DisplayVersion" = "2.0"
    • "Publisher" = "Kalpurush"
    • "HelpLink" = "http://www.ariful.esmartweb.com/software.html"
    • "Readme" = "res://%windir%\Knight.exe/about.html"
    • "Contact" = "ariful2k@hotmail.com"

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • Knight.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
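The artifacts listed under Installation and Spreading on removable media can be checked on a host with a read-only script. The PowerShell below is an added example, not part of the original description; the function names, the extra WOW6432Node lookup and the test of the autorun.inf contents are assumptions made here.

```powershell
# Added example, read-only: reports the artifacts named in this description.

# Hypothetical helper: describe a Knight.exe copy if it exists (hidden files included).
function Get-KnightCopy([string]$Path) {
    if ([System.IO.File]::Exists($Path)) {
        $len = (New-Object System.IO.FileInfo $Path).Length
        "File: $Path ($len bytes; this description lists 221184 B)"
    }
}

function Find-AutoRunCHArtifacts {
    $found = @()

    # Installation: copy of the worm in %windir%
    $found += @(Get-KnightCopy "$env:windir\Knight.exe")

    # Registry: check the native view and the WOW6432Node view (assumption:
    # writes by a 32-bit process on 64-bit Windows may have been redirected there)
    foreach ($sw in 'HKLM:\Software', 'HKLM:\Software\WOW6432Node') {
        $cv = "$sw\Microsoft\Windows\CurrentVersion"
        $run = Get-ItemProperty -Path "$cv\Run" -Name 'Disk Knight' -ErrorAction SilentlyContinue
        if ($run) { $found += "Run value: $cv\Run 'Disk Knight' = $($run.'Disk Knight')" }
        if (Test-Path -LiteralPath "$cv\Uninstall\Disk Knight") {
            $found += "Key: $cv\Uninstall\Disk Knight"
        }
    }

    # Removable media (Win32_LogicalDisk DriveType 2): files in the drive root
    foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
        $found += @(Get-KnightCopy "$($d.DeviceID)\Knight.exe")
        $inf = "$($d.DeviceID)\autorun.inf"
        if ([System.IO.File]::Exists($inf)) {
            # Assumption: the dropped autorun.inf names Knight.exe;
            # the description does not show its contents.
            $text = ''
            try { $text = [System.IO.File]::ReadAllText($inf) } catch { }
            if ($text -match 'Knight\.exe') { $found += "autorun.inf references Knight.exe: $inf" }
            else { $found += "autorun.inf present (no Knight.exe reference read): $inf" }
        }
    }
    $found
}

# Prints one line per artifact; no output means none were found.
Find-AutoRunCHArtifacts
```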

Other information

The worm blocks application execution.
