Win32/AutoRun.DA [Threat Name] go to Threat

Win32/AutoRun.DA [Threat Variant Name]

Category worm
Size 766464 B
Aliases Virus.Win32.AutoRun.adk (Kaspersky)
  W32/Generic.m (McAfee)
  Trojan.delfelk.A (BitDefender)
Short description

Win32/Autorun.DA is a worm that spreads via removable media. The file is run-time compressed using UPX .


When executed, the worm copies itself into the folder:

  • %system%

with the following file names:

  • explorer.exe
  • link.exe

The following files are dropped into the %windir% folder:

  • information.jpg (123563 B)
  • information.scr (337920 B)

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "explorer.exe "%system%\­link.exe""

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced\­Folder\­Hidden\­Showall]
    • "CheckedValue" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "HideFileExt" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\­Control Panel\­Desktop]
    • "Wallpaper" = "%windir%\­information.jpg"

The worm creates copies of itself in folders accesed by the following application:

  • explorer.exe

The name of the file may be based on the name of an existing file or folder.

The extension of the file is ".exe" .

Spreading on removable media

The worm creates the following folders:

  • %drive%\­RECYCLER\­

The following file is dropped in the same folder:

  • autorune.exe (766464 B)

The worm creates the following file:

  • %drive%\­autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm attempts to delete the following file:

  • %system%\­soundmix.exe

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Classes\­exefile\­shell\­open\­command]
    • "(Default)" = ""%1" %*"

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "soundmix" = "%system%\­soundmix.exe"

The worm launches the following processes:

  • explorer.exe

The worm alters the behavior of the following processes:

  • Windows Task Manager

Please enable Javascript to ensure correct displaying of this content and refresh this page.