Win32/AutoRun.NAT [Threat Name]

Win32/AutoRun.NAT [Threat Variant Name]

Category virus
Detection created Apr 30, 2010
Detection database version 5074
Aliases Worm.Win32.Qvod.gj (Kaspersky)
  W32.Wapomi (Symantec)
  Win32.HLLW.Viking.56 (Dr.Web)
Short description

Win32/AutoRun.NAT is a file infector. It is able to spread via shared folders and removable media. The virus can download and execute a file from the Internet.

Installation

The virus attempts to replace the following files with a copy of itself:

  • %system%\appmgmts.dll
  • %system%\browser.dll
  • %system%\cryptsvc.dll
  • %system%\es.dll
  • %system%\mspmsnsv.dll
  • %system%\mswsock.dll
  • %system%\netman.dll
  • %system%\ntmssvc.dll
  • %system%\pchsvc.dll
  • %system%\qmgr.dll
  • %system%\regsvc.dll
  • %system%\shsvcs.dll
  • %system%\schedsvc.dll
  • %system%\ssdpsrv.dll
  • %system%\tapisrv.dll
  • %system%\upnphost.dll
  • %system%\xmlprov.dll

The virus may create copies of itself using the following filenames:

  • %system%\%variable%.dll

The virus registers itself as a system service using the following names:

  • %variable%

Instead of %variable%, the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    • "netsvcs" = "%variable%"

The names in that value belong to services hosted by svchost.exe, so the replaced service DLL is loaded into a legitimate svchost.exe process when the service starts.

The virus creates the following files:

  • %system%\drivers\%random%.sys

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random%]
    • "Start" = 3
    • "Type" = 1
    • "ImagePath" = "%system%\drivers\%random%.sys"

A string with variable content is used instead of %random%. "Type" = 1 registers the file as a kernel-mode driver and "Start" = 3 makes it start on demand, so the driver is loaded on request rather than at boot.


The virus may create the following files:

  • C:\Documents and Settings\Infotmp.txt
  • C:\Users\Infotmp.txt

Executable file infection

Win32/AutoRun.NAT is a file infector.


The virus searches local and network drives for files with one of the following extensions:

  • .exe

Files are infected by adding a new section that contains the virus.


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The size of the inserted code is 74 kB.
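
The infection method above (a section appended to the host, entry point redirected into it) leaves a header-level trace that can be checked without running the file. The following is an added example and not ESET's detection logic or code from this page: it reads the PE section table with the standard `struct` module and reports whether the entry point lies in the last, non-standard, executable section. The two fixtures are constructed minimal PE32 images; the section name `.sdata` and every byte value in them are assumptions made for the example.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_SECTION_NAMES = {".text", "CODE", ".code"}


def build_pe(sections, entry_point, file_align=0x200):
    """Assemble a minimal PE32 image: DOS stub, PE headers, NOP-filled section bodies.

    sections is a list of (name, virtual_address, size, characteristics). This is a
    constructed fixture for the checker below, not a loadable program.
    """
    opt_size, pe_off = 224, 0x40
    headers_size = pe_off + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_size + file_align - 1) // file_align * file_align
    raw_ptr, sect_headers, bodies = first_raw, b"", b""
    for name, va, size, chars in sections:
        raw_size = (size + file_align - 1) // file_align * file_align
        sect_headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), size, va,
                                    raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += b"\x90" * raw_size
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    # PE32 optional header: magic, linker version, three sizes, AddressOfEntryPoint
    # (offset 16), BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment.
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_point, 0x1000, 0)
    opt += struct.pack("<III", 0x400000, 0x1000, file_align)
    opt += b"\0" * (opt_size - len(opt))
    image = dos + b"PE\0\0" + coff + opt + sect_headers
    return image + b"\0" * (first_raw - len(image)) + bodies


def parse_sections(image):
    """Return (AddressOfEntryPoint, [section dicts]) read from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    entry = struct.unpack_from("<I", image, pe_off + 24 + 16)[0]  # same offset in PE32/PE32+
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rsize": rsize, "rptr": rptr, "chars": chars})
    return entry, sections


def appended_code_indicators(image):
    """Triage heuristic for an appended-section infector: where does the entry point live?"""
    entry, sections = parse_sections(image)
    if not sections:
        return {"entry_section": None, "suspicious": False, "reasons": ["no sections"]}
    reasons = []
    last = sections[-1]
    ep_section = next((s for s in sections
                       if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"])), None)
    if ep_section is None:
        reasons.append("entry point lies outside every section")
    elif ep_section is last and len(sections) > 1:
        reasons.append("entry point lies in the last section")
        if last["name"] not in CODE_SECTION_NAMES:
            reasons.append("last section %r is not a conventional code section" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("last section is both writable and executable")
    ep_in_last = any(r.startswith("entry point lies in") for r in reasons)
    return {"entry_section": ep_section["name"] if ep_section else None,
            "suspicious": ep_in_last and len(reasons) >= 2, "reasons": reasons}


def scan_file(path):
    """Run the heuristic against an executable on disk."""
    with open(path, "rb") as fh:
        return appended_code_indicators(fh.read())


# Constructed fixtures: a clean two-section layout, and the same layout with a
# 74 kB executable section appended and the entry point redirected into it.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN = build_pe([(".text", 0x1000, 0x3000, CODE), (".data", 0x4000, 0x1000, DATA)], 0x1200)
INFECTED = build_pe([(".text", 0x1000, 0x3000, CODE), (".data", 0x4000, 0x1000, DATA),
                     (".sdata", 0x5000, 74 * 1024, CODE | IMAGE_SCN_MEM_WRITE)], 0x5000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, appended_code_indicators(img))
```

An entry point in the last section is also what many packers and installers produce, so treat the result as a triage signal to combine with the 74 kB section size and a signature or hash check, not as a verdict.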

Spreading on removable media

The virus copies itself into existing folders of removable drives.


The following filename is used:

  • %drive%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe

The GUID in the folder name is the CLSID of the Recycle Bin, so Explorer shows the folder with the Recycle Bin icon and hides the copy stored inside it.

The virus creates the following file:

  • %drive%\autorun.inf

Thus, the virus ensures it is started each time infected media is inserted into a computer on which AutoRun is enabled for removable drives. Since the February 2011 update KB971029, Windows honours autorun.inf only on optical media, so on patched systems the file alone no longer triggers execution.
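
The two artefacts above are what a responder checks first on a suspect drive: a folder name that borrows a shell CLSID, and an autorun.inf pointing into it. The following is an added example, not code from ESET or this page. `parse_autorun` extracts the launch keys of an autorun.inf the way the shell reads them (NUL padding and unknown keys ignored), and `assess_removable_root` combines that with a listing of the drive root. The folder name is the one listed above; the autorun.inf contents are assumed, since the write-up only says the file is created.

```python
import os
import re

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
CLSID_SUFFIX = re.compile(r"\.\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)
# Keys under [autorun] that make the shell launch something.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def parse_autorun(data):
    """Return {key: command} for the launch keys of an autorun.inf body (bytes).

    Tolerant on purpose: NUL padding and unrecognised keys, which the Windows
    parser also ignores, are skipped rather than treated as errors.
    """
    text = data.replace(b"\0", b"").decode("latin-1")
    commands, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEYS.match(key):
                commands[key.lower()] = value
    return commands


def assess_removable_root(entries, autorun_inf=None):
    """entries: iterable of (name, is_dir) from a drive root; autorun_inf: bytes or None."""
    findings = []
    dirs = {name for name, is_dir in entries if is_dir}
    for name in sorted(dirs):
        if CLSID_SUFFIX.search(name):
            clsid = name[name.rindex("{"):].upper()
            what = "Recycle Bin" if clsid == RECYCLE_BIN_CLSID else "shell namespace"
            findings.append(f"folder {name!r} carries the {what} CLSID, so Explorer hides its contents")
    if autorun_inf is not None:
        for key, command in parse_autorun(autorun_inf).items():
            target = command.split()[0].strip('"') if command else ""
            top = target.split("\\")[0]
            if top in dirs and CLSID_SUFFIX.search(top):
                findings.append(f"autorun.inf {key} launches {target!r} from a CLSID-masked folder")
            elif target.lower().endswith(".exe"):
                findings.append(f"autorun.inf {key} launches executable {target!r}")
    return findings


def scan_drive_root(root):
    """Run the assessment against a mounted drive root, e.g. scan_drive_root("E:/")."""
    entries = [(e.name, e.is_dir()) for e in os.scandir(root)]
    inf = os.path.join(root, "autorun.inf")
    data = open(inf, "rb").read() if os.path.isfile(inf) else None
    return assess_removable_root(entries, data)


# Constructed sample: the folder name from this write-up plus an autorun.inf body
# whose contents are assumed (the write-up only says that the file is created).
SAMPLE_ROOT = [("recycle.{645FF040-5081-101B-9F08-00AA002F954E}", True),
               ("autorun.inf", False), ("photos", True)]
SAMPLE_AUTORUN = (b"[autorun]\r\n"
                  b";padding the shell ignores\r\n"
                  b"open=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\Setup.exe\r\n"
                  b"shell\\open\\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\Setup.exe\r\n"
                  b"shellexecute=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\Setup.exe\r\n"
                  b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")

if __name__ == "__main__":
    for finding in assess_removable_root(SAMPLE_ROOT, SAMPLE_AUTORUN):
        print(finding)
```

The CLSID check is deliberately generic: any folder named `something.{CLSID}` is rendered by Explorer as that shell object, so the same trick works with other namespace CLSIDs and the check should not be limited to the Recycle Bin one.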

Spreading via shared folders

The virus searches for computers in the local network.


It tries to copy itself into the root folder of the C:\ drive on a remote machine using the following name:

  • CONFIG.exe

The file is then remotely executed.


The following usernames are used:

  • Administrator
  • Guest
  • admin
  • Root

The following passwords are used:

  • 0
  • 000000
  • 007
  • 1
  • 110
  • 111
  • 1111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1313
  • 2002
  • 2003
  • 2112
  • 2600
  • 5150
  • 520
  • 5201314
  • 54321
  • 654321
  • 6969
  • 7777
  • 88888888
  • 901100
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • baseball
  • ccc
  • computer
  • database
  • enable
  • fish
  • fuck
  • fuckyou
  • god
  • godblessyou
  • golf
  • harley
  • home
  • ihavenopass
  • letmein
  • login
  • Login
  • love
  • mustang
  • mypass
  • mypass123
  • mypc
  • mypc123
  • owner
  • pass
  • passwd
  • password
  • pat
  • patrick
  • pc
  • pussy
  • pw
  • pw123
  • pwd
  • qq520
  • qwer
  • qwerty
  • root
  • server
  • sex
  • shadow
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv
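
The credential guessing described above leaves a distinctive trace on each target: a burst of failed network logons (Security event 4625, logon type 3, status 0xC000006D) from one source, cycling through a handful of account names. As an added example that is not ESET's detection logic, the following sliding-window detector flags that pattern. It reads a simplified one-line-per-event flattening of 4625 records; the field names follow the event, but the line format and the sample log are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One flattened Security-log record per line; the field names mirror event 4625.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$")


def parse_event(line):
    """Parse one flattened record; returns None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "id": int(m["id"]),
            "logon_type": int(m["ltype"]), "user": m["user"], "ip": m["ip"],
            "status": m["status"].lower()}


def detect_logon_bruteforce(lines, window=timedelta(seconds=60), min_failures=8, min_users=3):
    """Sliding-window detector over chronologically ordered 4625 events.

    Keyed by source address; alerts once per source the first time the window holds
    at least min_failures network-logon (type 3) failures against at least min_users
    distinct accounts, which is the shape of a username/password list being replayed.
    """
    windows, alerted, alerts = defaultdict(deque), set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 4625 or ev["logon_type"] != 3:
            continue
        q = windows[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if ev["ip"] not in alerted and len(q) >= min_failures and len(users) >= min_users:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "failures": len(q), "users": sorted(users),
                           "first_seen": q[0][0], "last_seen": ev["ts"]})
    return alerts


def constructed_log():
    """Constructed sample: one host cycling the four account names from this write-up
    once per second, plus an interactive user mistyping a password twice."""
    t0 = datetime(2010, 4, 30, 9, 15, 0)
    lines = []
    for i in range(12):
        user = ["Administrator", "Guest", "admin", "Root"][i % 4]
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} EventID=4625 LogonType=3 "
                     f"TargetUserName={user} IpAddress=10.0.0.7 Status=0xC000006D")
    for i in range(2):
        lines.append(f"{(t0 + timedelta(minutes=5 * i)).isoformat()} EventID=4625 LogonType=2 "
                     f"TargetUserName=jsmith IpAddress=- Status=0xC000006D")
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for alert in detect_logon_bruteforce(constructed_log()):
        print(alert)
```

On the infected side the matching host artefact is a new C:\CONFIG.exe on the target and a process started from it; on the source side the same machine will show outbound SMB sessions to many peers in quick succession.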

Other information

The virus checks for Internet connectivity by trying to connect to the following servers:

  • www.baidu.com

The virus connects to the following addresses:

  • 34.WAP517.MOBI
  • 34.WAP517.ORG
  • 34.WAP517.COM
  • 34.WAP517.INFO
  • 34.WAP517.ME
  • 34.WAP517.US
  • 34.WAP517.BIZ
  • 34.WAP517.NET

It tries to download a file from these addresses over HTTP.


The file is stored in the following location:

  • %temp%\%variable%.rar

A string with variable content is used instead of %variable%.


The file is then executed.


Win32/AutoRun.NAT is a virus that steals sensitive information.


The following information is collected:

  • list of running processes
  • network adapter information

The virus can send the information to a remote machine.


The virus terminates various security-related applications.


The following programs are terminated:

  • 360hotfix.exe
  • 360rp.exe
  • 360rpt.exe
  • 360safe.exe
  • 360safebox.exe
  • 360sd.exe
  • 360se.exe
  • 360SoftMgrSvc.exe
  • 360speedld.exe
  • 360tray.exe
  • ast.exe
  • avcenter.exe
  • avgnt.exe
  • avguard.exe
  • avmailc.exe
  • avp.exe
  • avwebgrd.exe
  • bdagent.exe
  • CCenter.exe
  • ccSvcHst.exe
  • 修复工具.exe
  • egui.exe
  • ekrn.exe
  • kavstart.exe
  • kissvc.exe
  • kmailmon.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • krnl360svc.exe
  • kswebshield.exe
  • KVMonXP.kxp.KVSrvXP.exe
  • kwatch.exe
  • livesrv.exe
  • Mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • Mcods.exe
  • McProxy.exe
  • McSACore.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • MPMon.exe
  • MPSVC.exe
  • MPSVC1.exe
  • MPSVC2.exe
  • msksrver.exe
  • qutmserv.exe
  • RavMonD.exe
  • RavTask.exe
  • RsAgent.exe
  • rsnetsvr.exe
  • RsTray.exe
  • safeboxTray.exe
  • ScanFrm.exe
  • seccenter.exe
  • SfCtlCom.exe
  • sched.exe
  • TMBMSRV.exe
  • TmProxy.exe
  • UfSeAgnt.exe
  • vsserv.exe
  • zhudongfangyu.exe

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%filename%]
    • "debugger" = "ntsd -d"

Instead of %filename%, one key is created for each of the following names:

  • 360hotfix.exe
  • 360rp.exe
  • 360rpt.exe
  • 360safe.exe
  • 360safebox.exe
  • 360sd.exe
  • 360se.exe
  • 360SoftMgrSvc.exe
  • 360speedld.exe
  • 360tray.exe
  • ast.exe
  • avcenter.exe
  • avgnt.exe
  • avguard.exe
  • avmailc.exe
  • avp.exe
  • avwebgrd.exe
  • bdagent.exe
  • CCenter.exe
  • ccSvcHst.exe
  • 修复工具.exe
  • egui.exe
  • ekrn.exe
  • kavstart.exe
  • kissvc.exe
  • kmailmon.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • krnl360svc.exe
  • kswebshield.exe
  • KVMonXP.kxp.KVSrvXP.exe
  • kwatch.exe
  • livesrv.exe
  • Mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • Mcods.exe
  • McProxy.exe
  • McSACore.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • MPMon.exe
  • MPSVC.exe
  • MPSVC1.exe
  • MPSVC2.exe
  • msksrver.exe
  • qutmserv.exe
  • RavMonD.exe
  • RavTask.exe
  • RsAgent.exe
  • rsnetsvr.exe
  • RsTray.exe
  • safeboxTray.exe
  • ScanFrm.exe
  • seccenter.exe
  • SfCtlCom.exe
  • sched.exe
  • TMBMSRV.exe
  • TmProxy.exe
  • UfSeAgnt.exe
  • vsserv.exe
  • zhudongfangyu.exe

The modified Registry entries prevent the listed programs from running. Whenever Windows starts an image whose name has an Image File Execution Options key with a "debugger" value, it launches the debugger command instead, passing the original executable as its argument. Under "ntsd -d" the program is started as a debuggee of the console debugger and never runs normally, and on systems without ntsd.exe the launch fails outright, so the security products stay disabled across reboots until the values are removed.
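
One way to find these hijacks during triage, as an added example that is not ESET's or this page's code: parse the text of a registry export (the .reg format written by `reg export`), flag every Image File Execution Options key carrying a Debugger value, mark the ones that use the ntsd -d trick, and emit a .reg body that deletes them. The sample export is constructed; the notepad.exe entry pointing at windbg is included as a legitimate-looking value an analyst should review rather than delete blindly.

```python
import re

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<value>.*)$')


def _decode_reg(data):
    """reg export writes UTF-16LE with a BOM; hand-made or older files use 8-bit text."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)  # .reg escapes backslash and quote with a backslash


def parse_reg_export(data):
    """Yield (key, value_name, value_text) for every string (REG_SZ) value in a .reg export."""
    key = None
    for raw in _decode_reg(data).splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None and len(m["value"]) >= 2 \
                and m["value"][0] == '"' and m["value"][-1] == '"':
            yield key, _unescape(m["name"]), _unescape(m["value"][1:-1])


def find_ifeo_debuggers(data):
    """List every IFEO key whose Debugger value Windows will run in place of the image."""
    findings = []
    for key, name, value in parse_reg_export(data):
        if name.lower() == "debugger" and key.lower().startswith(IFEO_PREFIX.lower()):
            findings.append({"image": key[len(IFEO_PREFIX):], "debugger": value,
                             "kills_launch": value.lower().startswith("ntsd")})
    return findings


def remediation_reg(findings):
    """Build a .reg body that deletes the hijacked values ("name"=- removes a value)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        lines += [f"[{IFEO_PREFIX}{f['image']}]", '"debugger"=-', ""]
    return "\n".join(lines)


def find_in_file(path):
    """Run the check against an export saved with: reg export "HKLM\\...\\Image File Execution Options" ifeo.reg"""
    with open(path, "rb") as fh:
        return find_ifeo_debuggers(fh.read())


# Constructed sample export: two keys set the way this write-up describes, plus a
# developer's genuine windbg entry that must not be swept away with them.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{IFEO_PREFIX}360tray.exe]\r\n\"debugger\"=\"ntsd -d\"\r\n\r\n"
    f"[{IFEO_PREFIX}ekrn.exe]\r\n\"debugger\"=\"ntsd -d\"\r\n\r\n"
    f"[{IFEO_PREFIX}notepad.exe]\r\n\"GlobalFlag\"=dword:00000200\r\n"
    "\"Debugger\"=\"C:\\\\Debuggers\\\\windbg.exe\"\r\n"
).encode("utf-8")

if __name__ == "__main__":
    hits = find_ifeo_debuggers(SAMPLE_EXPORT)
    for hit in hits:
        print(hit)
    print(remediation_reg([h for h in hits if h["kills_launch"]]))
```

Deleting the values restores the ability to start the products, but the virus also terminates them while it runs, so the service DLL and driver components described under Installation have to be removed in the same pass.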
