Win32/AutoRun.Spy.Agent.E [Threat Name] go to Threat

Win32/AutoRun.Spy.Agent.E [Threat Variant Name]

Category worm
Size 191488 B
Detection created Sep 21, 2009
Detection database version 10510
Aliases Worm.Win32.AutoRun.fsh (Kaspersky)
  Worm:Win32/Autorun.LH (Microsoft)
  W32.SillyFDC (Symantec)
Short description

Win32/AutoRun.Spy.Agent.E is a worm that spreads via shared folders and removable media.

Installation

The worm copies itself to the following location:

  • %appdata%\­servicehost.exe (191488 B)

The worm creates the following file:

  • %appdata%\­servicehost.dll (119296 B)

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Windows\­WxS\­_restore\­value]
    • "SZKRNL" = %random1%
    • "SZBIN" = %random2%
    • "SZSIP" = %random3%
    • "22SC" = %random4%
    • "SZRKY" = %random5%
    • "SZRKYPTH" = %random6%

A string with variable content is used instead of %random1-6% .


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Service Host" = "%appdata%\­servicehost.exe"
Spreading on removable media

The worm copies itself into existing folders of removable drives.


The following filename is used:

  • %drive%\­recycler\­S-1-5-21-1060284298-507921405-725345543-1009\­autorun.exe (191488 B)

The worm creates the following file:

  • %drive%\­autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

  • operating system version
  • computer name

The worm can send the information to a remote machine.

Other information

The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet). The worm contains a list of (4) URLs.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via MSN network
  • update itself to a newer version
  • spread via shared folders and P2P networks

Please enable Javascript to ensure correct displaying of this content and refresh this page.