Win32/AutoRun.VB.BDM [Threat Name] go to Threat

Win32/AutoRun.VB.BDM [Threat Variant Name]

Category worm
Size 331776 B
Detection created Nov 27, 2013
Detection database version 9103
Aliases Trojan.Win32.VB.ckac (Kaspersky)
  Trojan:Win32/Otran (Microsoft)
  RDN/PWS-Banker!cw (McAfee)
Short description

Win32/AutoRun.VB.BDM is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.


When executed, the worm copies itself into the following location:

  • %windir%\­%variable1%.exe

The worm creates the following files:

  • %windir%\­%variable2%.exe (45056 B, Win32/AutoRun.VB.BDM)
  • %windir%\­%variable3%.exe (36864 B, Win32/AutoRun.VB.BDM)

The worm executes the following files:

  • %windir%\­%variable1%.exe
  • %windir%\­%variable2%.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­­Software\­­Microsoft\­­Windows\­­CurrentVersion\­­Run]
    • %variable4% = %variable1%.exe
  • [HKEY_LOCAL_MACHINE\­­Software\­­Microsoft\­­Windows NT\­­CurrentVersion\­Winlogon]
    • "Shell" = Explorer.exe , %variable3%.exe

A string with variable content is used instead of %variable1-4% .

The worm keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­GenericHost\­Policy]
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Mystatus\­status]
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­hero44\­status]
Spreading on removable media

The worm copies itself into the root folders of removable drives using one of the following file names:

  • %variable%.exe
  • Persian guy vs Chinese girl - YouTube.avi.exe

A string with variable content is used instead of %variable% .

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

Win32/AutoRun.VB.BDM is a worm that steals sensitive information.

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • logged keystrokes
  • keywords entered into search engines
Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • send IM messages
  • manipulate application windows
  • block keyboard and mouse input
  • terminate running processes
  • various Registry operations
  • various file system operations
  • visit a specific website
  • change the home page of web browser
  • log keystrokes
  • send gathered information
  • shut down/restart the computer
  • remove itself from the infected computer

Please enable Javascript to ensure correct displaying of this content and refresh this page.