Win32/Autoit.AG [Threat Name] go to Threat

Win32/Autoit.AG [Threat Variant Name]

Category trojan,worm
Size 623995 B
Aliases (Kaspersky)
  W32/Yahlover.worm.virus (McAfee)
  Worm:Win32/Nuqel.Z (Microsoft)
  Trojan.Horse (Symantec)
Short description

Win32/Autoit.AG is a worm that spreads via shared folders and removable media. The file is run-time compressed using ASPack .


When executed, the worm copies itself in some of the the following locations:

  • %windir%\­regsvr.exe
  • %system%\­svchost .exe
  • %appdata%\­regsvr.exe

The worm creates the following files:

  • %system%\­setup.ini
  • %appdata%\­setup.ini

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "Explorer.exe regsvr.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Msn Messsenger" = "%malwarefilepath%"

The worm schedules a task that causes the following file to be executed repeatedly:

  • %system%\­svchost .exe

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Yahoo Messsenger" = "%appdata%\­support\­svchost.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NofolderOptions" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableTaskMgr" = 0
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­Schedule]
    • "AtTaskMaxHours" = 0
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following names:

  • New Folder .exe
  • regsvr.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm copies itself into existing folders of removable drives.

The name of the file may be based on the name of an existing file or folder.

The filename has the following extension: ".exe"

Spreading via shared folders

The worm tries to copy itself to the available shared network folders.

The following names are used:

  • New Folder .exe
  • regsvr.exe

The name of the file may be based on the name of an existing file or folder.

The extension of the file is ".exe" .

The following file is dropped in the same folder:

  • autorun.inf
Spreading via IM networks

The worm sends links to Yahoo! Messenger users.

The message depends entirely on data the worm downloads from the Internet.

The messages may contain any of the following texts:

  • cyber cafe scandal visit %malwareurl%
  • World Business news broadcaster %malwareurl%
  • Regular monthly income by wearing your shorts at the comfort of your home for more info %malwareurl%
  • Nfs carbon download %malwareurl%
  • Latest video shot of infosys girl %malwareurl%
  • stream Video of Nayanthara and Simbu %malwareurl%
  • Aishwarya Rai videos %malwareurl%
  • Free mobile games %malwareurl%
  • Nse going to crash for more %malwareurl%

The URL points to malicious content related to Win32/Autoit.AG .

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via IM networks

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Bkav2006
  • System Configuration
  • Registry
  • Windows mask
  • [FireLion]

The following programs are terminated:

  • game_y.exe
  • cmder.exe

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run\­BkavFw]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run\­IEProtection]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run\­Msn Messsenger]

The worm may delete the following files:

  • %system%\­setup.ini
  • %system%\­regsvr.exe
  • %system%\­winhelp.exe
  • %windows%\­regsvr.exe
  • %windows%\­winhelp.ini

The worm moves the following files (source, destination):

  • %system%\­rundll.exe, %system%\­delete.exe

The worm may execute the following commands:

  • cmd.exe /C AT /delete /yes
  • cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %system%\­svchost .exe

The worm may perform operating system restart.

Please enable Javascript to ensure correct displaying of this content and refresh this page.