Virus: Worm/Autorun.cxl
Date discovered: 08/05/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 217.088 Bytes
MD5 checksum: 1d6eccaee7277a8e7b4e9ede1cf8eccc
VDF version: 7.00.04.17
IVDF version: 7.00.04.18 - Thursday, May 8, 2008

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: W32/Autorun.worm.ct virus
   •  Kaspersky: Worm.Win32.AutoRun.cxl
   •  F-Secure: Worm.Win32.AutoRun.cxl
   •  Sophos: W32/Shahrokh-A
   •  Eset: Win32/AutoRun.MC worm
   •  Bitdefender: Trojan.Autorun.SP


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Drops malicious files
   • Registry modification

Files

It copies itself to the following locations:
   • %SYSDIR%\explorer.exe
   • %SYSDIR%\Service.exe
   • %drive%\autorun.exe



The following files are created:

– Non malicious file:
   • %drive%\autorun.inf

– %SYSDIR%\tmp.exe Further investigation showed that this file is also malware. Detected as: Worm/Autorun.cxl

Registry

The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Network Services"="%SYSDIR%\Service.exe"



The following registry keys are changed:

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"=dword:00000002

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
   New value:
   • "NoFolderOptions"=dword:00000001

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   New value:
   • "RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Disable Regedit and Task Manager:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   New value:
   • "DisableTaskMgr"=dword:00000001

File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Alexandru Dinu on Friday, May 23, 2008
Description updated by Alexandru Dinu on Friday, May 23, 2008
