Virus: Worm/Autorun.FY.1
Date discovered: 12/11/2007
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 229.621 Bytes
MD5 checksum: ffeeecb3ab1bb248968a89c75671c792
IVDF version: 7.00.00.200 - Monday, November 12, 2007

General
Method of propagation:
   • Mapped network drives


Aliases:
   •  Mcafee: W32/Autorun.worm.g virus
   •  Kaspersky: Worm.Win32.AutoRun.ek
   •  F-Secure: Worm.Win32.AutoRun.ek
   •  Sophos: W32/Imaut-A
   •  Grisoft: Worm/Autoit.HL
   •  Eset: Win32/Autoit.BD worm
   •  Bitdefender: Trojan.Autorun.ND


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Access to floppy disk
   • Drops a file
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %WINDIR%\smss.exe
   • %WINDIR%\killer.exe
   • %WINDIR%\Funny UST Scandal.exe
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\lsass.exe
   • %drive%\smss.exe
   • %drive%\Funny UST Scandal.avi.exe



The following file is created:

– %drive%\autorun.inf
This is a non-malicious text file with the following content:
   • [autorun]
     open = smss.exe
     shell\Open\Command=smss.exe
     shell\Open\Default=1
     shell\Explore\Command=smss.exe
     shell\Autoplay\Command=smss.exe
     

Registry
One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Runonce="%WINDIR%\smss.exe"



The following registry keys are added in order to load the service after reboot:

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • Shell="explorer.exe, killer.exe"



The following registry keys are added:

– [HKCR\.vbs]
   • (Default)="exefile" (Hidden)

– [HKCR\.reg]
   • (Default)="exefile" (Hidden)



The following registry key is changed:

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\Hidden\SHOWALL]
   Old value:
   • CheckedValue=dword:00000001
   New value:
   • CheckedValue=dword:00000000

File details
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Alexander Neth on Monday, July 14, 2008
Description updated by Alexander Neth on Monday, July 14, 2008
