Virus: Worm/Autorun.czg
Date discovered: 27/03/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 13.824 Bytes
MD5 checksum: d7de4f1f1f388613616ab2f68abeaa62
IVDF version: 7.00.03.32 - Sunday, March 16, 2008

General Method of propagation:
   • Mapped network drives


Aliases:
   • McAfee: BackDoor-ACA.b
   • Kaspersky: Worm.Win32.AutoRun.czg
   • F-Secure: Worm.Win32.AutoRun.czg
   • Grisoft: Flooder.EZD
   • Eset: Win32/AutoRun.IX
   • Bitdefender: Trojan.Autorun.PK


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Registry modification
   • Third party control

Files
It copies itself to the following locations:
   • %recycle bin%\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
   • %drive%:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe



The following files are created:

Non-malicious file:
   • %recycle bin%\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

%drive%\autorun.inf
This is a non-malicious text file with the following content:
   • %code that runs malware%

Registry
The following registry key is added in order to run the process after reboot:

[HKLM\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}]
   • StubPath="%recycle bin%\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe"
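A defensive check for the persistence mechanism described above, added here as an example and not part of Avira's description: it scans a registry export (.reg text) for Active Setup StubPath values that point into a SID-named Recycle Bin folder, which no legitimate Active Setup component uses. The sample export, including the benign entry and its all-zero GUID, is constructed; only the second entry mirrors the key and path given on this page.

```python
import re

# Constructed .reg export. The first entry stands in for a normal Active Setup
# component; the second reproduces the persistence entry described on the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}]
"StubPath"="C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\ise.exe"
'''

# Only keys under Active Setup\Installed Components are of interest.
KEY_RE = re.compile(
    r'^\[((?:HKLM|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Active Setup'
    r'\\Installed Components\\[^\]]+)\]$', re.IGNORECASE)
STUB_RE = re.compile(r'^"StubPath"="(.*)"$')
# An executable under RECYCLER (or RECYCLED) inside a folder named after a
# domain/local SID (S-1-5-21-...) is the layout this worm uses for ise.exe.
SUSPICIOUS_DIR_RE = re.compile(
    r'\\RECYCLE[RD]?\\S-1-5-21(?:-\d+){4}\\', re.IGNORECASE)


def find_suspicious_stubpaths(reg_text):
    """Return (key, stub_path) pairs whose StubPath lives in a SID-named
    Recycle Bin folder. Backslashes are unescaped from .reg syntax first."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current_key = m.group(1) if m else None
            continue
        if current_key is None:
            continue
        m = STUB_RE.match(line)
        if not m:
            continue
        path = m.group(1).replace('\\\\', '\\')
        if SUSPICIOUS_DIR_RE.search(path):
            findings.append((current_key, path))
    return findings


if __name__ == '__main__':
    for key, path in find_suspicious_stubpaths(SAMPLE_REG):
        print('suspicious Active Setup stub:', key, '->', path)
```

Run it against `reg export "HKLM\Software\Microsoft\Active Setup\Installed Components" out.reg` output from a suspect host to get the same check on real data.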

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: tassweq.com
Port: 7000
Server password: trb123trb
Channel: #hisham#
Nickname: %random character string%


Furthermore it has the ability to perform actions such as:
   • Connect to IRC server
   • Join IRC channel
   • Perform DDoS attack

Injection
It injects itself as a remote thread into a process.

Process name:
   • EXPLORER.EXE

If successful, the malware process terminates while the injected part remains active.

Description inserted by Andrei Gherman on Wednesday, August 6, 2008
Description updated by Andrei Gherman on Wednesday, August 6, 2008
