Virus: TR/Autorun.S
Date discovered: 21/08/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium to high
Static file: Yes
File size: 94.208 Bytes
MD5 checksum: 75691359d5c9e0e7e09ce6cd1802bc31
IVDF version: 6.39.01.26 - Tuesday, August 21, 2007

General

Method of propagation:
   • Mapped network drives


Aliases:
   •  Mcafee: W32/Autorun.worm.i.gen
   •  Kaspersky: Worm.Win32.AutoRun.wj
   •  F-Secure: Worm.Win32.AutoRun.wj
   •  Sophos: W32/SillyFDC-BJ
   •  Eset: Win32/AutoRun.LG
   •  Bitdefender: Trojan.Autorun.VN


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification


Right after execution the following information is displayed:



Right after execution it runs a windows application which will display the following window:


Files

It copies itself to the following locations:
   • C:\Documents and Settings\LocalService\services.exe
   • %SYSDIR%\drivers\smss.exe
   • %WINDIR%\winlogon.exe
   • %drive%:\RECYCLER.exe
   • %drive%:\Gwen(ISU) Scandal.exe
   • %drive%:\Sex Video.exe
   • %drive%:\zeluR maeTCP.exe
   • %all directories%\%current directory name%.exe



It renames the following files:

      %SYSDIR%\hal.dll into FuckUHal
      %WINDIR%\explorer.exe into FuckU
      %SYSDIR%\dllcache into FuckU
      %SYSDIR%\shell32.dll into FuckU1
      %SYSDIR%\ntoskrnl.dll into FuckU2



The following files are created:

%drive%:\Autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%




It tries to execute the following file:

Filename:
   • %PROGRAM FILES%\Windows Media Player\wmplayer.exe

Registry

The following registry key is added in order to run the process after reboot:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • winlogon = %WINDIR%\winlogon.exe



The following registry key is changed:

Various Explorer settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • HideFileExt = 1
   • SuperHidden = 1
   • ShowSuperHidden = 0

File details

Programming language:
The malware program was written in Visual Basic.

Description inserted by Andrei Gherman on Wednesday, August 6, 2008
Description updated by Andrei Gherman on Wednesday, August 6, 2008
