Virus: DR/Autoit.I.1
Date discovered: 21/09/2007
Type: Dropper
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 215.456 Bytes
MD5 checksum: 69718103c21fd0e647d47c364758f215
IVDF version: 6.39.01.161 - Friday, September 21, 2007
General
Method of propagation:
• Mapped network drives

Aliases:
• Kaspersky: Worm.Win32.AutoIt.i
• F-Secure: Worm.Win32.AutoIt.i
• Sophos: W32/SillyFDC-AP
• Eset: Win32/Autoit.AZ worm
• Bitdefender: Win32.Worm.Autoit.P

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads files
• Drops a file
• Lowers security settings
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\msmsgs.exe

– %WINDIR%\autorun.inf
  This is a non-malicious text file with the following content:
  [autorun]
  open=system.exe
  shellexecute=system.exe
  shell\Explore\command=system.exe
  shell\Open\command=system.exe
  shell=Explore

It tries to download some files:
– The location is the following:
  • http://ppt.th.gs/**********/bad1.exe
  It is saved on the local hard drive under: %SYSDIR%\bad1.exe
  At the time of writing this file was not online for further investigation.
– The location is the following:
  • http://ppt.th.gs/**********/bad2.exe
  It is saved on the local hard drive under: %SYSDIR%\bad2.exe
  At the time of writing this file was not online for further investigation.
– The location is the following:
  • http://ppt.th.gs/**********/bad3.exe
  It is saved on the local hard drive under: %SYSDIR%\bad3.exe
  At the time of writing this file was not online for further investigation.
Registry
One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • SYS1="%SYSDIR%\system.exe"
  • SYS2="%SYSDIR%\bad1.exe"
  • SYS3="%SYSDIR%\bad2.exe"
  • SYS4="%SYSDIR%\bad3.exe"
  • Msmsgs="%SYSDIR%\Msmsgs.exe"

The following registry keys are changed:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  New value:
  • SuperHidden=dword:00000000
  • ShowSuperHidden=dword:00000000
  • HideFileExt=dword:00000001
  • Hidden=dword:00000002

Disable Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
  New value:
  • DisableTaskMgr=dword:00000001
  • DisableRegistryTools=dword:00000001

Various Explorer settings:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  New value:
  • NoDriveTypeAutoRun=dword:0000005b
  • NoFind=dword:00000001
  • NoFolderOptions=dword:00000001

File details
Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
• UPX
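As an added example (not code from Avira or from this description), the following Python script checks a registry snapshot and an autorun.inf against the artefacts listed in the Files and Registry sections above: the Run-key entries, the Explorer and policy values, and the autorun.inf keys that make Explorer launch an executable. The registry snapshot is a constructed dict standing in for values read from a live host, the function names are my own, and the sample inputs are built inline from the values quoted on this page.

```python
"""Check a registry snapshot and an autorun.inf for the DR/Autoit.I.1 artefacts.

Added example, not Avira's code. The registry snapshot is a constructed dict
standing in for values read from a live host (on Windows it could be filled
from winreg); nothing here touches the real registry, so it runs offline.
"""
from typing import Dict, List

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_NAMES = {"SYS1", "SYS2", "SYS3", "SYS4", "Msmsgs"}  # Run value names from the description
DROPPED_FILES = {"system.exe", "bad1.exe", "bad2.exe", "bad3.exe", "msmsgs.exe"}  # files in %SYSDIR%
# Explorer/policy values in the state the description says the dropper leaves them.
TAMPERED_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {
        "SuperHidden": 0, "ShowSuperHidden": 0, "HideFileExt": 1, "Hidden": 2},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system": {
        "DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoDriveTypeAutoRun": 0x5B, "NoFind": 1, "NoFolderOptions": 1},
}
Snapshot = Dict[str, Dict[str, object]]


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(entries: Dict[str, str]) -> List[str]:
    """Entries that make Explorer launch an executable, plus a default-verb override."""
    findings = []
    for key, value in entries.items():
        launches = key in ("open", "shellexecute") or key.endswith("\\command")
        if launches and value.lower().endswith(".exe"):
            findings.append(f"{key}={value}")
    if "shell" in entries:  # shell=<verb> makes that verb the double-click action
        findings.append(f"shell={entries['shell']}")
    return sorted(findings)


def registry_findings(snapshot: Snapshot) -> List[str]:
    """Snapshot values matching the tampered state, and Run entries pointing at dropped files."""
    findings = []
    for path, values in TAMPERED_VALUES.items():
        present = snapshot.get(path, {})
        for name, expected in values.items():
            if present.get(name) == expected:
                findings.append(f"{path}\\{name}=dword:{expected:08x}")
    for name, data in snapshot.get(RUN_KEY, {}).items():
        target = str(data).strip('"').rsplit("\\", 1)[-1].lower()  # bare file name
        if name in RUN_NAMES or target in DROPPED_FILES:
            findings.append(f"{RUN_KEY}\\{name}={data}")
    return findings


def likely_infected(snapshot: Snapshot, autorun_text: str) -> bool:
    """Hidden=2 and HideFileExt=1 are Windows defaults, so Explorer\\Advanced alone is
    not evidence; Run entries, both policy locks, or an .exe-launching autorun.inf decide."""
    reg = registry_findings(snapshot)
    run_hits = [f for f in reg if f.startswith(RUN_KEY)]
    policy_hits = [f for f in reg if "\\Policies\\system\\" in f]
    auto_hits = [f for f in autorun_findings(parse_autorun_inf(autorun_text)) if f.endswith(".exe")]
    return bool(run_hits) or len(policy_hits) == 2 or bool(auto_hits)


# Constructed sample input: the autorun.inf content quoted in the description and a
# registry snapshot in the state the description says the dropper leaves behind.
SAMPLE_AUTORUN = """[autorun]
open=system.exe
shellexecute=system.exe
shell\\Explore\\command=system.exe
shell\\Open\\command=system.exe
shell=Explore
"""
SAMPLE_SNAPSHOT: Snapshot = {
    RUN_KEY: {
        "SYS1": r'"C:\WINDOWS\system32\system.exe"',
        "SYS2": r'"C:\WINDOWS\system32\bad1.exe"',
        "SYS3": r'"C:\WINDOWS\system32\bad2.exe"',
        "SYS4": r'"C:\WINDOWS\system32\bad3.exe"',
        "Msmsgs": r'"C:\WINDOWS\system32\Msmsgs.exe"',
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign entry, must not be flagged
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {
        "SuperHidden": 0, "ShowSuperHidden": 0, "HideFileExt": 1, "Hidden": 2},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system": {
        "DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {
        "NoDriveTypeAutoRun": 0x5B, "NoFind": 1, "NoFolderOptions": 1},
}

if __name__ == "__main__":
    for finding in registry_findings(SAMPLE_SNAPSHOT):
        print("registry:", finding)
    for finding in autorun_findings(parse_autorun_inf(SAMPLE_AUTORUN)):
        print("autorun.inf:", finding)
    print("likely infected:", likely_infected(SAMPLE_SNAPSHOT, SAMPLE_AUTORUN))
```

The Explorer\Advanced values are reported but deliberately not trusted on their own, since two of them are stock Windows settings; the Run entries naming the dropped files and the pair of policy locks are what separate this dropper from a machine whose user simply never changed the folder options.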
Description inserted by Alexander Neth on Friday, September 5, 2008
Description updated by Alexander Neth on Friday, September 5, 2008