Virus: Worm/Autorun.gas.1
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 37.382 Bytes
MD5 checksum: ae2ed401506cee91995e322124454c31
VDF version: 7.01.04.86
IVDF version: 7.01.04.89 - Sunday, June 14, 2009

General
Aliases:
   •  McAfee: Generic VB.i
   •  Kaspersky: Worm.Win32.AutoRun.gas
   •  F-Secure: Worm.Win32.AutoRun.gas
   •  Sophos: Mal/Generic-A
   •  Eset: Win32/Injector.QH
   •  Bitdefender: Trojan.VB.NZJ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Registry modification

Files
It copies itself to the following location:
   • C:\NEXT\FILES\NEXT.exe




It tries to download some files:

– The location is the following:
   • http://redex.freehostia.com/*****
It is saved on the local hard drive under: %home%\yzxxsx5.exe
Furthermore, this file is executed after it has been fully downloaded. Further investigation showed that this file is also malware.
Detected as: TR/Dropper.gen


– The location is the following:
   • http://redex.freehostia.com/*****
It is saved on the local hard drive under: %home%\Update.exe
Detected as: TR/Dropper.gen

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {67KLN5J0-4OPM-33WE-AAX5-24KC2A3453431}]
   • "StubPath"="c:\NEXT\FILES\NEXT.exe"

Injection
– It injects itself into a process.

    Process name:
   • explorer.exe


Miscellaneous
Mutex:
It creates the following mutex:
   • NxT_x_1

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Irina Diaconescu on Friday, July 3, 2009
Description updated by Andrei Gherman on Tuesday, July 7, 2009
