Virus: TR/Autorun.acl
Date discovered: 21/12/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low
Static file: Yes
File size: 421.888 Bytes
MD5 checksum: cddba3bc99337e6add6b7f93649d3f55
IVDF version: 7.00.01.136 - Friday, December 21, 2007

General

Method of propagation:
   • Autorun feature


Aliases:
   •  Mcafee: Generic VB.b trojan
   •  Sophos: W32/Autorun-H
   •  Panda: W32/DiskKnight.A
   •  Eset: Win32/AutoRun.CH
   •  Bitdefender: Win32.Worm.DiskKnight.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

Files

It copies itself to the following locations:
   • %WINDIR%\Knight.exe
   • %drive%\Knight.exe



The following files are created:

%WINDIR%\recover.reg This is a non-malicious text file with the following content:
   • %code that runs malware%

%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%




It tries to download a file:

– The location is the following:
   • http://www.ariful.esmartweb.com/**********




It tries to execute the following file:

– Filename:
   • "%WINDIR%\Knight.exe" protect

Registry

The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Disk Knight"="%WINDIR%\Knight.exe"



The following registry key is changed:

– [HKLM\SOFTWARE\Classes\exefile\shell\open\command]
   New value:
   • "@"=""%1" %*"

Miscellaneous

String:
Furthermore, it contains the following string:
   • Disk Knight is a supreme tool for protection against Mobile Disk Viruses. When Enabled, it bans all execution from mobile disk. Program can only be executed from mobile disk with your confirmation. Press F11 to Enable/Disable Protection

File details

Programming language:
The malware program was written in Visual Basic.

Description inserted by Petre Galan on Tuesday, April 13, 2010
Description updated by Petre Galan on Tuesday, April 13, 2010
