Virus: Worm/Autorun.ZH.45
Date discovered: 28/02/2011
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 104.960 Bytes
MD5 checksum: 03A024EF5CF397060981B18BAC6C5941
VDF version: 7.10.09.33
IVDF version: 7.11.03.242 - Monday, February 28, 2011

General

Method of propagation:
   • Autorun feature


Aliases:
   •  TrendMicro: TROJ_SPNR.08FE11
   •  Sophos: Mal/FakeAV-FS
   •  Microsoft: Worm:Win32/Autorun.ZH


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification

Files

It copies itself to the following location:
   • %APPDATA%\Microsoft\svchost.exe

Registry

One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Startup"="%APPDATA%\Microsoft\svchost.exe"



The following registry key is added:

– [HKCU\Software\D,,]
   • "FileNameActual"="%executed file%"

Backdoor

Contact server:
The following:
   • **********.dyndns-server.com:3086

As a result, it may send information, and remote control could be provided.

Miscellaneous

Mutex:
It creates the following Mutex:
   • LS3JTPV37R


Anti-debugging:
Checks for a debugger or virtual machine using time-related techniques.

File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Ilie on Monday, September 5, 2011
Description updated by Andrei Ilie on Monday, September 5, 2011
