Virus: WORM/Autorun.qfe
Date discovered: 30/06/2010
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 262.144 Bytes
MD5 checksum: a477ca82726e9998a5914cff90783f57
VDF version: 7.10.03.202
IVDF version: 7.10.08.233 - Wednesday, June 30, 2010

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: W32.SillyFDC
   •  Mcafee: W32/Autorun.worm.bx
   •  Kaspersky: Worm.Win32.AutoRun.bqpq
   •  Sophos: Mal/Emogen-Y


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops files
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %PROGRAM FILES%\Common Files\svchost.exe



The following files are created:

– %tempdir%\xx%number% This is a non-malicious text file with the following content:
   • Retrieved system-specific information.

– %PROGRAM FILES%\Common Files\log\%computer name%\%current time%.cab.bak
– %WINDIR%\drive.ini
– %WINDIR%\log\%current time%.cab

Registry
The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
   • "CheckedValue"="dword:00000001"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
   • "UncheckedValue"="dword:00000000"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Userinit"="%SYSDIR%\userinit.exe,%PROGRAM FILES%\Common Files\svchost.exe -s"

Backdoor
Sends information about:
    • CPU speed
    • CPU type
    • Hardware
    • IP address
    • MAC address
    • Information about the network
    • Platform ID
    • System directory
    • System time
    • Windows directory
    • Information about the Windows operating system

Miscellaneous
Masquerading as a trusted file:
Its process poses as the following trusted process: svchost.exe
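
A check for the two traits described above, the extra Winlogon Userinit entry and an svchost.exe running from outside the system directory. This is an added example, not Avira's detection logic. The expanded paths (C:\Windows\System32, C:\Program Files) and the sample values are constructed assumptions, and the function names are hypothetical.

```python
import ntpath

SYSDIR = r"C:\Windows\System32"  # assumed expansion of %SYSDIR%

# Constructed sample values: a stock Userinit and the one this description reports.
CLEAN = r"C:\Windows\system32\userinit.exe,"
INFECTED = (r"C:\Windows\System32\userinit.exe,"
            r"C:\Program Files\Common Files\svchost.exe -s")

def read_userinit():
    """Read the live value (Windows only; not needed for the samples above)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    with key:
        return winreg.QueryValueEx(key, "Userinit")[0]

def exe_path(command):
    """Return the executable part of a command, dropping arguments such as -s."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx != -1 else command

def audit_userinit(value, sysdir=SYSDIR):
    """Return (command, reason) for every Userinit entry that is not userinit.exe."""
    sysdir = ntpath.normcase(sysdir)
    expected = ntpath.join(sysdir, "userinit.exe")
    findings = []
    for command in (c.strip() for c in value.split(",")):
        if not command:
            continue  # the stock value ends with a trailing comma
        path = ntpath.normcase(ntpath.normpath(exe_path(command)))
        if path == expected:
            continue
        reason = "extra Userinit entry"
        if ntpath.basename(path) == "svchost.exe" and ntpath.dirname(path) != sysdir:
            reason = "svchost.exe outside system directory"
        findings.append((command, reason))
    return findings

if __name__ == "__main__":
    for label, value in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, audit_userinit(value))
```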

File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Ilie on Wednesday, February 16, 2011
Description updated by Andrei Ilie on Friday, February 18, 2011
