Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:07/02/2011
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
File size:941.168 Bytes
MD5 checksum:8681D07E3B3E24794459D8117A2EFEC8
VDF version:
IVDF version:

 General Method of propagation:
   • Autorun feature

   •  Symantec: W32.Harakit
   •  Kaspersky: Worm.Win32.AutoIt.xl
   •  TrendMicro: WORM_UTOTI.CON
   •  Bitdefender: Win32.Worm.AutoIT.FW
   •  Microsoft: Worm:Win32/Renocide

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops a file
   • Registry modification

 Files It copies itself to the following location:
   • %SYSDIR%\csrcs.exe

The following files are created:

%SYSDIR%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%TEMPDIR%\suicide.bat This batch file is used to delete a file.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   • "csrcs"="%SYSDIR%\csrcs.exe"

The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   • "GlobalUserOffline"=dword:00000000

 Backdoor Contact server:
All of the following:
   • 67.215.77.**********:4600
   • 92.241.169.**********:4700

 Miscellaneous  Checks for an internet connection by contacting the following web site:

Description inserted by Andrei Ilie on Tuesday, July 12, 2011
Description updated by Andrei Ilie on Wednesday, July 13, 2011

Back . . . .