Virus: WORM/Autorun.chwz
Date discovered: 29/04/2011
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
File size: 90.112 Bytes
MD5 checksum: 94A72F8B07B15A0CE37302D6B1205856
VDF version: 7.11.07.83 - Friday, April 29, 2011
IVDF version: 7.11.07.83 - Friday, April 29, 2011

General

Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: W32/YahLover.worm
   •  Kaspersky: Worm.Win32.AutoRun.chwz
   •  TrendMicro: WORM_AUTORUN.CON
   •  Microsoft: VirTool:Win32/CeeInject.gen!ED
   •  Panda: W32/Ircbot.DAC.worm


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Drops a file
   • Registry modification

Files

It copies itself to the following location:
   • %APPDATA%\windows32.exe

Registry

One of the following values is added to each registry key in order to run the processes after reboot:

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

  [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"



The following registry keys are added in order to load the services after reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"



The following registry keys are added:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion]
   • "Start Page"="http://redirecturls.**********"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
   • "MicrosoftWindows"="%APPDATA%\windows32.exe"



The following registry key is changed:

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "ParseAutoexec"="1"
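
The autostart entries listed above can be checked for offline in a registry export. The following is an added example, not part of the original description or any Avira tool: it scans `reg export` text for the value name and dropped file name given on this page. The function names and the sample export are constructed for illustration.

```python
import re
# Autostart keys from the description; `reg export` writes full hive names.
CV = r"Software\Microsoft\Windows\CurrentVersion"
SUBKEYS = [CV + "\\" + s for s in (
    "Run", "RunOnce", r"Policies\Explorer\Run", "RunServices", "RunServicesOnce")]
SUBKEYS.append(r"Software\Microsoft\Windows NT\CurrentVersion\Windows\load")
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
WATCHED = {f"{h}\\{s}".lower() for h in HIVES for s in SUBKEYS}
VALUE_NAME = "microsoftwindows"  # value name from the description
DROPPED = "\\windows32.exe"      # dropped file name from the description
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def find_persistence(reg_text):
    """Return (key, value name, data, reason) for each matching entry."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or key is None or key.lower() not in WATCHED:
            continue
        name, data = unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])  # REG_SZ; other types stay raw
        reasons = [r for r, ok in (("value-name", name.lower() == VALUE_NAME),
                                   ("file-name", data.lower().endswith(DROPPED))) if ok]
        if reasons:
            hits.append((key, name, data, "+".join(reasons)))
    return hits

# Constructed sample export, not taken from a real system.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftWindows"="C:\\Users\\test\\AppData\\Roaming\\windows32.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Shell"="C:\\Users\\test\\AppData\\Roaming\\windows32.exe"
[HKEY_CURRENT_USER\Software\Example]
"MicrosoftWindows"="unrelated"
'''
for hit in find_persistence(SAMPLE):
    print(hit)
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `find_persistence`.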

File details

Runtime packer:
To make detection more difficult and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Ilie on Wednesday, July 13, 2011
Description updated by Andrei Ilie on Monday, July 18, 2011
