What We Do
- Your Needs
  Security Goals
  INDUSTRIES & SECTORS
  COMPANY SIZE
  PRODUCT FEATURES
  CASE STUDIES
  - Education
  - Financial
  - Government
  - Healthcare
  - Technology
  - Other
- Why Sophos
  Company Overview
  Our People
  INNOVATIVE TECHNOLOGY
  ALERT SERVICES
- Products
  Product Features
  Product Families
  - Unified (formerly Astaro)
  - Endpoint
  - Network
  - Encryption
  - Web
  - Email
  - Mobile
  Complete Security
  - All-in-One Security Suites
  PRODUCTS BY NAME
  - Products A-Z
  Free Tools
  Next Steps
  RESOURCES
Getting Answers
- Support
  FIND AN ANSWER
  Support by Product
  - > View all
  Maintain your Product
  Hire an Expert
  WHAT'S POPULAR
- Threat Center
  THREAT ANALYSIS
  THREAT STATISTICS
  WHAT'S POPULAR
  Threat Definitions
  - A-Z of Threats
  THREAT MONITORING
What's Happening
- Security News/Trends
  SECURITY HUBS
  LIBRARY
  Whats Popular
  WHAT'S NEW
  Community
  - Naked Security
  - Connect with Us
  IT SECURITY TRAINING
  ANATOMY OF AN ATTACK
- Partners
  RESELLER PARTNERS
  - Overview
  - Why Partner with Sophos?
  Managed Service Providers
  - Overview
  SYSTEM INTEGRATORS
  - Overview
  OEM and Technology
  WHAT'S POPULAR

HPsus/Autorun-E

Category:	Suspicious Behavior and Files	Protection available since:	13 Apr 2012 19:05:55 (GMT)
Type:	Suspicious file	Last Updated:	13 Apr 2012 19:05:55 (GMT)

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Examples of HPsus/Autorun-E include:

Example 1

File Information

Size: 37K
SHA-1: 181cfc3ac97b6ea0b8fe25e184050ff77afc5d0c
MD5: c99bb1407282f36a20fd4a404e52606f
CRC-32: bd3a68c4
File type: application/x-ms-dos-executable
First seen: 2012-03-07

Runtime Analysis

Copies Itself To

C:\WINDOWS\sadrive32.exe

Registry Keys Created

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Microsoft Driver Setup
C:\WINDOWS\sadrive32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Driver Setup
C:\WINDOWS\sadrive32.exe

Example 2

File Information

Size: 30K
SHA-1: 3f8372062838d82e90c3a585c469ff23c92c986a
MD5: ea28fa5415f881f7bdfd02228d7d37c0
CRC-32: a8ad7662
File type: application/x-ms-dos-executable
First seen: 2012-02-20

Other vendor detection

Kaspersky: Worm.Win32.Ngrbot.kpb

Runtime Analysis

Copies Itself To

F:/RECYCLER/R-1-5-21-1482476501-1644491937-682003330-1013/ecleaner.exe

Dropped Files

F:/RECYCLER/R-1-5-21-1482476501-1644491937-682003330-1013/Desktop.ini

Modified Files

C:\RECYCLER
- Set the readonly flag

Registry Keys Created

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman
c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\ecleaner.exe

DNS Requests

d.homler.net

Example 3

File Information

Size: 23K
SHA-1: 67400919ed7157aefb48d8b0825695e9bcfd5d98
MD5: f19bac38327ced646caf00385812400b
CRC-32: 72e2794a
File type: application/x-ms-dos-executable
First seen: 2012-02-13

Other vendor detection

Kaspersky: Backdoor.Win32.Floder.gqe

Runtime Analysis

Copies Itself To

F:/RECYCLER/R-1-5-21-1482476501-1644491937-682003330-1013/ecleaner.exe

Dropped Files

F:/RECYCLER/R-1-5-21-1482476501-1644491937-682003330-1013/Desktop.ini

Modified Files

C:\RECYCLER
- Set the readonly flag

Registry Keys Created

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman
c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\ecleaner.exe

DNS Requests

d.homler.net

Try Sophos products for free
Download now