Summary
W32/AutoRun-AOA is a worm for the Windows platform.
Detailed analysis
Example behaviours of W32/AutoRun-AOA follow:
Example 1
Other vendor detection
- Avira: Worm/Autorun.aaer
- Kaspersky: Worm.Win32.AutoRun.fnc
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\system3_.exe
- C:\WINDOWS\system3_.exe
Dropped Files
- C:\WINDOWS\system32\autorun.ini
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Yahoo Messengger = C:\WINDOWS\system32\system3_.exe
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
  - AtTaskMaxHours = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Shell = Explorer.exe system3_.exe
- HKCU\Software\Microsoft\Internet Explorer\Main
  - Start Page = http://www.mydreamworld.50webs.com
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
  - Search Page = http://www.mydreamworld.50webs.com
Processes Created
- c:\windows\system32\at.exe
- c:\windows\system32\cmd.exe
Example 2
Other vendor detection
- Avira: TR/Crypt.CFI.Gen
- Kaspersky: Worm.Win32.AutoRun.fnc
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\system3_.exe
- C:\WINDOWS\system3_.exe
Dropped Files
- C:\WINDOWS\system32\autorun.ini
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - NofolderOptions = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Yahoo Messengger = C:\WINDOWS\system32\system3_.exe
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
  - AtTaskMaxHours = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableTaskMgr = 0x00000001
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Shell = Explorer.exe system3_.exe
- HKCU\Software\Microsoft\Internet Explorer\Main
  - Start Page = http://www.advgoogle.blogdpot.com
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
  - Search Page = http://www.advgoogle.blogdpot.com
Processes Created
- c:\windows\system32\at.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://h1.ripway.com/asdb000/setting.ini
- http://h1.ripway.com/asdb002/setting.ini
- http://www.balu000.0catch.com/set/setting.ini
DNS Requests
- h1.ripway.com
- www.balu000.0catch.com
Example 3
Other vendor detection
- Avira: TR/Crypt.CFI.Gen
- Kaspersky: Worm.Win32.AutoRun.fnc
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\system3_.exe
- C:\WINDOWS\system3_.exe
Dropped Files
- C:\WINDOWS\system32\autorun.ini
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
  - DisableTaskMgr = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - NofolderOptions = 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Yahoo Messengger = C:\WINDOWS\system32\system3_.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - GlobalUserOffline = 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\Schedule
  - AtTaskMaxHours = 0x00000000
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Shell = Explorer.exe system3_.exe
- HKCU\Software\Microsoft\Internet Explorer\Main
  - Start Page = http://www.mydreamworld.50webs.com
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
  - Search Page = http://www.mydreamworld.50webs.com
Processes Created
- c:\windows\system32\at.exe
- c:\windows\system32\cmd.exe
HTTP Requests
- http://h1.ripway.com/asdb000/setting.ini
- http://h1.ripway.com/asdb002/setting.ini
- http://h1.ripway.com/asdb004/setting.ini
- http://www.balu000.0catch.com/set/setting.ini
- http://www.balu001.0catch.com/set/setting.ini
DNS Requests
- h1.ripway.com
- www.balu000.0catch.com
- www.balu001.0catch.com