W32/AutoRun-AOG

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 11 Aug 2009 01:22:54 (GMT)
Last Updated: 11 Aug 2009 01:22:54 (GMT)


W32/AutoRun-AOG is a worm for the Windows platform.

When run, W32/AutoRun-AOG copies itself to:
<Windows>\MsRun32.exe
<System>\MsRun32.exe

and creates the file <System>\autorun.ini (detected as Mal/AutoInf-A).

W32/AutoRun-AOG spreads via removable drives by copying itself to <Root>\MsRun32.exe and creating the file <Root>\autorun.inf (detected as Mal/AutoInf-A), which is designed to launch the worm when the infected removable drive is connected to a clean computer. This vector depends on Windows honouring autorun.inf on removable media; later Windows updates (KB971029) stopped doing so for non-optical drives, so it mainly affects unpatched or older systems.

W32/AutoRun-AOG also attempts to spread via network shares by enumerating the shares reachable from the computer and copying itself to them as True_Love.exe.
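The two propagation paths above leave artifacts on drive roots that can be checked directly. The following PowerShell function is an added triage example, not part of this write-up or of any Sophos tool: it walks the roots of removable and network drives, reports the dropped file names given above, and parses any autorun.inf for the launch directives Explorer honours. The drive-type codes are the documented Win32_LogicalDisk values; the file names come from the text.

```powershell
# Added triage helper; not part of the Sophos write-up. It walks the roots of
# removable (Win32_LogicalDisk DriveType 2) and network (DriveType 4) drives,
# reports the dropped file names given above, and parses any autorun.inf for the
# launch directives Explorer honours (open=, shellexecute=, shell\<verb>\command=).
function Find-AutoRunAOGOnDrives {
    [CmdletBinding()]
    param(
        # File names the worm drops on drive roots, taken from the write-up.
        [string[]]$DroppedNames = @('MsRun32.exe', 'True_Love.exe')
    )
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -in 2, 4 -and $_.DeviceID }

    foreach ($d in $drives) {
        $root = "$($d.DeviceID)\"
        foreach ($name in $DroppedNames) {
            $p = Join-Path $root $name
            if (Test-Path -LiteralPath $p) {
                [pscustomobject]@{
                    Drive = $d.DeviceID; Indicator = 'DroppedFile'; Path = $p
                    Detail = "$((Get-Item -LiteralPath $p -Force).Length) bytes"; Suspicious = $true
                }
            }
        }
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        # -Force reads the file even if it carries the hidden/system attributes.
        Get-Content -LiteralPath $inf -Force | ForEach-Object {
            if ($_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$') {
                $cmd = $Matches[2].Trim()
                # Flag the directive if it references one of the dropped file names.
                $hit = $DroppedNames | Where-Object { $cmd -match [regex]::Escape($_) }
                [pscustomobject]@{
                    Drive = $d.DeviceID; Indicator = 'AutorunDirective'; Path = $inf
                    Detail = $cmd; Suspicious = [bool]$hit
                }
            }
        }
    }
}

Find-AutoRunAOGOnDrives | Format-Table -AutoSize
```

Every autorun.inf launch directive is reported, not only the ones naming MsRun32.exe or True_Love.exe, because a legitimate autorun.inf on a removable drive is itself worth a look during triage; the Suspicious column separates the two.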

W32/AutoRun-AOG also sends messages via Yahoo! Messenger to the contacts on the user's list. Each message is one of the following texts followed by a link:

"see this comedy joke click on this link" <URL>
"Ha ha ha click on link to laugh ..." <URL>
"what a joke ......" <URL>
"nice one see this .... " <URL>
"what a joke .....click to see " <URL>
"what a joke ...... " <URL>
"nice to listen .........." <URL>
"what is this ? ......see " <URL>
"i am busy you click on a link and see ..." <URL>

The URL pointed to a web page that hosted malware; that page has since been taken down.

W32/AutoRun-AOG also terminates processes matching the following strings, which correspond to the System Configuration utility, Registry Editor, Task Manager and the command prompt:

"System Configuration"
"Registry"
"Windows Task"
"cmd.exe"

The following registry entries are set (value name = data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared = \True_Love.exe
(associated with the True_Love.exe network-share copy described above)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions = 1
(removes Folder Options from Explorer, so the user cannot re-enable the display of hidden files)

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 1
DisableTaskMgr = 1
(block Registry Editor and Task Manager for the current user)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN Messengger = <System>\MsRun32.exe
(runs the worm at logon; the value name is spelt exactly as shown)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe MsRun32.exe
(second persistence point: Winlogon starts the worm alongside Explorer at every logon)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
(selecting "Show hidden files and folders" no longer reveals hidden files)
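The entries above, together with the two dropped copies, give a checklist that can be verified and reverted from an elevated PowerShell session. The script below is an added example and is not part of this write-up or of Sophos' removal tool; it assumes <Windows> expands to $env:SystemRoot and <System> to $env:SystemRoot\System32, and it restores the Windows defaults (no policy value present, Shell = explorer.exe, CheckedValue = 1).

```powershell
# Added check/remediation helper; not part of the Sophos write-up. The registry
# triples are the ones listed above. Assumptions: <Windows> = $env:SystemRoot and
# <System> = $env:SystemRoot\System32. Run elevated so HKLM can be read and reset.
$AOGRegistryIndicators = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared';               BadPattern = 'True_Love\.exe$'; Fix = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';                Name = 'NofolderOptions';      BadPattern = '^1$';            Fix = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';                  Name = 'DisableRegistryTools'; BadPattern = '^1$';            Fix = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';                  Name = 'DisableTaskMgr';       BadPattern = '^1$';            Fix = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                              Name = 'MSN Messengger';       BadPattern = 'MsRun32\.exe';   Fix = $null }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                      Name = 'Shell';                BadPattern = 'MsRun32\.exe';   Fix = 'explorer.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; BadPattern = '^0$'; Fix = 1 }
)
# Fix = $null means the value does not exist on a clean host and is deleted;
# otherwise Fix is the Windows default written back in its place.
$AOGDroppedFiles = @(
    "$env:SystemRoot\MsRun32.exe"
    "$env:SystemRoot\System32\MsRun32.exe"
    "$env:SystemRoot\System32\autorun.ini"
)

function Test-AutoRunAOG {
    foreach ($i in $AOGRegistryIndicators) {
        $prop = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
        $current = if ($prop) { $prop.($i.Name) } else { $null }
        [pscustomobject]@{
            Type     = 'Registry'
            Location = "$($i.Key)\$($i.Name)"
            Current  = $current
            Infected = ($null -ne $current) -and ("$current" -match $i.BadPattern)
        }
    }
    foreach ($f in $AOGDroppedFiles) {
        [pscustomobject]@{ Type = 'File'; Location = $f; Current = $null; Infected = (Test-Path -LiteralPath $f) }
    }
}

function Repair-AutoRunAOG {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Stop the running copy before touching its files and registry entries.
    if ($PSCmdlet.ShouldProcess('MsRun32', 'Stop process')) {
        Get-Process -Name MsRun32 -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    foreach ($i in $AOGRegistryIndicators) {
        $prop = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
        if (-not $prop -or "$($prop.($i.Name))" -notmatch $i.BadPattern) { continue }
        $target = "$($i.Key)\$($i.Name)"
        if ($null -eq $i.Fix) {
            if ($PSCmdlet.ShouldProcess($target, 'Remove value')) {
                Remove-ItemProperty -Path $i.Key -Name $i.Name
            }
        } elseif ($PSCmdlet.ShouldProcess($target, "Set to '$($i.Fix)'")) {
            Set-ItemProperty -Path $i.Key -Name $i.Name -Value $i.Fix
        }
    }
    foreach ($f in $AOGDroppedFiles) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

Test-AutoRunAOG | Where-Object Infected | Format-Table -AutoSize
```

Run `Repair-AutoRunAOG -WhatIf` first to see what would change, then without the switch. Only values that still hold the worm's data are touched, so a host where an administrator has legitimately set one of the policy values is not reverted by accident. Because the worm terminates cmd.exe, run this from a PowerShell console rather than a cmd.exe window.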
