W32/AutoRun-AVH

Category: Viruses and Spyware
Protection available since: 20 Nov 2009 06:35:18 (GMT)
Type: Win32 worm
Last Updated: 20 Nov 2009 06:35:18 (GMT)
Prevalence: Small Number of Reports

W32/AutoRun-AVH is a worm for the Windows platform.

W32/AutoRun-AVH includes functionality to:

 - copy itself to the <Windows> folder
 - run automatically
 - copy itself to the <System> folder
 - steal confidential information

When W32/AutoRun-AVH is installed the following files are created:

<Startup>\(Empty).LNK (detected as W32/AutoRun-AVH)
<System>\gHost.exe (detected as W32/AutoRun-AVH)
<Windows>\inf\Autoplay.inF (detected as W32/Autorun-AOC)
<Windows>\KHATARNAKH.exe (detected as W32/AutoRun-AVH)
<System>\KHATRA.exe (detected as W32/AutoRun-AVH)
<Root>\KHATRA.exe (detected as W32/AutoRun-AVH)
<Windows>\Xplorer.exe (detected as W32/AutoRun-AVH)

W32/AutoRun-AVH spreads via removable shared drives.

The following registry entries are set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1

HKCU\Software\Microsoft\Internet Explorer\Main
Window Title
Internet Exploiter

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
G_Host
<System>\gHost.exe /Reproduce

Registry entries are created under:

HKLM\SOFTWARE\KHATRA\
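
The file and registry artifacts listed above can be checked on a host with a read-only script such as the following. This is an added example, not Sophos code; the function name and the mapping of the <Windows>, <System>, <Startup> and <Root> placeholders to real locations are assumptions.

```powershell
# Added example: read-only triage for the W32/AutoRun-AVH artifacts listed on this page.
# Assumption: <Windows> = %windir%, <System> = %windir%\System32, <Startup> = the user
# and all-users Startup folders, <Root> = the root of every mounted filesystem drive.
function Get-AutoRunAvhArtifact {
    $win = $env:windir
    $sys = Join-Path $win 'System32'
    $paths = @(
        (Join-Path $sys 'gHost.exe'),
        (Join-Path $sys 'KHATRA.exe'),
        (Join-Path $win 'inf\Autoplay.inF'),
        (Join-Path $win 'KHATARNAKH.exe'),
        (Join-Path $win 'Xplorer.exe')
    )
    # <Startup>\(Empty).LNK: skip a Startup folder that does not resolve on this host.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir) { $paths += Join-Path $dir '(Empty).LNK' }
    }
    # <Root>\KHATRA.exe: the worm spreads via drives, so check every drive root.
    $paths += @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { Join-Path $_.Root 'KHATRA.exe' })
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Kind = 'File'; Location = $p; Detail = 'present' }
        }
    }
    # DisableRegistryTools and NoControlPanel can also be set by administrator policy,
    # so treat them as supporting evidence rather than proof on their own.
    $values = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Like = '1' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel'; Like = '1' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Window Title'; Like = 'Internet Exploiter' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'G_Host'; Like = '*\gHost.exe /Reproduce' }
    )
    foreach ($v in $values) {
        $data = (Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($null -ne $data -and [string]$data -like $v.Like) {
            [pscustomobject]@{ Kind = 'RegistryValue'; Location = "$($v.Key)\$($v.Name)"; Detail = [string]$data }
        }
    }
    if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\KHATRA') {
        [pscustomobject]@{ Kind = 'RegistryKey'; Location = 'HKLM:\SOFTWARE\KHATRA'; Detail = 'present' }
    }
}
Get-AutoRunAvhArtifact | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found for the current user and machine; the HKCU checks must be repeated per user profile.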