W32/AutoRun-AVL

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 22 Nov 2009 14:50:08 (GMT)
Last Updated: 22 Nov 2009 14:50:08 (GMT)
Prevalence: Small Number of Reports


W32/AutoRun-AVL is a worm for the Windows platform.

W32/AutoRun-AVL spreads by copying itself to removable devices such as USB drives and creates an autorun.inf file in the root of the removable device in an attempt to run itself when the device is mounted.

When W32/AutoRun-AVL is run the following files are created:

<System>\drivers\kernel86x.sys (detected separately as PUA "TCP-Z TCP Patch and Monitor")
<System>\wmispm.exe
<Temp>\melt.bat
<removable device>\autorun.inf
<removable device>\RECDIR-5902
<removable device>\RECDIR-5902\data.sys

(Files and folders may have the hidden, system and read-only attributes set.)
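The removable-media artifacts listed above can be checked from an administrative PowerShell prompt. The script below is an added example for this page, not Sophos' own tooling; it enumerates removable volumes (Win32_LogicalDisk DriveType 2), reports whether the three paths from the list are present together with their attributes (the hidden/system attributes the worm sets are why Get-Item needs -Force), and prints any launch directives found in autorun.inf so the referenced binary can be examined. It is read-only and assumes the artifact names exactly as given on this page.

```powershell
# Added example (not from the Sophos analysis): read-only scan of removable
# drives for the W32/AutoRun-AVL artifacts named on this page.
$artifacts = @('autorun.inf', 'RECDIR-5902', 'RECDIR-5902\data.sys')

# DriveType 2 = removable disk in the Win32_LogicalDisk class.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($disk in $removable) {
    $root = $disk.DeviceID + '\'
    foreach ($name in $artifacts) {
        $path = Join-Path $root $name
        # -Force is needed so hidden/system items are returned at all.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Drive      = $disk.DeviceID
                Artifact   = $name
                Attributes = $item.Attributes.ToString()
            }
        }
    }

    # Show what the autorun.inf would launch; these directive names are the
    # standard autorun.inf keys, not values taken from this page.
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { "{0}: {1}" -f $disk.DeviceID, $_.Trim() }
    }
}
```

Run it with the suspect drive inserted but before opening it in Explorer; on systems where AutoPlay is still enabled, opening the drive is exactly the action the autorun.inf is waiting for.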

The following registry entry is set to run wmispm.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
Debugger
wmispm.exe

The following registry entry is set to run the legitimate Windows file ctfmon.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
ctfmon.exe

The file kernel86x.sys is registered as a new service named "kernel86x", with a display name of "Kernel Loader Service". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\kernel86x

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
<System>\wmispm.exe
<System>\wmispm.exe:*:Enabled:Windows Live

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\wmispm.exe
<System>\wmispm.exe:*:Enabled:Windows Live

W32/AutoRun-AVL sets the following registry entry, disabling the automatic startup of the wscsvc (Windows Security Center) service:

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
0x00000004

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
<System>\wmispm.exe
DisableNXShowUI

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
0x00000001

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
CheckedValue
0x00000001

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0x00000002

HKLM\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation
0x00000001

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
0x00000001

HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
Trace Level
<no value>

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
ctfmon.exe
ctfmon.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
ctfmon.exe
ctfmon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PropSummary
Advanced
0x00000000

W32/AutoRun-AVL may delete files with the extensions SCR and COM from the Windows system folder, and may modify the HOSTS file located at <System>\drivers\etc\hosts.
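The host-side indicators above (the dropped files, the Image File Execution Options hijack of ctfmon.exe, the kernel86x service, the firewall exceptions, the disabled Security Center service, the policy values and the HOSTS file) can be audited with the following PowerShell script. It is an added example written for this page, not Sophos' code: it reads the registry and file system only, changes nothing, and assumes it is run elevated on the machine being examined. The <System> and <Temp> placeholders from the file list are resolved to the local System32 and %TEMP% paths, which is an assumption about where the worm writes on a given build.

```powershell
# Added example (not from the Sophos analysis): read-only audit of the
# W32/AutoRun-AVL registry, file and service indicators listed on this page.
$sys = [Environment]::GetFolderPath('System')      # e.g. C:\Windows\System32
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# Each check names a key and value from this page. Where 'Bad' is given the
# value is only reported if it equals that data; otherwise mere presence is
# reported and the analyst decides.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe'
       Name = 'Debugger'; Why = 'IFEO hijack: the Debugger binary runs in place of ctfmon.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'ctfmon.exe'; Why = 'Run entry that launches the hijacked ctfmon.exe at logon' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List'
       Name = "$sys\wmispm.exe"; Why = 'firewall exception, domain profile' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
       Name = "$sys\wmispm.exe"; Why = 'firewall exception, standard profile' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
       Name = 'Start'; Bad = 4; Why = 'Security Center service set to disabled' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
       Name = 'DontReportInfectionInformation'; Bad = 1; Why = 'MSRT infection reporting suppressed' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name = 'DisableConfig'; Bad = 1; Why = 'System Restore configuration disabled' }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DoNotAllowXPSP2'; Bad = 1; Why = 'XP SP2 offer blocked by policy' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole'
       Name = 'EnableDCOM'; Bad = 'N'; Why = 'DCOM disabled' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
       Name = 'ctfmon.exe'; Why = 'persists in Safe Mode' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
       Name = 'ctfmon.exe'; Why = 'persists in Safe Mode with Networking' }
)

foreach ($c in $checks) {
    $v = Get-RegValue -Key $c.Key -Name $c.Name
    if ($null -eq $v) { continue }
    if ($c.ContainsKey('Bad') -and $v -ne $c.Bad) { continue }
    $findings.Add("REG  $($c.Key) [$($c.Name)] = $v  ($($c.Why))")
}

# Dropped files; placeholder resolution is an assumption about this build.
foreach ($f in @("$sys\wmispm.exe", "$sys\drivers\kernel86x.sys", "$env:TEMP\melt.bat")) {
    if (Test-Path -LiteralPath $f) { $findings.Add("FILE $f present") }
}

# kernel86x is a driver service, so check its registry key rather than
# Get-Service, which does not list kernel drivers.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\kernel86x'
if (Test-Path -LiteralPath $svcKey) {
    $disp = Get-RegValue -Key $svcKey -Name 'DisplayName'
    $findings.Add("SVC  kernel86x installed (DisplayName: $disp)")
}

# Non-comment HOSTS entries; anything beyond the default localhost lines
# deserves review after this infection.
$hosts = "$sys\drivers\etc\hosts"
if (Test-Path -LiteralPath $hosts) {
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object { $findings.Add("HOST $_") }
}

if ($findings.Count -eq 0) { 'No W32/AutoRun-AVL indicators found.' } else { $findings }
```

The IFEO Debugger entry is the one to confirm first: with it in place, any launch of ctfmon.exe (including the Run entry and the SafeBoot entries the worm adds) starts wmispm.exe instead, so removing the dropped files without clearing that value leaves a dangling hijack that breaks ctfmon.exe, while clearing the value without removing the Run and SafeBoot entries is harmless because ctfmon.exe is a legitimate Windows component.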
