W32/AutoRun-BHE

Category: Viruses and Spyware
Protection available since: 02 Sep 2010 02:37:47 (GMT)
Type: Win32 worm
Last Updated: 02 Sep 2010 02:37:47 (GMT)
Prevalence: Small Number of Reports


W32/AutoRun-BHE exhibits the following characteristics:

File Information

Size: 281K
SHA-1: 519b6819c8c98110c46425a9ffb3bd06364dcb83
MD5: 47d5ea1338cc222038abf8e5da8bd829
CRC-32: 4d34c738
File type: application/x-ms-dos-executable
First seen: 2010-09-02

Other vendor detection

Avira: TR/Crypt.XPACK.Gen
Kaspersky: Worm.Win32.AutoRun.amnl

Runtime Analysis

Registry Keys Created
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npc_login.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfwiz.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg32.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Security Center\Svc
    FirewallDisableNotify
    0x00000001
  • HKCR\exefile
    NeverShowExt
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
    Debugger
    rundll32.exe
  • HKCR\jpegfile
    NeverShowExt
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npcsvc32.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSCVIHOST.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprosec.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvoy.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npflgutl.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtpsvc.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoa.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ise32.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npc_tray.exe
    Debugger
    cmd.exe /c del /f /q
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    PC?
    c:\Documents and Settings\test user\Application Data\Java\?shimgvw?.exe
  • HKLM\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify
    0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nbrowser.exe
    Debugger
    cmd.exe /c del /f /q
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA
    0x00000000
Registry Keys Modified
  • HKCU\Control Panel\Desktop
    HungAppTimeout
    400
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    SuperHidden
    0x00000000
  • HKCR\jpegfile\DefaultIcon
    (Default)
    C:\Documents and Settings\support\Application Data\Java\?shimgvw?.exe,0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    UncheckedValue
    0x00000001
  • HKLM\SYSTEM\CurrentControlSet\Control
    WaitToKillServiceTimeout
    2000
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    UncheckedValue
    0x00000000
Processes Created
  • c:\documents and settings\support\application data\java\\x03ddshimgvw\x0285.exe
  • c:\documents and settings\support\application data\java\\x07d9jview\x029a.exe
  • c:\windows\system32\rundll32.exe
DNS Requests
  • www.google.com
