W32/AutoRun-NZ

Category: Viruses and Spyware
Protection available since: 11 Nov 2008 19:11:41 (GMT)
Type: Win32 worm
Last Updated: 11 Nov 2008 19:11:41 (GMT)
Prevalence: Small Number of Reports

W32/AutoRun-NZ is a worm for the Windows platform.

When run, W32/AutoRun-NZ copies itself to:
<System>\vmmon.exe
<System>\wsntfy.exe

and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\\userinit.exe,<System>\vmmon.exe,

HKCU\Software\Microsoft\Windows NT\CurrentVersion
(default)
<random characters>

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Microsoft Enterprise Manager
<System>\vmmon.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F3Q02IS2-6ANW-8U8F-8M0X-84FTUA1U75PS}
StubPath
<System>\vmmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Querant
<System>\wsntfy.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\wsntfy.exe
<System>\wsntfy.exe:*:Enabled:Explorer
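
As an added example (not part of the original description), the registry indicators above can be checked against an exported registry snapshot. The snapshot layout, the function names and the expansion of <System> to C:\WINDOWS\system32 are assumptions made for illustration.

```python
import ntpath

# File names and key paths are copied from the description above.
DROPPED = {"vmmon.exe", "wsntfy.exe"}
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOSTART_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
)

def userinit_extras(value):
    """Return Userinit entries other than userinit.exe (the stock value lists only that)."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]

def scan(snapshot):
    """snapshot: {key_path: {value_name: data}} -> list of (key, value_name, reason)."""
    findings = []
    prefixes = tuple(k.lower() for k in AUTOSTART_KEYS)
    for key, values in snapshot.items():
        for name, data in values.items():
            if key.lower() == WINLOGON.lower() and name.lower() == "userinit":
                for extra in userinit_extras(data):
                    findings.append((key, name, "extra Userinit program: " + extra))
            elif key.lower().startswith(prefixes):
                # Firewall entries look like "<path>:*:Enabled:<label>"; keep the path part.
                exe = ntpath.basename(data.split(":*:")[0]).lower()
                if exe in DROPPED:
                    findings.append((key, name, "entry points at " + exe))
    return findings

# Constructed sample snapshot (hypothetical host, not real telemetry).
SAMPLE = {
    WINLOGON: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vmmon.exe,"},
    AUTOSTART_KEYS[1]: {"Querant": r"C:\WINDOWS\system32\wsntfy.exe",
                        "SomeTool": r"C:\Program Files\Tool\tool.exe"},
    AUTOSTART_KEYS[3]: {r"C:\WINDOWS\system32\wsntfy.exe":
                        r"C:\WINDOWS\system32\wsntfy.exe:*:Enabled:Explorer"},
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A file-name match is a triage lead only; confirm it against the file on disk before acting on it.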

W32/AutoRun-NZ spreads via removable shared drives by copying itself to <Root>\Recycler\<UserId>\volume.exe and creating the file <Root>\autorun.inf (detected as W32/HostInf-A).

W32/AutoRun-NZ also spreads by emailing itself as a zip attachment.

Subject lines include:

You've recieved A Hallmark E-Card!
miss Indonesian
Cek This
hello
xxx
Japannes Porn

Message bodies include:

"You have recieved A Hallmark E-Card.

You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy."

"Hot ..."

"please read again what i have written to you"

"Fucking With Me :D"

"hey Indonesian porn
Agnes Monica pic's"

File attachments have the names:
file <random number>.zip
nadine <random number>.zip
Miyabi <random number>.zip
hell <random number>.zip
Need you <random number>.zip
doc <random number>.zip
this file <random number>.zip
video <random number>.zip
postcard.zip

