W32/Autoit-CV is a worm. It spreads via USB drives by creating copies of itself on the drive that replace existing executables, and by creating a related autorun.inf file, which is detected as W32/Autoit-BP.
When W32/Autoit-CV is installed, the following files are created:
<System>\KHATRA.exe
<Windows>\system\gHost.exe
<Windows>\inf\Autoplay.inF
<Windows>\Tasks\At1.job
<Windows>\Xplorer.exe
<Windows>\KHATARNAKH.exe
\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK
The following registry entries are created to run KHATRA.exe and Xplorer.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xplorer = C:\WINDOWS\Xplorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\G_Host = "C:\WINDOWS\System\gHost.exe" /Reproduce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load = C:\WINDOWS\system32\KHATRA.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = C:\WINDOWS\system32\KHATRA.exe
Additional registry entries are created under:
HKLM\SOFTWARE\KHATRA
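A host check built from the file and registry indicators listed above, as an added example that is not part of the original write-up. It assumes <Windows> resolves to $env:SystemRoot and <System> to its system32 folder (as the registry values above suggest); the function name Get-AutoitCvArtifact is made up for illustration.

```powershell
# Added example (not vendor code): report W32/Autoit-CV artifacts present on this host.
# Assumption: <Windows> is $env:SystemRoot and <System> is its system32 folder.
function Get-AutoitCvArtifact {
    $win = $env:SystemRoot
    $files = @(
        "$win\system32\KHATRA.exe",
        "$win\system\gHost.exe",
        "$win\inf\Autoplay.inF",
        "$win\Tasks\At1.job",   # also the default name of any task made with 'at'; weak on its own
        "$win\Xplorer.exe",
        "$win\KHATARNAKH.exe",
        "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            [pscustomobject]@{ Type = 'File'; Location = $f; Data = $null }
        }
    }

    # Autostart values from the write-up. 'load' and 'Taskman' can exist for other
    # reasons, so a value is reported only when its data names one of the worm's files.
    $values = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Xplorer' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'G_Host' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'load' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Taskman' }
    )
    $pattern = '\\(KHATRA|gHost|Xplorer)\.exe'   # -match is case-insensitive
    foreach ($v in $values) {
        $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        $data = $item.($v.Name)                  # $null when the value is absent
        if ($data -match $pattern) {
            [pscustomobject]@{ Type = 'RegistryValue'; Location = "$($v.Key)\$($v.Name)"; Data = $data }
        }
    }

    # The worm's own configuration key.
    if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\KHATRA') {
        [pscustomobject]@{ Type = 'RegistryKey'; Location = 'HKLM:\SOFTWARE\KHATRA'; Data = $null }
    }
}

Get-AutoitCvArtifact | Format-Table -AutoSize
```

The HKCU entry is read from the hive of the account running the script, so run it in the affected user's session as well as from an elevated prompt.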