W32/Autoit-IZ is a worm for the Windows platform.
W32/Autoit-IZ includes functionality to:
- steal confidential information
- access the internet and communicate with a remote server via HTTP
W32/Autoit-IZ communicates via HTTP with the following locations:
advgoogle . t35 . com
When W32/Autoit-IZ is installed the following files are created:
<System>\SSVICHOSST.exe
<Windows>\SSVICHOSST.exe
<System>\autorun.ini
<System>\setting.ini
The file autorun.ini is detected as W32/AutoIt-IL.
The following registry entry is created to run SSVICHOSST.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\SSVICHOSST.exe
The following registry entry is changed to run SSVICHOSST.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe SSVICHOSST.exe
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0x00000001
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline
0x00000000