W32/Autorun-APL

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports
Protection available since: 21 Aug 2009 14:26:20 (GMT)
Last Updated: 21 Aug 2009 14:26:20 (GMT)


W32/Autorun-APL is a worm for the Windows platform.

W32/Autorun-APL spreads to other network computers.

When first run, W32/Autorun-APL copies itself to:

<Root>\Classified.exe
<Root>\Documente und Einstellungen.exe
<Root>\Documenti e Impostazioni.exe
<Root>\Documents and Settings.000.exe
<Root>\Documents and Settings.exe
<User>\Application Data\Lambda\DirLock.exe
<User>\Application Data\Microsoft\KBDriver\kbsys.exe
<User>\Documents\Classified.exe
<User>\Documents\My Music.exe
<User>\Documents\My Pictures.exe
<User>\Documents\Read1st.exe
<Startup>\Classified.exe
<Temp>\8cbzwf-88co0f-4v4bhj-rtwx6w-ahfh7c\2.exe
<Temp>\j7b6re-j4bvve-fq3jci-2ov41v-lcfp2b\2.exe
<Temp>\l3o32f-lzpr6f-gmgfnj-4k90cw-n8sled\1.exe
<Temp>\u39wt3-1tkdfw-qgqho7-l8twvc-yxrxpz\1.exe
<Temp>\ujov8f-ugpkcf-p2h7tj-d09tiw-wotdjd\2.exe
<Temp>\upqb99-ulq0d9-p8inue-d6a9jq-wuutk7\2.exe
<Temp>\zy4q3e-yu5f7e-ugw3oj-iepodv-1389ec\1.exe
<User>\My Documents\Classified.exe
<User>\My Documents\My Music.exe
<User>\My Documents\My Pictures.exe
<User>\My Documents\My Received Files.exe
<User>\My Documents\yahoomentor.exe
<Root>\Games.exe
<Root>\Mijn Documenten.exe
<Root>\Mirc32.exe
<Root>\My Downloads.exe
<Root>\My Music.exe
<Root>\My Shared Folder.exe
<Root>\NvExec.exe
<Root>\NvOpen.exe
<Root>\NvRun.exe
<CurrentFolder>\Classified.exe
<CurrentFolder>\<filename>\Classified.exe
<Root>\Program Files.exe
<Program Files>\ATI Multimedia.exe
<Program Files>\Accessories.exe
<Program Files>\AppleJuice.exe
<Program Files>\Classified.exe
<Program Files>\ComPlus Applications.exe
<Program Files>\Common Files.exe
<Common Files>\Classified.exe
<Common Files>\InstallShield.exe
<Common Files>\MSSoap.exe
<Common Files>\Microsoft Shared.exe
<Common Files>\SpeechEngines.exe
<Common Files>\odbc.exe
<Common Files>\services.exe
<Common Files>\system.exe
<Program Files>\CommonName.exe
<Program Files>\Emule.exe
<Program Files>\Flt.exe
<Program Files>\FrontPage Express.exe
<Program Files>\Grokster.exe
<Program Files>\Hotbar.exe
<Program Files>\Internet Explorer.exe
<Program Files>\Java Web Start.exe
<Program Files>\KaZaA Lite.exe
<Program Files>\KaZaA.exe
<Program Files>\Kmd.exe
<Program Files>\Limewire.exe
<Program Files>\MSN Gaming Zone.exe
<Program Files>\MSN Messenger.exe
<Program Files>\Messenger.exe
<Program Files>\Microsoft Office.exe
<Program Files>\Mirc.exe
<Program Files>\Morpheus.exe
<Program Files>\Movie Maker.exe
<Program Files>\MySearch.exe
<Program Files>\NetMeeting.exe
<Program Files>\Newtella.exe
<Program Files>\Online Services.exe
<Program Files>\Outlook Express.exe
<Program Files>\Pirch.exe
<Program Files>\Pirch32.exe
<Program Files>\Plus!.exe
<Program Files>\PowerArchiver.exe
<Program Files>\Shareaza.exe
<Program Files>\Splooge.exe
<Program Files>\Swaptor.exe
<Program Files>\Uninstall Information.exe
<Program Files>\Web Publish.exe
<Program Files>\WinMX.exe
<Program Files>\Windows Media Player.exe
<Program Files>\Windows Messaging.exe
<Program Files>\Windows NT.exe
<Program Files>\Yahoo!.exe
<Program Files>\aim95.exe
<Program Files>\aol.exe
<Program Files>\bearshare.exe
<Program Files>\chat.exe
<Program Files>\directx.exe
<Program Files>\eDonkey.exe
<Program Files>\eDonkey2000.exe
<Program Files>\ebkrdr.exe
<Program Files>\iMesh.exe
<Program Files>\icq.exe
<Program Files>\microsoft frontpage.exe
<Program Files>\mirc32.exe
<Program Files>\msn.exe
<Program Files>\overnet.exe
<Program Files>\pirch98.exe
<Program Files>\real.exe
<Program Files>\virc97.exe
<Program Files>\xerox.exe
<Root>\Programma's.exe
<Root>\Programme.exe
<Root>\Programmi.exe
<Root>\Programs.exe
<Root>\Read1st.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000001.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000002.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000003.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000004.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000005.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000006.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000007.exe
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000008.exe
<Root>\Temp.exe
<Root>\Tmp.exe
<Root>\WinNT.exe
<Root>\drvrtmp.exe
<Root>\goats.exe
<Root>\inetpub.exe
<Root>\install.exe
<Root>\mirc.exe
<Root>\pua-extract.exe
<Root>\pua-output.exe
<Root>\windows.exe
<Windows>\All Users.exe
<Windows>\AppPatch.exe
<Windows>\Classified.exe
<Windows>\Connection Wizard.exe
<Windows>\Debug.exe
<Windows>\Driver Cache.exe
<Windows>\LastGood.Tmp.exe
<Windows>\LastGood.exe
<Windows>\Local Settings.exe
<Windows>\Menu Iniciar.exe
<Windows>\MsApps.exe
<Windows>\Offline Web Pages.exe
<Windows>\Prefetch.exe
<Windows>\Registration.exe
<Windows>\Resources.exe
<Windows>\WinSxS.exe
<Windows>\addins.exe
<Windows>\catroot.exe
<Windows>\command.exe
<Windows>\config.exe
<Windows>\cursors.exe
<Windows>\drwatson.exe
<Windows>\forms.exe
<Windows>\help.exe
<Windows>\ime.exe
<Windows>\java.exe
<Windows>\lsass.exe
<Windows>\mdmupglg.exe
<Windows>\media.exe
<Windows>\mirc32.exe
<Windows>\msagent.exe
<Windows>\mui.exe
<Windows>\ol98logs.exe
<Windows>\pchealth.exe
<Windows>\pif.exe
<Windows>\repair.exe
<Windows>\samples.exe
<Windows>\security.exe
<Windows>\srchasst.exe
<Windows>\system.exe
<Windows>\system32.exe
<System>\winnthlp1.exe
<System>\winnthlp2.exe
<Windows>\temp.exe
<Windows>\twain_32.exe

and creates the following files:

<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\_driver.cfg
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\_filelst.cfg
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\drivetable.txt
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\RestorePointSize
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\a0000009.bat
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\change.log
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\rp.log
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_MACHINE_SAM
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_MACHINE_SECURITY
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_MACHINE_SOFTWARE
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_MACHINE_SYSTEM
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_.DEFAULT
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-854245398-413027322-725345543-1003
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-854245398-413027322-725345543-1003
<Root>\System Volume Information\_restore{A96E9964-7A58-461E-876E-040BBC34809C}\rp1\snapshot\domain.txt
<Root>\autorun.inf
<Root>\fsnapa.snp
<Root>\rsnapa.snp
<Windows>\shutdown.dll
<System>\Restore\MachineGuid.txt

The file autorun.inf is detected as W32/AutoRun-AMW.

The following registry entries are created to run DirLock.exe, lsass.exe and system.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32
<Windows>\system.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DirLock
<User>\application data\Lambda\DirLock.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LSAgent
<Windows>\lsass.exe

The following registry entry is changed to run kbsys.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<User>\application data\Microsoft\KBDriver\kbsys.exe"

W32/Autorun-APL sets the following registry entry, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\sr
Start
0

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
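The persistence entries, Explorer settings and dropped-file locations above can be turned into a read-only host check. The script below is an added example, not code from the Sophos description; it maps the page's placeholders to environment variables as an assumption (<User>\Application Data to $env:APPDATA, <Windows> to $env:windir, <System> to $env:windir\system32, <Startup> to the current user's Startup folder) and reports, without modifying anything, which of the listed indicators are present. The sr service Start entry is deliberately not checked: a value of 0 is also that driver's default boot-start setting on Windows XP, so on its own it is not a usable indicator.

```powershell
# Added example (not from the Sophos page): read-only check for the
# W32/Autorun-APL indicators listed above. Placeholder mapping is an assumption.
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Run-key value names the worm creates. The data is attacker-controlled,
# so the value name itself is the indicator.
$runEntries = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Win32' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'DirLock' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'LSAgent' }
)
foreach ($e in $runEntries) {
    $p = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    if ($p) { Add-Finding 'Run key' "$($e.Path)\$($e.Name)" ([string]$p.($e.Name)) }
}

# Winlogon Shell should be exactly "Explorer.exe"; anything appended (here
# kbsys.exe) is a shell hijack that runs at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') { Add-Finding 'Winlogon Shell' "$winlogon\Shell" $shell }

# Explorer settings the worm forces: hide hidden/system files, hide
# extensions (so "My Music.exe" shows as "My Music"), remove Folder Options.
$settingChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Bad = 2 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = 0 }
)
foreach ($c in $settingChecks) {
    $p = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($p -and [int]$p.($c.Name) -eq $c.Bad) { Add-Finding 'Explorer setting' "$($c.Path)\$($c.Name)" ([string]$p.($c.Name)) }
}

# Dropped copies referenced by the persistence entries, plus the lookalike
# lsass.exe / system.exe placed directly in <Windows> (the genuine lsass.exe
# lives in system32).
$startup = [Environment]::GetFolderPath('Startup')
$paths = @(
    "$env:APPDATA\Lambda\DirLock.exe",
    "$env:APPDATA\Microsoft\KBDriver\kbsys.exe",
    "$env:windir\lsass.exe",
    "$env:windir\system.exe",
    "$env:windir\shutdown.dll",
    "$env:windir\system32\winnthlp1.exe",
    "$env:windir\system32\winnthlp2.exe",
    "$startup\Classified.exe"
)
foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f '' } }

# autorun.inf at any drive root is read and reported, never executed.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $content = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
        Add-Finding 'autorun.inf' $inf (($content) -join ' | ')
    }
}

if ($findings.Count -eq 0) { 'No W32/Autorun-APL indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user whose profile is suspected, since the HKCU entries and the Application Data paths are per-user; the HKLM checks additionally need an elevated session to read reliably. The script only reads, so a positive result is the starting point for clean-up with the vendor tool, not the clean-up itself.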
