W32/Autorun-L

Category:	Viruses and Spyware	Protection available since:	23 Nov 2007 12:46:46 (GMT)
Type:	Win32 worm	Last Updated:	23 Nov 2007 12:46:46 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Autorun-L is a worm for the Windows platform.

W32/Autorun-L may attempt to spread by copying itself to removable drives and creating an autorun.inf file to enable the worm copy to be run.

W32/Autorun-L also spreads to other network computers.

When first run W32/Autorun-L copies itself to:

<Startup>\defaults.pif
<Windows>\Debug\explorer.exe
<Windows>\Installer\winlogon.exe
<System>\dllcache\lsass.exe
<System>\dllcache\userinit.exe

It creates the following files:

<Root>\kib.htm
<Windows>\SoftWareProtector\Error_out.pr
<Windows>\sys.inf

W32/Autorun-L also attempts to disable security related applications.

When first run W32/Autorun-L creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kb
C:\WINDOWS\System32\drivers\AUTO.TXT

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo
C:\WINDOWS\System32\dllcache\saql55ekmp66wlpannqoooopcv\kib.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
Show_StatusBar
no

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Debugger
C:\WINDOWS\System32\sol.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger
C:\WINDOWS\System32\spider.exe

Registry entries are modified under:

HKCR\Folder\shell\Kibaki
&Emilio Mwai Kibaki

HKCR\Folder\shell\Kibaki\command
C:\WINDOWS\System32\dllcache\userinit.exe

HKCR\lnkfile\shell\open\command

HKCR\exefile
File Folder

Try Sophos products for free
Download now

W32/Autorun-L

Free Mac Anti-Virus

Popular topics