Sophos

Sophos blogs

W32/Autoit-H

Aliases
  • Win32/Autoit.CF worm
  • WORM_AUTORUN.VN
Category
Type
What to do
Prevalence low high

Summary

 
Affected operating systems Windows
Protection available since 13 May 2008 02:38:06 (GMT)
Last updated 12 April 2009 02:05:31 (GMT)
Detected by All Sophos products
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Autoit-H is a worm for the Windows platform.

When first run W32/Autoit-H copies itself to the Windows folder and creates the file <Windows>\pc-off.bat (also detected as W32/Autoit-H). A message box also appears stating:
JBLCF(AREVALO): Don't worry. I will not do anything here.

Registry values are modified:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
userinit.exe,<exe name>

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
www.---.blogspot.com

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
0x00000000

HKCU\Software\Microsoft\Command Processor\autorun
<path to pc-off.bat>

HKCU\Software\DONARDSINAY
<email address>

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer