W32/Autoit-H

Aliases	Win32/Autoit.CF worm WORM_AUTORUN.VN
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Protection available since	13 May 2008 02:38:06 (GMT)
Last updated	12 April 2009 02:05:31 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Autoit-H is a worm for the Windows platform.

When first run W32/Autoit-H copies itself to the Windows folder and creates the file <Windows>\pc-off.bat (also detected as W32/Autoit-H). A message box also appears stating:
JBLCF(AREVALO): Don't worry. I will not do anything here.

Registry values are modified:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
userinit.exe,<exe name>

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
www.---.blogspot.com

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
0x00000000

HKCU\Software\Microsoft\Command Processor\autorun
<path to pc-off.bat>

HKCU\Software\DONARDSINAY
<email address>

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Sophos blogs

W32/Autoit-H

Summary

Action

More Information