Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 15 January 2008 20:25:59 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Autorun-AK is a worm for the Windows platform.
W32/Autorun-AK includes functionality to connect to the internet and communicate with a remote server via HTTP.
W32/Autorun-AK may attempt to terminate certain anti-virus processes.
When first run, W32/Autorun-AK copies itself to:
<Root>\usdeiect.com
<System>\amvo.exe
and creates the following files:
<Temp>\a.dll
<Temp>\tecvt6.sys
<System>\amv0.dll
<Root>\autorun.inf
tecvt6.sys is detected as Mal/RootKit-A, amv0.dll is detected as Troj/Lineag-Gen, autorun.inf is detected as W32/SillyFDC-BT and a.dll is detected as W32/Autorun-AK.
W32/Autorun-AK creates the following registry entry to run itself on startup:
HKCU\Software\Microsoft\Windows\Currentversion\Run
amva
<System>\amvo.exe
W32/Autorun-AK spreads via removable shared drives by copying itself to <Root>\usdeiect.com (detected as W32/Autorun-AK) and creating the file <Root>\autorun.inf (detected as W32/SillyFDC-BT) that is designed to run the worm when the drive is connected to an uninfected computer.
W32/Autorun-AK sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
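
The file and registry artifacts listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original Sophos description. It assumes that `<System>` maps to `%SystemRoot%\System32`, `<Temp>` to the current user's `%TEMP%`, and `<Root>` to the root of every mounted filesystem drive; the helper name `Get-RegValue` is hypothetical.

```powershell
# Added example: read-only check for the artifacts this description lists.
# Assumed mappings: <System> = %SystemRoot%\System32, <Temp> = current user's
# %TEMP%, <Root> = root of every mounted filesystem drive.
$findings = @()

$paths = @(
    (Join-Path $env:SystemRoot 'System32\amvo.exe'),
    (Join-Path $env:SystemRoot 'System32\amv0.dll'),
    (Join-Path $env:TEMP 'a.dll'),
    (Join-Path $env:TEMP 'tecvt6.sys')
)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $paths += Join-Path $drive.Root 'usdeiect.com'
    # autorun.inf also exists on legitimate media; treat a hit as a lead only.
    $paths += Join-Path $drive.Root 'autorun.inf'
}
foreach ($p in $paths) {
    # Test-Path sees hidden and system files when given the exact path.
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "File present: $p" }
}

function Get-RegValue([string]$Key, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value does not exist.
    (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Startup entry (HKCU covers only the user running this script).
$run = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'amva'
if ($null -ne $run) { $findings += "Run value 'amva' -> $run" }

# CheckedValue = 0 is the data the description reports for SHOWALL.
$showAll = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' 'CheckedValue'
if ($showAll -eq 0) { $findings += 'SHOWALL CheckedValue is 0' }

# Hidden = 2 and ShowSuperHidden = 0 are also what Explorer stores when a user
# chooses not to show hidden and protected files, so report them as context
# only when something else was found.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($findings.Count -gt 0 -and (Get-RegValue $adv 'Hidden') -eq 2 -and
    (Get-RegValue $adv 'ShowSuperHidden') -eq 0) {
    $findings += 'Explorer is set to hide hidden and protected files (context only)'
}

if ($findings.Count -gt 0) { $findings }
else { 'No artifacts from the W32/Autorun-AK description were found.' }
```

Because the description reports a rootkit component (`tecvt6.sys`), a clean result from a running system is not conclusive; an offline or boot-media scan gives a more reliable answer.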
