Summary

| Field | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 22 November 2009 16:22:32 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/AutoRun-AVL is a worm for the Windows platform.
W32/AutoRun-AVL spreads by copying itself to removable devices such as USB drives and creates an autorun.inf file in the root of the removable device in an attempt to run itself when the device is loaded.
When W32/AutoRun-AVL is run the following files are created:
<System>\drivers\kernel86x.sys (detected separately as PUA "TCP-Z TCP Patch and Monitor")
<System>\wmispm.exe
<Temp>\melt.bat
<removable device>\autorun.inf
<removable device>\RECDIR-5902
<removable device>\RECDIR-5902\data.sys
(files and folders may have the hidden, system and read-only attributes set).
The following registry entry is set to run wmispm.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
    Debugger = wmispm.exe
The following registry entry is set to run the legitimate Windows file ctfmon.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe = ctfmon.exe
The file kernel86x.sys is registered as a new service named "kernel86x", with a display name of "Kernel Loader Service". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\kernel86x
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    <System>\wmispm.exe = <System>\wmispm.exe:*:Enabled:Windows Live
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    <System>\wmispm.exe = <System>\wmispm.exe:*:Enabled:Windows Live
W32/AutoRun-AVL sets the following registry entry, disabling the automatic startup of the Wscsvc service:
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start = 0x00000004
Registry entries are set as follows (value name = data):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    <System>\wmispm.exe = DisableNXShowUI
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2 = 0x00000001
HKLM\SOFTWARE\Microsoft\Ole
    EnableDCOM = N
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    CheckedValue = 0x00000001
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 0x00000002
HKLM\SOFTWARE\Policies\Microsoft\MRT
    DontReportInfectionInformation = 0x00000001
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
    DisableConfig = 0x00000001
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
    Trace Level = <no value>
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    ctfmon.exe = ctfmon.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
    ctfmon.exe = ctfmon.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PropSummary
    Advanced = 0x00000000
W32/AutoRun-AVL may delete files in the Windows system folder with extensions of SCR and COM and may modify the HOSTS file located at <System>\drivers\etc\hosts.
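A defender-side check, added here as an example and not part of the Sophos analysis: it parses a constructed .reg export (the text format produced by `reg export`) and reports which of the registry indicators listed above are present with the listed data. The sample export, the INDICATORS subset and the function names are assumptions made for this example.

```python
import re

# Constructed sample .reg export (not from the analysis page): two listed
# indicators are present, DisableConfig is 0 (benign) and must not be reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="wmispm.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# (key, value name, data) triples taken from the analysis above (a subset).
INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe",
     "Debugger", "wmispm.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal", "ctfmon.exe", "ctfmon.exe"),
]

def parse_reg(text):
    """Map (key, value name) -> data from .reg text; dword values become ints."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:  # new key: shorten the hive name to the HKLM/HKCU form used above
            hive, _, rest = m.group(1).partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
            continue
        m = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if m and key:
            name, string_data, dword_data = m.groups()
            entries[(key.lower(), name.lower())] = (
                string_data if dword_data is None else int(dword_data, 16))
    return entries

def find_indicators(entries):
    """Return the indicator lines whose key, value name and data all match."""
    hits = []
    for key, name, expected in INDICATORS:
        data = entries.get((key.lower(), name.lower()))
        if data is not None and str(data).lower() == str(expected).lower():
            hits.append(f"{key}\\{name} = {data}")
    return hits
```

`find_indicators(parse_reg(SAMPLE_REG))` returns the IFEO Debugger and wscsvc Start entries and nothing for DisableConfig; feeding `parse_reg` the text of a real export checks a live system offline.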

