Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | May 2008 (4.29) |
| Protection available since | 27 March 2008 16:37:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/AutoRun-CM is a worm for the Windows platform.
W32/AutoRun-CM includes functionality to access the internet and communicate with a remote server via HTTP.
W32/AutoRun-CM may attempt to spread by copying itself to removable drives and creating an autorun.inf file to enable the worm copy to be run.
When first run, W32/AutoRun-CM copies itself to:
<Root>\auto.exe
<System>\<random 8 char alphanumeric string>.exe
and creates the following files:
<Root>\autorun.inf
<System>\<different 8 char string>.dll
<System>\del.bat
The file autorun.inf is detected as W32/SillyFD-G and the dll file is detected as Mal/Behav-024. The file del.bat deletes the original executable and can be safely deleted.
The copy dropped to <System> is registered as a new service. In this example the service name and display name are both "220E4C68", but this is another random 8 character string that will change each time. Registry entries are created under:
HKCU\SYSTEM\CurrentControlSet\Services\220E4C68
Registry entries are also created under:
HKLM\SYSTEM\CurrentControlSet\Services\220E4C68
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
The following registry entry is also set:
HKLM\SOFTWARE\Microsoft\Windows NT
ReportBootOk
1
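
A triage check built from the artefacts listed above, as an added example that is not Sophos code. The function name `triage`, the input shapes, the default system directory and the sample data are assumptions made for illustration, and the sample data is constructed.

```python
import ntpath
import re

RAND8 = re.compile(r"[0-9A-Za-z]{8}")  # "random 8 char alphanumeric string"
SHOWALL = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue")

def triage(files, services, registry, system_dir=r"C:\Windows\System32"):
    """Match collected host data against the artefacts listed in the description."""
    findings = []
    paths = {f.lower() for f in files}
    sysdir = system_dir.lower()
    # <Root>\auto.exe next to <Root>\autorun.inf on the same drive
    for p in sorted(paths):
        drive, tail = ntpath.splitdrive(p)
        if tail == r"\auto.exe" and drive + r"\autorun.inf" in paths:
            findings.append(f"auto.exe and autorun.inf in root of {drive}")
    # <System>\del.bat, the script that deletes the original executable
    if ntpath.join(sysdir, "del.bat") in paths:
        findings.append("del.bat in system directory")
    # Service whose name and display name are the same 8-character string
    # and whose binary is <System>\<8 chars>.exe
    for svc in services:
        folder, exe = ntpath.split(svc["image_path"].lower())
        stem, ext = ntpath.splitext(exe)
        if (RAND8.fullmatch(svc["name"]) and svc["name"] == svc["display_name"]
                and folder == sysdir and ext == ".exe" and RAND8.fullmatch(stem)):
            findings.append(f"service {svc['name']} -> {exe}")
    # CheckedValue under ...\Hidden\SHOWALL set to 0
    if registry.get(SHOWALL) == 0:
        findings.append("SHOWALL CheckedValue is 0")
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_FILES = [r"E:\auto.exe", r"E:\autorun.inf",
                r"C:\Windows\System32\del.bat",
                r"C:\Windows\System32\k3j9x0aq.exe"]
SAMPLE_SERVICES = [
    {"name": "220E4C68", "display_name": "220E4C68",
     "image_path": r"C:\Windows\System32\k3j9x0aq.exe"},
    {"name": "Netlogon", "display_name": "Netlogon",
     "image_path": r"C:\Windows\System32\lsass.exe"},
]
SAMPLE_REGISTRY = {SHOWALL: 0}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_REGISTRY):
        print(finding)
```

Each check is a heuristic drawn from the description, so a single hit is a prompt to scan the host rather than a verdict.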
