W32/Autorun-DH

Please follow the instructions for removing worms.

W32/Autorun-DH is a worm for the Windows platform.

W32/Autorun-DH spreads via removable drives by creating the file autorun.inf that is designed to run the worm when the drive is connected to an uninfected computer.

When first run W32/Autorun-DH copies itself to:

<Root>\Mixa_I.exe
<Windows>\Mixa.exe
<System>\systemio.exe

and creates the following files:

<Root>\Autorun.inf
<User>\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.lrd
<System>\restart.scf

The files Autorun.inf and restart.scf are detected as W32/Autorun-DH. The lrd file is a data file.

The following registry entry is created to run Mixa.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Virus
<Windows>\Mixa.exe

The following registry entry is changed to run systemio.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\systemio.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ServerAdminUI
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
TaskbarGlomming
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ListviewAlphaSelect
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ListviewShadow
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ListviewWatermark
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowCompColor
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
TaskbarAnimations
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
WebView
1