Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | July 2008 (4.31) |
| Protection available since | 14 May 2008 04:23:39 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/AutoRun-DY is a worm for the Windows platform.
When first run, W32/AutoRun-DY copies itself to <System>\kxvo.exe and creates the following files:
<Temp>\uci.dll - detected as W32/AutoRun-DY
<System>\fool0.dll - detected as W32/AutoRun-DY
<System>\ieso0.dll - detected as W32/AutoRun-DY
The file fool0.dll is also detected as Mal/EncPk-CE and the file ieso0.dll is also detected as Mal/Behav-204.
The following registry entry is created to run kxvo.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
kxva
<System>\kxvo.exe
The file ieso0.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKCR\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
The following registry entries are set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0

HKCR\IEHlprObj.IEHlprObj.1\CLSID
(default)
{CE7C3CF0-4B15-11D1-ABED-709549C10000}
Registry entries are created under:
HKCR\IEHlprObj.IEHlprObj
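
A triage check for the registry indicators listed above, as an added example that is not Sophos's code: it parses the text of a `reg export` dump and reports which of this page's keys and values are present. The names `parse_reg`, `scan` and `IOCS` and the sample dump are constructed for illustration, and the input is assumed to be already decoded to text (`reg export` writes UTF-16).

```python
import re

CLSID = "{CE7C3CF0-4B15-11D1-ABED-709549C10000}"
CV = r"\Microsoft\Windows\CurrentVersion"
ADV = r"HKEY_CURRENT_USER\Software" + CV + r"\Explorer\Advanced"
LM = r"HKEY_LOCAL_MACHINE\SOFTWARE" + CV + r"\Explorer"
# (category, key, value name or None for "key exists", regex for the data)
IOCS = [
    ("persistence", r"HKEY_CURRENT_USER\Software" + CV + r"\Run", "kxva", r".*\\kxvo\.exe"),
    ("persistence", LM + r"\Browser Helper Objects" + "\\" + CLSID, None, None),
    ("persistence", "HKEY_CLASSES_ROOT\\CLSID\\" + CLSID, None, None),
    ("persistence", r"HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID", "@", re.escape(CLSID)),
    # Explorer settings that hide files; a clean machine can match these too.
    ("hiding", ADV, "Hidden", "dword:00000002"),
    ("hiding", ADV, "ShowSuperHidden", "dword:00000000"),
    ("hiding", LM + r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", "dword:00000000"),
]
# Constructed sample in `reg export` text form (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kxva"="C:\\WINDOWS\\system32\\kxvo.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}]
@="sample"
'''

def parse_reg(text):
    """Decoded `reg export` text -> {key.lower(): {value_name.lower(): data}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'(@|".*?")=(.*)$', line)):
            name, data = m.group(1).strip('"'), m.group(2)
            if data.startswith('"'):  # REG_SZ: drop quotes, undo \\ and \" escapes
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            cur[name.lower()] = data
    return keys

def scan(text):
    reg, hits = parse_reg(text), {"persistence": [], "hiding": []}
    for cat, key, name, pattern in IOCS:
        values = reg.get(key.lower())
        if values is None:
            continue
        data = values.get(name.lower()) if name else ""
        if name is None or (data is not None and re.fullmatch(pattern, data, re.I)):
            hits[cat].append(key + ("\\" + name if name else ""))
    return hits
```

Treat a "hiding" hit on its own as corroborating only; the "persistence" entries are the ones tied to kxvo.exe and the BHO registration described above.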
Sophos's anti-virus products include Behavioral Genotype Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against W32/AutoRun-DY (detected as Mal/Behav-204) since version 4.29.
