high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 19 August 2008 04:17:08 (GMT) |
| Last updated | 19 August 2008 23:16:23 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Autorun-HQ is a Trojan for the Windows platform.
W32/Autorun-HQ spreads to other network computers.
W32/Autorun-HQ includes functionality to access the internet and communicate with a remote server via HTTP.
When first run W32/Autorun-HQ copies itself to:
<Windows>\regsvr.exe
<System>\regsvr.exe
<System>\winhelp.exe
and creates the following files:
<System>\ijl11pro.dll
<System>\rundll.exe
<System>\setting.ini
<System>\setup.ini
<Windows>\winhelp.ini
The files autorun.if and setup.ini are detected as Troj/Agent-GXM and the files rundll.exe and aut2.tmp are detected as Mal/Behav-210.
The following registry entry is created to run regsvr.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\regsvr.exe
The following registry entries are changed to run winhelp.exe and rundll.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe rundll.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
Winhelp.exe
The following registry entry is set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0
|
