high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 23 November 2007 13:34:31 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Autorun-L is a worm for the Windows platform.
W32/Autorun-L may attempt to spread by copying itself to removable drives and creating an autorun.inf file to enable the worm copy to be run.
W32/Autorun-L also spreads to other network computers.
When first run W32/Autorun-L copies itself to:
<Startup>\defaults.pif
<Windows>\Debug\explorer.exe
<Windows>\Installer\winlogon.exe
<System>\dllcache\lsass.exe
<System>\dllcache\userinit.exe
It creates the following files:
<Root>\kib.htm
<Windows>\SoftWareProtector\Error_out.pr
<Windows>\sys.inf
W32/Autorun-L also attempts to disable security related applications.
When first run W32/Autorun-L creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
kb
C:\WINDOWS\System32\drivers\AUTO.TXT
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo
C:\WINDOWS\System32\dllcache\saql55ekmp66wlpannqoooopcv\kib.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
Show_StatusBar
no
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Debugger
C:\WINDOWS\System32\sol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger
C:\WINDOWS\System32\spider.exe
Registry entries are modified under:
HKCR\Folder\shell\Kibaki
&Emilio Mwai Kibaki
HKCR\Folder\shell\Kibaki\command
C:\WINDOWS\System32\dllcache\userinit.exe
HKCR\lnkfile\shell\open\command
HKCR\exefile
File Folder
|
