W32/AutoRun-NZ

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Removable storage devices Email attachments
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	10 November 2008 05:44:28 (GMT)
Last updated	11 November 2008 20:29:07 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/AutoRun-NZ is a worm for the Windows platform.

When run W32/AutoRun-NZ copies itself to
<System>\vmmon.exe
<System>\wsntfy.exe

and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\\userinit.exe,<System>\vmmon.exe,

HKCU\Software\Microsoft\Windows NT\CurrentVersion
(default)
<random characters>

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Microsoft Enterprise Manager
<System>\vmmon.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F3Q02IS2-6ANW-8U8F-8M0X-84FTUA1U75PS}
StubPath
<System>\vmmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Querant
<System>\wsntfy.exe

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\wsntfy.exe
<System>\wsntfy.exe:*:Enabled:Explorer

W32/AutoRun-NZ spreads via removable shared drives by copying itself to <Root>\Recycler\<UserId>\volume.exe and creates the file <Root>\autorun.inf (detected as W32/HostInf-A).

W32/AutoRun-NZ also spreads via emailing itself as a zip attachment.

Subject lines include:

You've recieved A Hallmark E-Card!
miss Indonesian
Cek This
hello
xxx
Japannes Porn

With the following Message bodies:

"You have recieved A Hallmark E-Card.

You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy."

"Hot ..."

"please read again what i have written to you"

"Fucking With Me :D"

"hey Indonesian porn
Agnes Monica pic's"

File attachments have the names:
file <random number>.zip
nadine <random number>.zip
Miyabi <random number>.zip
hell <random number>.zip
Need you <random number>.zip
doc <random number>.zip
this file <random number>.zip
video <random number>.zip
postcard.zip

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/AutoRun-NZ

Summary

Action

More Information