W32/Autorun-HS

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 19 Aug 2008 10:35:45 (GMT)
Last Updated: 19 Aug 2008 10:35:45 (GMT)
Prevalence: Small Number of Reports


W32/Autorun-HS is a worm for the Windows platform.

W32/Autorun-HS comprises the following files:

<System>\osDSP.exe
<System>\Dsksvc.SYS
<System>\Dskconf.msc
<System>\Shell.cat
<System>\autorun.inf
<System>\Rstd.exe
<System>\runsvr.exe
<System>\rmtdsk.dll
<System>\crv.exe
<System>\restore\osDSP.exe
<System>\restore\Dsksvc.SYS
<System>\restore\Dskconf.msc
<System>\restore\Shell.cat
<System>\restore\autorun.inf
<System>\restore\Rstd.exe
<System>\restore\runsvr.exe
<System>\restore\rmtdsk.dll
<System>\restore\crv.exe
<Temp>\bt8015.bat
<Temp>\bt6860.bat

The following files have also been seen created:

<System>\ntoskern.dll
<Windows>\usblogs0.txt
<Windows>\usblogs1.txt
<Windows>\usblogs10.txt
<Windows>\usblogs11.txt
<Windows>\usblogs12.txt
<Windows>\usblogs13.txt
<Windows>\usblogs14.txt
<Windows>\usblogs15.txt
<Windows>\usblogs16.txt
<Windows>\usblogs17.txt
<Windows>\usblogs18.txt
<Windows>\usblogs19.txt
<Windows>\usblogs2.txt
<Windows>\usblogs20.txt
<Windows>\usblogs21.txt
<Windows>\usblogs22.txt
<Windows>\usblogs3.txt
<Windows>\usblogs4.txt
<Windows>\usblogs5.txt
<Windows>\usblogs6.txt
<Windows>\usblogs7.txt
<Windows>\usblogs8.txt
<Windows>\usblogs9.txt

These files are not malicious on their own and can be safely deleted.

The following registry entries are set:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
USB drivers
<System>\crv.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\Rstd.exe

The following registry entries are changed:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\Medium access
HKLM\SYSTEM\CurrentControlSet\Services\AVP\Security
HKLM\SYSTEM\CurrentControlSet\Services\AVP\Enum
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
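The following triage script is an added example, not part of the Sophos write-up and not Sophos's own tool. It checks a suspect host for the dropped files listed above, the "USB drivers" value under the Run key, any entry appended to Winlogon\Userinit, and dumps the keys the write-up reports as changed so an analyst can review them by hand (the write-up does not say which values the worm sets, so nothing is assumed about them). The expansion of the <System>, <Windows> and <Temp> placeholders and the bt<digits>.bat pattern for the batch files are assumptions. The script only reads and reports; it deletes nothing.

```powershell
# Added triage script (not part of the Sophos write-up). Read-only: nothing is
# deleted or changed. Run from an elevated PowerShell prompt.
# Placeholder expansion is an assumption: <System> = system32, <Windows> = the
# Windows directory, <Temp> = the temp directory of the current user.
$System  = [Environment]::GetFolderPath('System')      # e.g. C:\Windows\system32
$Windows = $env:SystemRoot                             # e.g. C:\Windows
$Temp    = [IO.Path]::GetTempPath().TrimEnd('\')       # current user's temp

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped components, both in <System> and in the <System>\restore copy.
$dropped = 'osDSP.exe','Dsksvc.SYS','Dskconf.msc','Shell.cat','autorun.inf',
           'Rstd.exe','runsvr.exe','rmtdsk.dll','crv.exe'
foreach ($dir in @($System, (Join-Path $System 'restore'))) {
    foreach ($name in $dropped) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { $findings.Add("file: $path") }
    }
}
$ntoskern = Join-Path $System 'ntoskern.dll'
if (Test-Path -LiteralPath $ntoskern) { $findings.Add("file: $ntoskern") }

# 2. Secondary artifacts. The two observed batch names (bt8015.bat, bt6860.bat)
#    look generated, so bt<digits>.bat is matched as a pattern (assumption).
Get-ChildItem -LiteralPath $Temp -Filter 'bt*.bat' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^bt\d+\.bat$' } |
    ForEach-Object { $findings.Add("batch: $($_.FullName)") }
Get-ChildItem -LiteralPath $Windows -Filter 'usblogs*.txt' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("log: $($_.FullName)") }

# 3. Persistence: the "USB drivers" value under the machine-wide Run key.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['USB drivers']) {
    $findings.Add("run key: 'USB drivers' = $($run.'USB drivers')")
}

# 4. Persistence: Winlogon\Userinit. The only legitimate entry is
#    <System>\userinit.exe (the value normally ends with a trailing comma);
#    every additional comma-separated entry is executed at each interactive
#    logon, so anything that is not userinit.exe is flagged, not just Rstd.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    $entries = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($entry in $entries) {
        if ($entry -notmatch '(^|\\)userinit\.exe$') {
            $findings.Add("userinit hijack: $entry")
        }
    }
}

# 5. Keys the write-up reports as changed without naming the values. They are
#    dumped for manual review rather than guessing what the worm set. The
#    Services\*\Security subkeys may not be readable even when elevated.
$changed = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server',
           'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters',
           'HKLM:\SYSTEM\CurrentControlSet\Services\Medium access',
           'HKLM:\SYSTEM\CurrentControlSet\Services\AVP\Security',
           'HKLM:\SYSTEM\CurrentControlSet\Services\AVP\Enum',
           'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares'
foreach ($key in $changed) {
    if (Test-Path -LiteralPath $key -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Select-Object -Property * -ExcludeProperty PS*
        $findings.Add(("review: $key`n" + ($props | Out-String -Width 200)).TrimEnd())
    }
}

if ($findings.Count -gt 0) { $findings } else { 'no W32/Autorun-HS indicators found' }
```

Two caveats when reading the output. <Temp> is resolved for the account running the script; the batch files land in the temp directory of whichever account the worm ran under, so check the other profiles on the machine as well. After cleanup, the Userinit value should read only <System>\userinit.exe followed by a comma; removing the whole value, or leaving it empty, prevents interactive logon.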