W32/Autorun-ZI

    Category: Viruses and SpywareProtection available since:24 Feb 2009 15:37:40 (GMT)
    Type: Win32 wormLast Updated:24 Feb 2009 15:37:40 (GMT)
    Prevalence: Small Number of Reports

    Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

    W32/Autorun-ZI is a worm for the Windows platform.

    W32/Autorun-ZI spreads through removable storage drives.

    W32/Autorun-ZI copies itself to Windows folder.

    When W32/Autorun-ZI is installed the following file is created:

    <Windows>\system.bat

    The file system.bat can be safely deleted.

    The following registry entry is changed to run iph.exe on startup:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    userinit.exe,iph.exe

    Registry entries are set as follows:

    HKCU\Software\Microsoft\Command Processor
    autorun
    <Windows>\system.bat

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0x00000002

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt
    0x00000001

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden
    0x00000000

    Registry entries are created under:

    HKCU\Software\BLACKSUN

    Download Sophos HomeDownload
    Sophos Home

    Free business-grade security for the home.

    Endpoint Protection