W32/Autorun-ZI is a worm for the Windows platform.
W32/Autorun-ZI spreads through removable storage drives.
W32/Autorun-ZI copies itself to the Windows folder.
When W32/Autorun-ZI is installed, the following file is created:
<Windows>\system.bat
The file system.bat can be safely deleted.
The following registry entry is changed to run iph.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,iph.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\Command Processor
autorun
<Windows>\system.bat

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0x00000000

Registry entries are created under:
HKCU\Software\BLACKSUN