W32/Autorun-ZI

Category: Viruses and Spyware
Protection available since: 24 Feb 2009 15:37:40 (GMT)
Type: Win32 worm
Last Updated: 24 Feb 2009 15:37:40 (GMT)
Prevalence: Small Number of Reports


W32/Autorun-ZI is a worm for the Windows platform.

W32/Autorun-ZI spreads through removable storage drives.

W32/Autorun-ZI copies itself to the Windows folder.

When W32/Autorun-ZI is installed, the following file is created:

<Windows>\system.bat

The file system.bat can be safely deleted.

The following registry entry is changed to run iph.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,iph.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Command Processor
autorun
<Windows>\system.bat

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0x00000002

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0x00000000

Registry entries are created under:

HKCU\Software\BLACKSUN
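
The registry changes listed above can be checked for in saved `reg query` output. The following is an added example, not code from the original page or from Sophos; it assumes the output of `reg query` for the four keys has been collected into one text, uses C:\Windows as a stand-in for <Windows>, and goes slightly beyond the write-up by flagging any extra program in Userinit, not only iph.exe.

```python
import re

# Keys as `reg query` prints them (lower-cased); values come from the write-up above.
HKCU = "hkey_current_user\\software\\"
WINLOGON = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"
ADVANCED = HKCU + "microsoft\\windows\\currentversion\\explorer\\advanced"

def parse_reg_query(text):
    """Parse `reg query` output into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and line.startswith("    "):
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # name, type, data
                current[parts[0].lower()] = parts[2]
    return keys

def check(keys):
    """Return (confidence, message) findings for the changes listed above."""
    get = lambda key, name: keys.get(key, {}).get(name, "")
    found = []
    extras = [p.strip() for p in get(WINLOGON, "userinit").split(",")
              if p.strip() and p.strip().lower().rsplit("\\", 1)[-1] != "userinit.exe"]
    if extras:
        found.append(("high", "Userinit also runs: " + ", ".join(extras)))
    autorun = get(HKCU + "microsoft\\command processor", "autorun")
    if autorun.lower().endswith("\\system.bat"):
        found.append(("high", "Command Processor autorun: " + autorun))
    if any(k.startswith(HKCU + "blacksun") for k in keys):
        found.append(("high", "HKCU\\Software\\BLACKSUN exists"))
    # These three only hide files and extensions, so they are weak on their own.
    for name, bad in (("hidden", 2), ("hidefileext", 1), ("showsuperhidden", 0)):
        data = get(ADVANCED, name)
        if data and int(data, 16) == bad:
            found.append(("low", f"Explorer {name} = {bad}"))
    return found

# Constructed sample output; C:\Windows is a placeholder for <Windows>.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    userinit.exe,iph.exe
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    autorun    REG_SZ    C:\Windows\system.bat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden    REG_DWORD    0x2
    HideFileExt    REG_DWORD    0x1
    ShowSuperHidden    REG_DWORD    0x0
HKEY_CURRENT_USER\Software\BLACKSUN"""
print(*check(parse_reg_query(SAMPLE)), sep="\n")
```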