<body>
Computer security

W32/Autorun.worm.n Malware Virus

Overview -

W32/Autorun.worm.n infects available drives and downloads additional malware to further infect the system.

Characteristics -

W32/Autorun.worm.n adds the following registry key so that its own executable runs whenever any program on the list below is launched:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%APP%\Debugger

%APP% is one of the following applications:

* 360rpt.exe
* 360Safe.exe
* 360tray.exe
* adam.exe
* AgentSvr.exe
* AppSvc32.exe
* autoruns.exe
* avgrssvc.exe
* AvMonitor.exe
* avp.com
* avp.exe
* CCenter.exe
* ccSvcHst.exe
* FileDsty.exe
* FTCleanerShell.exe
* HijackThis.exe
* IceSword.exe
* iparmo.exe
* Iparmor.exe
* isPwdSvc.exe
* kabaload.exe
* KaScrScn.SCR
* KASMain.exe
* KASTask.exe
* KAV32.exe
* KAVDX.exe
* KAVPFW.exe
* KAVSetup.exe
* KAVStart.exe
* KISLnchr.exe
* KMailMon.exe
* KMFilter.exe
* KPFW32.exe
* KPFW32X.exe
* KPFWSvc.exe
* KRegEx.exe
* KRepair.COM
* KsLoader.exe
* KVCenter.kxp
* KvDetect.exe
* KvfwMcl.exe
* KVMonXP.kxp
* KVMonXP_1.kxp
* kvol.exe
* kvolself.exe
* KvReport.kxp
* KVSrvXP.exe
* KVStub.kxp
* kvupload.exe
* kvwsc.exe
* KvXP.kxp
* KWatch.exe
* KWatch9x.exe
* KWatchX.exe
* loaddll.exe
* MagicSet.exe
* mcconsol.exe
* mmqczj.exe
* mmsk.exe
* NAVSetup.exe
* nod32krn.exe
* nod32kui.exe
* PFW.exe
* PFWLiveUpdate.exe
* QHSET.exe
* Ras.exe
* Rav.exe
* RavMon.exe
* RavMonD.exe
* RavStub.exe
* RavTask.exe
* RegClean.exe
* rfwcfg.exe
* RfwMain.exe
* rfwProxy.exe
* rfwsrv.exe
* RsAgent.exe
* Rsaupd.exe
* runiep.exe
* safelive.exe
* scan32.exe
* shcfg32.exe
* SmartUp.exe
* SREng.exe
* symlcsvc.exe
* SysSafe.exe
* TrojanDetector.exe
* Trojanwall.exe
* TrojDie.kxp
* UIHost.exe
* UmxAgent.exe
* UmxAttachment.exe
* UmxCfg.exe
* UmxFwHlp.exe
* UmxPol.exe
* UpLive.EXE
* WoptiClean.exe
* zxsweep.exe
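
The key above works through the Image File Execution Options (IFEO) Debugger value: when Windows starts an executable that has an IFEO subkey with a Debugger string, it launches the program named in that string instead, handing it the original program as an argument, which is why one value per application is enough for the worm to run in place of each security tool. Below is an added detection example, written for this page and not taken from the original post or from any vendor tool: it parses a text registry export (the format produced by `reg export`) and lists every IFEO subkey that carries a Debugger value, marking those that match the application list above. The registry export content is constructed for the example, and the application names are a subset of the list.

```python
import re

# Constructed sample of a Windows registry export (`reg export` output) for the
# IFEO key. The notepad.exe entry is a benign example with no Debugger value;
# snowfall.exe mirrors the file name the post lists under %SYSTEMDIR%.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\snowfall.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\WINDOWS\\system32\\snowfall.exe"
"""

# Subset of the application names from the post, lower-cased for matching.
TARGETED_APPS = {name.lower() for name in (
    "360rpt.exe", "360Safe.exe", "360tray.exe", "autoruns.exe", "avp.exe",
    "HijackThis.exe", "IceSword.exe", "KAV32.exe", "nod32krn.exe", "RavMon.exe",
    "scan32.exe", "SREng.exe", "WoptiClean.exe",
)}

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    Only the quoted "name"="string" form is handled; Debugger is always that form."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            # .reg exports escape quotes and backslashes inside string data
            data = data.replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_ifeo_debuggers(text):
    """Return [(app_name, debugger_path, targeted)] for every direct IFEO subkey
    carrying a Debugger value; targeted is True when the app is on the post's list."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue  # the parent key itself and unrelated keys
        app = key[len(IFEO_PREFIX):]
        if not app or "\\" in app:
            continue  # nested subkeys are not per-application entries
        debugger = values.get("Debugger")
        if debugger:
            hits.append((app, debugger, app.lower() in TARGETED_APPS))
    return hits


if __name__ == "__main__":
    for app, debugger, targeted in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        flag = "LISTED" if targeted else "other"
        print(f"{app}: Debugger={debugger} [{flag}]")
```

Any Debugger value under IFEO deserves a look, not only the listed names: legitimate uses of this value are rare on a workstation (debugger installs and a few compatibility shims), so the `targeted` flag only ranks findings, it does not dismiss the unlisted ones.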

The following files are added:

* %SYSTEMDIR%\1.inf
* %SYSTEMDIR%\forget.dll
* %SYSTEMDIR%\snowfall.exe
* %DRIVE%\autorun.inf
* %DRIVE%\snow.exe

W32/Autorun.worm.n will execute the following command to disable the Windows Firewall:

* cmd.exe /c net stop sharedaccess

It will start %SYSTEMDIR%\spoolsv.exe and inject forget.dll into this process. This will cause spoolsv.exe to attempt to access the network to download the following files:

* http://aa.tygzs.cn/[removed]/qcb.exe
* http://aa.tygzs.cn/[removed]/hs.exe
* http://aa.tygzs.cn/[removed]/26.exe

At the point of writing, the domain and files are not available.
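
Added example, not part of the original post: a triage pass over network-connection events that flags the two things the description above implies, any process reaching the domain named in the download URLs, and spoolsv.exe (the print spooler, which has no reason to fetch files over HTTP) making an outbound web connection to a non-internal host. The Sysmon-style event lines, their key=value layout and the `.corp.local` internal suffix are constructed assumptions for the example; the hostname is the one from the post.

```python
import re

# Constructed Sysmon-style events (EventID 3 = network connection) in a
# key=value layout assumed for this example.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\WINDOWS\\system32\\spoolsv.exe DestinationHostname=aa.tygzs.cn DestinationPort=80",
    "EventID=3 Image=C:\\WINDOWS\\system32\\spoolsv.exe DestinationHostname=printserver.corp.local DestinationPort=445",
    "EventID=3 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe DestinationHostname=aa.tygzs.cn DestinationPort=80",
    "EventID=3 Image=C:\\Program Files\\Internet Explorer\\iexplore.exe DestinationHostname=www.example.com DestinationPort=443",
    "EventID=1 Image=C:\\WINDOWS\\system32\\spoolsv.exe CommandLine=spoolsv.exe",
]

IOC_HOSTS = {"aa.tygzs.cn"}           # domain named in the post
INTERNAL_SUFFIXES = (".corp.local",)  # assumed internal DNS suffix
WEB_PORTS = {"80", "443"}

# Lazy value match that stops at the next " key=" so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split a key=value event line into a dict; values may contain spaces."""
    return dict(FIELD_RE.findall(line))


def triage_event(line):
    """Return the list of reasons this event deserves attention (empty if none)."""
    ev = parse_event(line)
    reasons = []
    if ev.get("EventID") != "3":
        return reasons  # only network-connection events are examined
    image = ev.get("Image", "").lower()
    host = ev.get("DestinationHostname", "").lower()
    port = ev.get("DestinationPort", "")
    if host in IOC_HOSTS:
        reasons.append("destination is a domain named in the worm description")
    if (image.endswith("\\spoolsv.exe") and port in WEB_PORTS
            and not host.endswith(INTERNAL_SUFFIXES)):
        reasons.append("print spooler making an outbound web connection")
    return reasons


def triage_events(lines):
    """Return [(index, reasons)] for every event that raised at least one reason."""
    results = []
    for i, line in enumerate(lines):
        reasons = triage_event(line)
        if reasons:
            results.append((i, reasons))
    return results


if __name__ == "__main__":
    for i, reasons in triage_events(SAMPLE_EVENTS):
        print(f"event {i}: {'; '.join(reasons)}")
```

The second rule is the durable one: the download domain is dead at the time of writing and will change between variants, but a system process that suddenly behaves like a browser is the symptom of the DLL injection itself.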

(where %SYSTEMDIR% is the Windows system directory, e.g. C:\WINDOWS\system32, and %DRIVE% is the drive letter, e.g. C:)

Symptoms -

* Presence of previously mentioned files.
* Presence of previously mentioned registry keys.
* Presence of unexpected network connections to previously mentioned URLs.

Method of Infection -

W32/Autorun.worm.n infects any available drives by placing itself and an autorun.inf file on the drive.
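
Added example (not from the original post): a small parser for the autorun.inf the worm writes to each drive root, which extracts every executable the file would launch (open=, shellexecute= and shell\<verb>\command= entries) and reports whether those executables actually sit on the drive. The two autorun.inf samples and the root directory listing are constructed; snow.exe is the name from the file list above.

```python
# Constructed autorun.inf in the shape an Autorun worm drops at a drive root.
SAMPLE_WORM_INF = """[autorun]
open=snow.exe
shellexecute=snow.exe
shell\\open\\Command=snow.exe /s
shell\\explore\\Command="snow.exe"
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign autorun.inf that only sets a label and an icon.
SAMPLE_BENIGN_INF = """[autorun]
; vendor-supplied icon
label=Backup Drive
icon=setup.ico
"""

# Constructed directory listing of the infected drive root.
SAMPLE_DRIVE_ROOT = {"autorun.inf", "snow.exe", "Documents", "photos.zip"}

LAUNCH_DIRECTIVES = {"open", "shellexecute"}


def parse_autorun_inf(text):
    """Return the key/value pairs of the [autorun] section with keys lower-cased.
    A hand-rolled parser is used because worm-written files are rarely clean INI."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """Return the sorted set of executables the file would run on insertion or via
    the Explorer context-menu verbs: open=, shellexecute= and shell\\<verb>\\command=."""
    targets = set()
    for key, value in parse_autorun_inf(text).items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_DIRECTIVES or is_verb_command:
            # drop surrounding quotes and any arguments: '"snow.exe" /s' -> snow.exe
            exe = value.strip('"').split()[0].strip('"') if value else ""
            if exe:
                targets.add(exe.lower())
    return sorted(targets)


def assess_drive(inf_text, root_listing):
    """Return the launch targets that exist as files at the drive root. A non-empty
    result means the drive carries both the launcher and the thing it launches."""
    present = {name.lower() for name in root_listing}
    return [t for t in launch_targets(inf_text) if t in present]


if __name__ == "__main__":
    print("worm sample launches:", assess_drive(SAMPLE_WORM_INF, SAMPLE_DRIVE_ROOT))
    print("benign sample launches:", assess_drive(SAMPLE_BENIGN_INF, SAMPLE_DRIVE_ROOT))
```

The shell\<verb>\command entries matter as much as open=: even where AutoPlay is disabled, they replace what Explorer does when a user double-clicks the drive or picks Open or Explore from its context menu, so a scan that only reads open= misses part of the mechanism.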
Removal -

AVERT recommends always using the latest DATs and engine; this threat will be cleaned with that combination.
