Worm:Win32/Autorun.WZ
First posted on 01 May 2019.
Source: Microsoft

Aliases:
Worm:Win32/Autorun.WZ is also known as Win32/AutoRun.VB.JT, W32/Autorun.worm!jo, Worm.Win32.Autorun.

Explanation:
Worm:Win32/Autorun.WZ is a worm that spreads via removable and network drives.

Installation
When executed, Worm:Win32/Autorun.WZ copies itself to %WINDIR%\winlogon.exe and adds the following registry modifications so that it runs at each Windows start:

Adds value: "NVIDIA Media Center Library"
With data: "%WINDIR%\winlogon.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "NVIDIA Media Center Library"
With data: "%WINDIR%\winlogon.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Note: the malware file should not be confused with the legitimate Windows file also named "winlogon.exe", which exists by default in the Windows system folder.

Spreads via...
Removable and network drives
Worm:Win32/Autorun.WZ checks the infected computer for removable drives and network shares; if found, the malware copies itself to:

<drive>\GuideInfo\autorun.exe
<drive>\GuideInfo\S-1-7-21-1439977401-7444491467-600013330-9141\autorun.exe

Worm:Win32/Autorun.WZ then writes an autorun configuration file named "autorun.inf" that points to one of the files listed above. When the removable or network drive is accessed from another computer that supports the Autorun feature, the malware is launched automatically.

Worm:Win32/Autorun.WZ may also create shortcuts with directory names that point to the malware, for example:

<drive>\GuideInfo.lnk

Payload
Downloads and executes arbitrary files
Worm:Win32/Autorun.WZ connects to a remote host in order to download and execute arbitrary files.

Analysis by Ray Roberts
Last update 01 May 2019
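The two persistence and spreading indicators in the write-up (a Run-key value launching winlogon.exe from %WINDIR% instead of System32, and an autorun.inf on a drive that launches GuideInfo\autorun.exe) are easy to check for in exported data. The following is an added example written for this page, not Microsoft's own tooling: it parses a constructed autorun.inf and a constructed list of Run-key entries offline. The Windows directory value and the sample entries are assumptions; on a live host you would take them from os.environ and from a registry export of the two Run subkeys named above.

```python
"""Detection helpers for the Worm:Win32/Autorun.WZ indicators described above.
Added example (not Microsoft's code); runs offline on constructed inputs."""
import ntpath
import re

# Indicators quoted from the write-up: Run-key value name and dropped file.
RUN_VALUE_NAME = "NVIDIA Media Center Library"
DROPPED_FILE = r"%WINDIR%\winlogon.exe"

# Assumed environment for %VAR% expansion; on a real host use os.environ.
ENV = {"WINDIR": r"C:\Windows", "SYSTEMROOT": r"C:\Windows"}


def expand_env(path, env=ENV):
    """Expand %VAR% tokens the way Windows does (variable names are case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def command_path(data):
    """Return the executable part of a command line: the quoted token if quoted,
    else the first whitespace-delimited token (unquoted paths with spaces are truncated)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def is_masquerading_winlogon(data):
    """True when a command launches winlogon.exe from anywhere other than %WINDIR%\System32.
    The genuine file lives in System32; the worm drops its copy directly in %WINDIR%."""
    full = ntpath.normpath(expand_env(command_path(data))).lower()
    if ntpath.basename(full) != "winlogon.exe":
        return False
    genuine = ntpath.normpath(ntpath.join(expand_env("%WINDIR%"), "System32", "winlogon.exe")).lower()
    return full != genuine


def suspicious_run_entries(entries):
    """entries: iterable of (subkey, value_name, data) exported from the HKCU/HKLM
    ...\CurrentVersion\Run subkeys. Returns the entries matching either indicator."""
    return [(key, name, data) for key, name, data in entries
            if name == RUN_VALUE_NAME or is_masquerading_winlogon(data)]


def parse_autorun_inf(text):
    """Minimal INI parser for autorun.inf: {lower-cased key: value} from the [autorun]
    section, skipping blank lines and ';' comments."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip().lower()] = value.strip()
    return result


# Directives that make Autorun execute a program when the drive is accessed.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def autorun_launch_target(text):
    """Return the path an autorun.inf would launch, or None if it only sets icon/label."""
    cfg = parse_autorun_inf(text)
    for key in LAUNCH_KEYS:
        if key in cfg:
            return command_path(cfg[key])
    return None


def is_suspicious_autorun(text):
    """Classify an autorun.inf: (True, reason) if it launches the GuideInfo\autorun.exe
    indicator from the write-up or any executable at all, else (False, reason)."""
    target = autorun_launch_target(text)
    if target is None:
        return False, "no launch directive"
    parts = ntpath.normpath(target).lower().split("\\")
    if "guideinfo" in parts and parts[-1] == "autorun.exe":
        return True, "GuideInfo\\autorun.exe indicator (Worm:Win32/Autorun.WZ)"
    if parts[-1].endswith(".exe"):
        return True, "autorun.inf launches an executable"
    return False, "launch target is not an executable"


# Constructed sample inputs (not captured from a real infection).
SAMPLE_AUTORUN_INF = r"""
; constructed sample
[autorun]
open=GuideInfo\autorun.exe
icon=GuideInfo\autorun.exe,0
label=My Drive
"""

SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater",
     r'"C:\Program Files\Vendor\updater.exe" /background'),                 # benign
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", RUN_VALUE_NAME, DROPPED_FILE),  # indicator
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Renamed Entry",
     r"C:\Windows\winlogon.exe"),                                            # same file, different name
]

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print("Run-key hit:", hit)
    print("autorun.inf:", is_suspicious_autorun(SAMPLE_AUTORUN_INF))
```

The path comparison rather than a bare filename match is the important design choice: the legitimate winlogon.exe must never be flagged, so the check normalises and expands the command first and only reports copies outside %WINDIR%\System32. The autorun.inf rule is written to generalise beyond this family: any removable-media autorun.inf whose launch directive names an executable is worth reviewing, with the GuideInfo path reported as the specific indicator from this write-up.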