Win32.Worm.Autoit.E
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Autoit.E is also known as Virus.Win32.AutoRun.hs, W32/Autorun.worm.g, Win32/Autoit.BB, W32/AutoRun.G!worm.
Explanation:
Malware is written using AutoIT, which is a "BASIC-like scripting language designed for automating the Windows GUI and general scripting".
Once executed:
- drops [DRIVE]:\autorun.inf on all drives, which is used to execute the malware when the drive is accessed;
- copies itself as ",.exe" on all drives;
- copies itself as ",.exe" in %windir%;
- enables AutoRun on all drives by altering the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
- tries to kill the following processes if running:
* MSConfig.exe
* regedit.exe
* taskmgr.exe
* Bkav2006.exe
- adds itself to Windows Startup under the name "HUI" by altering the following registry entry:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- modifies the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
to hide file extensions and hidden files in Explorer.
Last update 21 November 2011
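The following PowerShell script is an added example, not part of the BitDefender description above, that checks a Windows host for the indicators the description lists: the dropped autorun.inf and ",.exe" files, the "HUI" Run-key entry, the NoDriveAutoRun policy values and the Explorer view settings. The file names, registry paths and value names are taken from the page; the expected values (NoDriveAutoRun set to 0, HideFileExt set to 1, ShowSuperHidden set to 0) are assumptions about how the worm would achieve the behaviour described, not values stated on the page.

```powershell
# Added example: read-only check for the Win32.Worm.Autoit.E indicators listed above.
# Paths and value names come from the description; expected values are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files dropped at the root of every drive letter and in %windir%.
$roots = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
    ForEach-Object { $_.Root }
foreach ($root in $roots) {
    foreach ($name in 'autorun.inf', ',.exe') {
        $p = Join-Path $root $name
        # -LiteralPath so the odd file name is not treated as a wildcard pattern.
        if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
    }
}
$winCopy = Join-Path $env:windir ',.exe'
if (Test-Path -LiteralPath $winCopy) { $findings.Add("file: $winCopy") }

# 2. Persistence: a Run-key value named "HUI".
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$hui = Get-ItemProperty -Path $runKey -Name HUI -ErrorAction SilentlyContinue
if ($hui) { $findings.Add("run key: $runKey\HUI = $($hui.HUI)") }

# 3. NoDriveAutoRun is a bitmask of drive letters for which AutoRun is disabled;
#    a value of 0 disables none, i.e. AutoRun is allowed on every drive (assumed worm setting).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($k in $policyKeys) {
    $v = Get-ItemProperty -Path $k -Name NoDriveAutoRun -ErrorAction SilentlyContinue
    if ($v -and $v.NoDriveAutoRun -eq 0) {
        $findings.Add("$k\NoDriveAutoRun = 0 (AutoRun allowed on all drives)")
    }
}

# 4. Explorer view settings the worm changes so its files and extension stay hidden.
#    These are also the Windows defaults, so on their own they are only a weak indicator.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$view = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
if ($view -and $view.HideFileExt -eq 1 -and $view.ShowSuperHidden -eq 0) {
    $findings.Add("explorer: HideFileExt=1, ShowSuperHidden=0 (weak indicator, matches defaults)")
}

if ($findings.Count -eq 0) {
    'No Win32.Worm.Autoit.E indicators found.'
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and all drive roots are readable. A hit on the ",.exe" files or the "HUI" Run value is a strong indicator; the NoDriveAutoRun and Explorer view findings are corroborating evidence only, since administrators and other software set those values too.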