Home / malware Worm.Autorun.WHG
First posted on 21 November 2011.
Source: BitDefenderAliases :
Worm.Autorun.WHG is also known as Trojan.Autorun.AET.
Explanation :
Autorun (or autoplay) is a feature of Microsoft Windows Operating systems that dictates what action will be taken
when a new drive is mounted or accesed. The structure of an autorun file usually includes information like the program
that will be executed when the drive is mounted, accesed, etc. Autorun.inf will always be located inside the root
directory of the medium, and whether the operating system will interpret it or not depends on some special registry keys:
HKEY_LOCAL_MACHINESofwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDriveTypeAutoRun
HKEY_CURRENT_USERSofwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDriveTypeAutoRun
HKEY_LOCAL_MACHINESofwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDriveAutoRun
HKEY_CURRENT_USERSofwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDriveAutoRun
More information about how autorun works can be found here.
This particular malware comes very obfuscated, containing large amounts of garbage, in order to make detection difficult.
Its true purpose is however revealed by the following line:
shelLExECUte=RuNdLl32.EXE .RECYCLERS-5-3-42-2819952290-8240758988-879315005-3665jwgkvsq.vmx,ahaezedrn
This means that whenever the drive is accesed, rundll32.exe (a system program) will load
RECYCLERS-5-3-42-2819952290-8240758988-879315005-3665jwgkvsq.vmx (a dll) and call exported function ahaezedrn.
This dll file is actually Win32.Worm.Downadup. Further information about Downadup (alias Kido or Conficker) can be found here.Last update 21 November 2011