
Worm:W32/AutoRun.NOI


First posted on 20 October 2008.
Source: SecurityHome

Aliases :

There are no other names known for Worm:W32/AutoRun.NOI.

Explanation :

AutoRun worm.

Worm.Win32.AutoRun.noi creates a copy of itself as the following:

  • C:\Program Files\Microsoft Common\wuauclt.exe

It creates the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"

Note: The key is created so that the worm's copy is executed automatically whenever explorer.exe is launched.

It also drops two files into the root of available removable drives:

  • autorun.inf
  • system.exe

It then injects code into explorer.exe.

The autorun.inf file launches system.exe and contains the following strings:

  • [autorun]
    open=system.exe
    shellexecute=system.exe
    shell\Explore\command=system.exe
    shell\Open\command=system.exe
    shell=Explore
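
A defender-side check for the autorun.inf layout listed above, as an added example that is not part of the original write-up: it parses an autorun.inf and reports the keys that would start an executable from the drive. The function names and the sample text (rebuilt from the listing above) are assumptions of this example.

```python
import re

# Keys in [autorun] that make Windows start a program from the drive.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\b", re.I)

# Constructed sample: the autorun.inf layout from the listing above.
SAMPLE_AUTORUN = r"""[autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
"""

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List (key, value) findings worth an analyst's attention."""
    entries = parse_autorun(text)
    findings = [(k, v) for k, v in entries.items()
                if LAUNCH_KEYS.match(k) and EXECUTABLE.search(v)]
    # shell=<verb> changes the default double-click action; flag it when
    # that verb has its own command line defined in the same file.
    verb = entries.get("shell")
    if verb and "shell\\" + verb.lower() + "\\command" in entries:
        findings.append(("shell", verb))
    return findings

if __name__ == "__main__":
    for key, value in audit_autorun(SAMPLE_AUTORUN):
        print(f"suspicious: {key} -> {value}")
```
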

Worm.Win32.AutoRun.noi attempts to retrieve information from:

  • http://druzg.ru/[...].php?v=1&rs=13441600&n=1&uid=1
  • http://drizg.ru/[...].php?v=1&rs=13441600&n=1&uid=1

The worm uses rootkit stealth techniques to hide its presence on the infected machine, including deleting its own installation file once the installation has been completed.

Last update 20 October 2008

 
