Worm:W32/AutoRun.NOI
First posted on 20 October 2008.
Source: SecurityHome
Aliases :
There are no other names known for Worm:W32/AutoRun.NOI.
Explanation :
AutoRun worm.
Worm.Win32.AutoRun.noi creates a copy of itself as the following:
- C:\Program Files\Microsoft Common\wuauclt.exe
It creates the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"
Note: The key is created so that the worm's copy is executed automatically whenever explorer.exe is launched.
It also drops two files into the root of available removable drives:
- autorun.inf
- system.exe
It then injects code into explorer.exe.
The autorun.inf file is set up to launch system.exe and contains the following strings:
- [autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
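The following is an added example, not part of the original description: a small Python triage routine that parses an autorun.inf taken from a removable drive and reports the entries that would start a program, using the strings listed above as constructed sample input. The function names are hypothetical, and the extension list is an assumption chosen for illustration.

```python
# Added example: triage an autorun.inf found in the root of a removable drive.
import re

# Keys in the [autorun] section that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Assumed list of extensions treated as executable or script content.
EXECUTABLE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js)\b", re.I)

# Constructed sample: the strings listed in this description.
SAMPLE = r"""[autorun]
open=system.exe
shellexecute=system.exe
shell\Explore\command=system.exe
shell\Open\command=system.exe
shell=Explore
"""

def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries

def suspicious(text):
    """Flag launch entries whose command names an executable or script file."""
    return [(k, v) for k, v in launch_entries(text) if EXECUTABLE.search(v)]

def hijacks_default_verb(text):
    """True when 'shell=' makes a verb that has a command entry the default action."""
    verbs = {k.split("\\")[1] for k, _ in launch_entries(text) if k.startswith("shell\\")}
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key.strip().lower() == "shell" and value.strip().lower() in verbs:
            return True
    return False

if __name__ == "__main__":
    for key, cmd in suspicious(SAMPLE):
        print(f"{key} -> {cmd}")
    print("default verb hijacked:", hijacks_default_verb(SAMPLE))
```

On the sample, all four launch entries point at system.exe, and `shell=Explore` makes the rewritten Explore verb the drive's default action.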
Worm.Win32.AutoRun.noi attempts to retrieve information from:
- http://druzg.ru/[...].php?v=1&rs=13441600&n=1&uid=1
- http://drizg.ru/[...].php?v=1&rs=13441600&n=1&uid=1
The worm uses rootkit stealth techniques to hide its presence on the infected machine, including deleting its own installation file once the installation has been completed.
Last update 20 October 2008