Home / malware Worm:W32/Autorun.GA
First posted on 12 September 2008.
Source: SecurityHomeAliases :
There are no other names known for Worm:W32/Autorun.GA.
Explanation :
A standalone malicious program which uses computer or removable drives to make complete copies of itself.
right]AutoRun.GA creates a copy of itself as the following:
- C:Program FilesMicrosoft Commonwuauclt.exe
It will change the title of the process to "notepad window".
It also drops two files into the root of available removable drives:
- autorun.inf
- wuauclt.exe
It injects codes to svchost.exe and explorer.exe.
It looks for a service that will run manually and then temporarily replaces the driver with malicious driver. It then runs the service and the returns the original driver.
Launchpoint
- Key: HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exe
Value: Debugger
Data: C:Program FilesMicrosoft Commonwuauclt.exe
This entry is created for automatic execution when explorer.exe is launched.
The autorun.inf file is an autorun file of wuauclt.exe and contains the following strings:
- [autorun]
open=system.exe
shellexecute=system.exe
shellExplorecommand=system.exe
shellOpencommand=system.exe
shell=Explore
Stealth
The worm uses rootkit stealth techniques to hide its presence on the infected machine, including deleting its own installation file once the installation has been completed.Last update 12 September 2008
