
Worm:Win32/Autorun.AED


First posted on 23 February 2012.
Source: Microsoft

Aliases:

There are no other names known for Worm:Win32/Autorun.AED.

Explanation:

Worm:Win32/Autorun.AED is a worm that spreads via removable drives. Variants of the Worm:Win32/Autorun family usually spread using methods that include, but may not be limited to, copying themselves to removable or network drives. They do this by placing an autorun.inf file in the root directory of each affected drive in an attempt to ensure that the worm is run when the removable drive is attached, or the network drive is visited from a remote system supporting the Autorun feature.





Installation

When executed, Worm:Win32/Autorun.AED copies itself to the following locations:

  • c:\documents and settings\administrator\windows\system\winsystem.exe
  • %ProgramFiles%\system32\database.exe


Worm:Win32/Autorun.AED also drops a file that contains the date when the malware was installed or first executed:

%ProgramFiles%\system32\wininet.ocx

The worm modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "winsystem"
With data: "c:\documents and settings\administrator\windows\system\winsystem.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Userinit"
With data: "C:\Windows\system32\userinit.exe, %ProgramFiles%\system32\database.exe"

The worm modifies the following registry entry to ensure that each time the user opens an .inf file, the malware is executed instead:

In subkey: HKLM\Registry\Machine\Software\Classes\Inffile\shell\Open\command
Sets value: "(default)"
With data: "c:\documents and settings\administrator\windows\system\winsystem.exe"
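An added example, not part of the Microsoft write-up: a Python check that parses a registry export (the text produced by `reg export`) and flags the three persistence changes listed above. The benign Userinit and inffile handler values, and the HKEY_LOCAL_MACHINE\SOFTWARE-style key paths, are assumptions; the sample export is constructed to mirror the entries on this page.

```python
import re

# Assumed benign values on a default install (assumptions, not taken from the write-up).
LEGIT_USERINIT = {r"c:\windows\system32\userinit.exe", r"%systemroot%\system32\userinit.exe"}
LEGIT_INF_OPEN = r"%systemroot%\system32\notepad.exe %1"
HKLM_SW = r"hkey_local_machine\software"

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; string values only.
    .reg files escape backslashes and quotes inside string data, so unescape them."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$', line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            keys[current][name] = m.group(2)[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def autorun_aed_findings(reg_text):
    """Return one finding per persistence change described in the write-up that is present."""
    keys, findings = parse_reg_export(reg_text), []
    run = keys.get(HKLM_SW + r"\microsoft\windows\currentversion\run", {})
    if "winsystem" in run:
        findings.append("Run value 'winsystem' -> " + run["winsystem"])
    userinit = keys.get(HKLM_SW + r"\microsoft\windows nt\currentversion\winlogon", {}).get("userinit", "")
    extra = [p.strip() for p in userinit.split(",") if p.strip() and p.strip().lower() not in LEGIT_USERINIT]
    if extra:
        findings.append("Userinit has unexpected entries: " + "; ".join(extra))
    cmd = keys.get(HKLM_SW + r"\classes\inffile\shell\open\command", {}).get("(default)", "")
    if cmd and cmd.lower() != LEGIT_INF_OPEN:
        findings.append("inffile open handler replaced: " + cmd)
    return findings

# Constructed sample export reproducing the entries from the write-up (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsystem"="c:\\documents and settings\\administrator\\windows\\system\\winsystem.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe, C:\\Program Files\\system32\\database.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command]
@="c:\\documents and settings\\administrator\\windows\\system\\winsystem.exe"
'''

if __name__ == "__main__":
    for finding in autorun_aed_findings(SAMPLE_REG):
        print(finding)
```

On a live host the same check applies to `reg export HKLM\SOFTWARE` output; a clean Userinit value (`C:\Windows\system32\userinit.exe,`) and the default inffile handler produce no findings.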

Spreads via…

Removable and network drives

Worm:Win32/Autorun.AED copies itself to the following location on all accessible network or removable drives:

<drive:>\winsystem.exe

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

The worm also changes the file attributes of all of its dropped copies in the root directory to 'System', 'Hidden' and 'Read-Only'.



Analysis by Edgardo Diaz

Last update 23 February 2012
