Win32.Worm.Autorun.JP
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Autorun.JP is also known as Worm.Win32.Autorun.dlw, W32/Autorun.worm.bm, WORM_AUTORUN.UP.
Explanation:
When executed, the worm drops several copies of itself in:
%system%\system.exe
%windows%\userinit.exe
[every removable drive]:\Secret.exe
Also, it drops:
%system%\MSWINSCK.OCX, a clean file used by the virus
%system%\kdcoms.dll, a file in which the virus stores the user's active window titles and the following keystrokes:
Backspace, Tab, Shift, Ctrl, Alt, Pause, Esc, End, Home, Left, Right, Up, Down, Insert, Delete, F1-F12, NumLock, ScrollLock, PrintScreen, PageUp, PageDown
[every removable drive]:\autorun.inf, so that the worm is executed every time the drive is accessed
autorun.inf has the following content:
[AutoRun]
open=Secret.exe
;shell\open=Open(&O)
shell\open\Command=Secret.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=Secret.exe
The virus modifies the following registry value in order to be executed on every system startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
Userinit = "%windows%\userinit.exe" (instead of the original file located at %System%\userinit.exe)
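The two persistence mechanisms described above (the autorun.inf launch keys and the replaced Winlogon Userinit value) can be checked from a defender's side. The following is an added example, not part of the BitDefender write-up; it parses an autorun.inf as constructed from the content listed above and compares a Userinit value against the genuine System32 location. The function names, the sample INI text and the registry values are constructed for illustration.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample: the autorun.inf content this write-up describes.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=Secret.exe
;shell\open=Open(&O)
shell\open\Command=Secret.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=Secret.exe
"""

# autorun.inf keys that cause a program to run when the drive is opened,
# double-clicked or handled through its "Open"/"Explore" context-menu verbs.
LAUNCH_KEYS = {"open", "shellexecute", r"shell\open\command", r"shell\explore\command"}


def autorun_launch_targets(inf_text):
    """Map every launch-capable key in the [AutoRun] section to the program it runs."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str.lower  # INI keys are case-insensitive on Windows
    parser.read_string(inf_text)    # ';' lines are treated as comments, as Windows does
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: v.strip() for k, v in parser[section].items() if k in LAUNCH_KEYS}


def unexpected_userinit_entries(userinit_value, system_dir=r"C:\Windows\system32"):
    r"""Return entries of the Winlogon Userinit value that are not the genuine
    %System%\userinit.exe. A clean system carries 'C:\Windows\system32\userinit.exe,'
    (trailing comma included); the worm points it at %windows%\userinit.exe instead."""
    expected = PureWindowsPath(system_dir, "userinit.exe")
    entries = [e.strip().strip('"') for e in userinit_value.split(",") if e.strip()]
    # PureWindowsPath comparison is case-insensitive, matching Windows path semantics.
    return [e for e in entries if PureWindowsPath(e) != expected]


if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN_INF))
    # Constructed registry value as the worm would leave it (see the write-up above).
    print(unexpected_userinit_entries(r"C:\Windows\userinit.exe,"))
```

On a live host the Userinit string would be read from the Winlogon key named above and passed to the second function; any returned entry is a deviation worth investigating.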
The worm also downloads a file from:
http://files.myopera.com/[hide]online/files/task.rar, which also contains a copy of itself.
Last update 21 November 2011