Detect Date | 06/30/2010 |
Class | Worm |
Platform | Win32 |
Description |
The worm loads the .dll file into all active processes. The worm also intercepts mouse and keyboard events if one of the processes listed below has been launched:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

The worm harvests account data relating to the following games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

Harvested data is sent to the remote malicious user's site.

The worm also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

For example, Worm.Win32.AutoRun.beot:

The worm copies itself to local disks and accessible network resources. It is a Windows PE EXE file, 47733 bytes in size. It is packed with FSG; the unpacked file size is about 160 Kb. It is written in Delphi.

Installation

Once launched, the worm copies its body to the system disk of the user's computer. To ensure that the copy is launched automatically each time the system is rebooted, the following registry key is created:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Propagation

The worm copies its body to all writable removable disks connected to the infected computer. A file named "AutoRun.inf" is created together with the copy in the root of each infected disk. This file causes the copy to run each time a user opens the infected removable disk in Explorer. |
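As an added example (not part of the original description and not vendor code), the following Python check reads the text of a `reg export` dump and reports which of the registry values listed above are present, together with any entries under the Policies\Explorer\Run autostart key. The function names and the sample export are constructed for illustration; exports use full hive names where the description writes HKLM and HKCU.

```python
import re
CV = r"\software\microsoft\windows\currentversion"
ADV = "hkey_current_user" + CV + r"\explorer\advanced"
POL = "hkey_current_user" + CV + r"\policies\explorer"
SHOWALL = "hkey_local_machine" + CV + r"\explorer\advanced\folder\hidden\showall"
RUN_KEY = "hkey_local_machine" + CV + r"\policies\explorer\run"
# (key, value name) -> listed data; a dword or its string form both match.
WORM_VALUES = {(SHOWALL, "checkedvalue"): 0, (ADV, "hidden"): 2,
               (ADV, "showsuperhidden"): 0, (POL, "nodrivetypeautorun"): 0x91}

def parse_reg_export(text):
    """Yield (key, name, data) from .reg export text; dword data becomes int."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            else:  # REG_SZ: drop quotes, undo .reg backslash escaping
                data = data.strip('"').replace("\\\\", "\\")
            yield key, name, data

def audit(text):
    """Return (values matching the description, entries under the Run key)."""
    hits, run_entries = [], []
    for key, name, data in parse_reg_export(text):
        want = WORM_VALUES.get((key, name))
        if key == RUN_KEY:
            run_entries.append((name, data))
        elif want is not None and data in (want, str(want), hex(want)):
            hits.append((key, name))
    return hits, run_entries

# Constructed sample export, not from a real host (real exports are UTF-16).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"example"="C:\\Users\\Public\\example.exe"
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit only shows that a setting currently equals a listed value, so read the matches together with the Run entries rather than on their own.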