
What is the Win32 Autorun Worm?

written by: • edited by: Bill Bunter • updated: 6/9/2010

As the name suggests, Win32/Autorun is a worm that runs whenever removable media carrying it is connected to a Windows computer, by abusing the Windows AutoRun feature. Read on to find out more.

    Description

    Win32/Autorun is a family of worms that spread through removable media and act as downloaders: once running, the worm connects to a remote computer and fetches further malicious code to install on the infected system. It does not exploit a software bug. It relies on the AutoRun behaviour of Windows, which starts the program named in a drive's Autorun.inf when the drive is connected; Microsoft treated this as a feature rather than a vulnerability, so at the time of writing there was no patch for it, only the option to turn it off.

    Risk Assessment

    Home Users – N/A

    Corporate Users – N/A

    Virus Characteristics

    Type: virus/worm

    Filename: Unknown

    Detection: Win32/Autorun

    Length: variable

    How it Works

    Win32/Autorun arranges to be started every time Windows boots. It first copies itself to several locations, borrowing the names of legitimate Windows binaries: userinit.exe in the Startup folder, svchost.exe in the user profile folder, services.exe in the windows\system32\drivers folder, and Autorun.exe in the root of the drive Windows is installed on. The genuine userinit.exe, svchost.exe and services.exe live only in windows\system32, so a file with one of those names in any of the other locations is a strong indicator of this infection. The registry locations used below are abbreviated as follows:

    %path1% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

    %path2% = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion

    %path3% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

    %path4% = HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath

    %path5% = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath

    Besides copying itself to these locations, it adds the following new entries to the registry so that the copies are started at every logon.

    %path1%\Run\[system] = drivers\services.exe

    %path1%\Run\winlogon = user_profile\svchost.exe

    %path2%\Run\[system] = drivers\services.exe

    %path2%\Run\winlogon = user_profile\svchost.exe

    It also modifies the following existing entries. The Userinit value normally names only the genuine userinit.exe; the worm appends its own copy so that Winlogon starts both. The Schedule entries belong to the Task Scheduler service, whose ImagePath normally points to svchost.exe; redirecting it makes the worm's copy run as a service.

    %path3% = userinit.exe, drivers\services.exe

    %path4% = drivers\services.exe

    %path5% = drivers\services.exe
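The registry indicators above can be checked mechanically. The following script is an added example, not code from the original article: it compares the two Run keys, the Winlogon Userinit value and the Schedule service ImagePath against the article's indicators. The snapshot format (a dict of "HIVE\Key!ValueName" to data) and the two sample snapshots are constructed for this example, so the same checks can run over the live registry on Windows or over values exported from a disk image.

```python
"""Hunt for the Win32/Autorun persistence points listed above (added example)."""
import sys

HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"
RUN_KEYS = (
    HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
USERINIT = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon!Userinit"
SCHEDULE = HKLM + r"\SYSTEM\CurrentControlSet\Services\Schedule!ImagePath"

# The genuine userinit.exe, services.exe and svchost.exe live in System32; the
# worm's copies carry those names but sit in drivers\ or the user profile.
MIMICKED = ("userinit.exe", "services.exe", "svchost.exe")


def _exe(command):
    """Lower-cased executable path of a command line, quotes and arguments removed."""
    c = command.strip().strip('"').lower().replace("/", "\\")
    i = c.find(".exe")
    return c[: i + 4] if i != -1 else c.split(" ", 1)[0]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _mimic_outside_system32(command):
    path = _exe(command)
    name = _basename(path)
    return name in MIMICKED and not path.endswith("\\system32\\" + name)


def check_persistence(snapshot):
    """Return (location, data, reason) triples that match the article's indicators."""
    findings = []
    for key in RUN_KEYS:
        for loc, data in snapshot.items():
            if loc.startswith(key + "!") and _mimic_outside_system32(str(data)):
                findings.append((loc, data, "Run entry starts a System32 name from elsewhere"))
    userinit = snapshot.get(USERINIT)
    if userinit is not None:
        # Default is "C:\Windows\system32\userinit.exe," (one program, trailing comma);
        # anything after the first entry is an added autostart, worm or not.
        for extra in [e.strip() for e in str(userinit).split(",")[1:] if e.strip()]:
            findings.append((USERINIT, extra, "extra program appended to Userinit"))
    image = snapshot.get(SCHEDULE)
    if image is not None and (_basename(_exe(str(image))) != "svchost.exe"
                              or _mimic_outside_system32(str(image))):
        # Task Scheduler is hosted by System32\svchost.exe (-k netsvcs); any other
        # binary here means the service has been hijacked.
        findings.append((SCHEDULE, image, "Schedule service no longer runs System32\\svchost.exe"))
    return findings


def collect_live():
    """Read the same locations from the local registry (Windows only)."""
    import winreg  # only available on Windows
    hives = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}

    def open_key(full):
        hive, sub = full.split("\\", 1)
        return winreg.OpenKey(hives[hive], sub)

    snapshot = {}
    for key in RUN_KEYS:
        try:
            with open_key(key) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):  # [1] = number of values
                    name, data, _ = winreg.EnumValue(k, i)
                    snapshot[f"{key}!{name}"] = data
        except OSError:
            pass
    for loc in (USERINIT, SCHEDULE):
        key, value = loc.split("!")
        try:
            with open_key(key) as k:
                snapshot[loc] = winreg.QueryValueEx(k, value)[0]
        except OSError:
            pass
    return snapshot


# Constructed snapshots for the example (not taken from a real machine); the
# infected one reproduces the entries the article lists plus one benign Run value.
INFECTED = {
    RUN_KEYS[0] + "![system]": r"drivers\services.exe",
    RUN_KEYS[0] + "!winlogon": r"C:\Documents and Settings\user\svchost.exe",
    RUN_KEYS[0] + "!SoundMan": r"C:\WINDOWS\system32\soundman.exe",
    RUN_KEYS[1] + "![system]": r"drivers\services.exe",
    RUN_KEYS[1] + "!winlogon": r"C:\Documents and Settings\user\svchost.exe",
    USERINIT: r"C:\WINDOWS\system32\userinit.exe,drivers\services.exe",
    SCHEDULE: r"drivers\services.exe",
}
CLEAN = {
    RUN_KEYS[0] + "!SoundMan": r"C:\WINDOWS\system32\soundman.exe",
    USERINIT: r"C:\WINDOWS\system32\userinit.exe,",
    SCHEDULE: r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    snap = collect_live() if sys.platform == "win32" else INFECTED
    for loc, data, why in check_persistence(snap):
        print(f"{why}: {loc} = {data}")
```

On Windows the script reads the live registry; elsewhere it runs over the constructed infected snapshot and reports all six entries from the article, while the clean snapshot produces nothing. The Userinit check deliberately reports any appended program, not just drivers\services.exe, because a second entry there is abnormal regardless of which malware added it.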

    How it Spreads

    Win32/Autorun spreads by copying itself to any removable media it finds, together with an Autorun.inf file that names the copy as the program to run when the drive is connected. The copy is given a filename resembling popular software so that, even where AutoRun is turned off, a user may double-click it believing it to be something else; either way the worm executes in the background and infects that computer.

    Symptoms

    Heavy network activity when nothing is being downloaded (the worm fetching further malicious code)

    Presence of the registry entries and file copies listed above

    Unexpected executables with lure names such as Windows 2003.exe, Hotmail.exe or Password Cracker.exe, usually alongside an Autorun.inf file on removable drives
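The Autorun.inf described in the two sections above is a plain INI file, so the tricks the worm relies on can be recognised by parsing it. The following is an added example, not code from the original article: a small Autorun.inf parser plus an audit that flags `open=`, `shellexecute=` and `shell\<verb>\command=` entries launching executables, `shell=` redirecting the default double-click action, and the lure names the article lists. The two sample files are constructed for this example, not recovered from an infected drive, and the extra disguise heuristics (double extensions, an `action=` text imitating Explorer, an icon borrowed from shell32.dll) are this example's additions.

```python
"""Audit an Autorun.inf for the tricks Win32/Autorun relies on (added example)."""
import os
import string

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".wsf")
DOC_EXT = (".jpg", ".gif", ".doc", ".txt", ".pdf", ".mp3", ".avi")
# Lure names given in the article, compared case-insensitively.
LURES = ("windows 2003.exe", "hotmail.exe", "password cracker.exe")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section; keys are lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # ';' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            # Windows also honours architecture variants such as [autorun.alpha].
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _target(command):
    """Lower-cased file name a command launches, quotes and arguments removed."""
    c = command.strip().strip('"').lower().replace("/", "\\")
    ends = [c.find(ext) + len(ext) for ext in EXEC_EXT if c.find(ext) != -1]
    path = c[: min(ends)] if ends else c.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1]


def audit_autorun(text):
    """Return a list of findings (strings) for one Autorun.inf body."""
    entries = parse_autorun(text)
    findings = []
    for key, cmd in entries.items():
        # open= and shellexecute= run on insertion; shell\<verb>\command= defines
        # the verbs shown in the drive's context menu.
        is_launcher = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launcher:
            continue
        name = _target(cmd)
        if name.endswith(EXEC_EXT):
            findings.append(f"{key} launches executable '{name}'")
        if name in LURES:
            findings.append(f"{key} uses a lure name from the article: '{name}'")
        stem = name.rsplit(".", 1)[0]
        if " " in stem or stem.endswith(DOC_EXT):
            findings.append(f"{key} target looks disguised: '{name}'")
    # shell=<verb> makes that verb the default double-click action, so "Open" in
    # Explorer runs the worm's command instead of browsing the drive.
    verb = entries.get("shell", "").lower()
    cmd_key = "shell\\" + verb + "\\command"
    if verb and cmd_key in entries:
        findings.append(f"shell= routes the default action to: {entries[cmd_key]}")
    # Classic AutoPlay disguise: a dialog entry worded like Explorer's own
    # "Open folder to view files" and a folder icon borrowed from shell32.dll.
    if "open folder" in entries.get("action", "").lower():
        findings.append("action= mimics the Explorer 'Open folder' entry")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon= borrowed from shell32.dll")
    return findings


def scan_drives():
    """Windows only: audit the Autorun.inf at the root of every mounted drive letter."""
    results = {}
    for letter in string.ascii_uppercase:
        path = f"{letter}:\\autorun.inf"
        if os.path.exists(path):  # hidden/system attributes do not hide it from this check
            with open(path, "r", errors="replace") as f:
                results[path] = audit_autorun(f.read())
    return results


# Constructed samples for the example.
BENIGN = """[autorun]
icon=setup.exe,0
label=Product Installer
"""
WORM = """[autorun]
; dropped as a hidden+system file next to the payload
open=Password Cracker.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=Password Cracker.exe
shell\\explore\\command=Password Cracker.exe
shell=open
"""

if __name__ == "__main__":
    for line in audit_autorun(WORM):
        print(line)
    for path, hits in scan_drives().items():
        print(path, hits or "no findings")
```

Legitimate installation CDs also carry `open=setup.exe`, so the "launches executable" line alone is informational; the lure, disguise, `shell=` and `action=` findings are what separate a worm's Autorun.inf from a vendor's.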

    Removal Instructions

    As a precautionary step, disable the AutoRun feature of Windows so that inserting a drive can no longer start a program. Next, disable System Restore so that infected files are not preserved in restore points, then search all drives, removable media included, for Autorun.inf files and delete them (check their contents first: legitimate installation CDs also carry an Autorun.inf). Remove the dropped files and the registry entries listed above, and finally run a complete scan with an up-to-date antivirus product such as ESET NOD32 or McAfee. Scan any removable media that was used with the infected computer before connecting it to another machine.
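The first removal step, disabling AutoRun, is controlled by the NoDriveTypeAutoRun registry value. The following is an added example, not code from the original article: it decodes that bitmask, reports which drive types would still AutoRun under a given value, and (on Windows, from an elevated prompt) writes the machine-wide policy that turns AutoRun off for every drive type. The bit layout follows the GetDriveType() constants; the helper names are this example's own.

```python
"""Inspect and set the NoDriveTypeAutoRun policy (added example)."""
import sys

# HKLM takes precedence over the per-user copy of the same value.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# One bit per drive type, 1 << GetDriveType() result; a set bit disables AutoRun.
DRIVE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB sticks, floppies, card readers: the worm's vector
    "fixed": 0x08,
    "remote": 0x10,      # network drives
    "cdrom": 0x20,
    "ramdisk": 0x40,
}
RESERVED_BIT = 0x80
DEFAULT_VALUE = 0x91   # Windows default when the value is absent: unknown + remote + reserved
DISABLE_ALL = 0xFF     # every type off, the value Microsoft recommends for disabling AutoRun


def autorun_disabled_for(mask, drive_type):
    """True when the given mask turns AutoRun off for that drive type."""
    return bool(mask & DRIVE_BITS[drive_type])


def still_enabled(mask):
    """Drive types on which AutoRun would still fire under the given mask."""
    return sorted(t for t, bit in DRIVE_BITS.items() if not mask & bit)


def read_mask():
    """Windows only: the HKLM policy value, or None when unset (DEFAULT_VALUE then applies)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as k:
            return winreg.QueryValueEx(k, VALUE_NAME)[0]
    except OSError:
        return None


def apply_mask(mask=DISABLE_ALL):
    """Windows only: write the machine-wide policy (needs an elevated prompt)."""
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                            winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, VALUE_NAME, 0, winreg.REG_DWORD, mask)


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_mask()
        mask = DEFAULT_VALUE if current is None else current
        print(f"current mask 0x{mask:02X}; AutoRun still enabled for: {still_enabled(mask)}")
        if "--apply" in sys.argv:
            apply_mask(DISABLE_ALL)
            print(f"set {VALUE_NAME} to 0x{DISABLE_ALL:02X}")
    else:
        print(f"default 0x{DEFAULT_VALUE:02X} leaves AutoRun on for: {still_enabled(DEFAULT_VALUE)}")
```

The default 0x91 leaves AutoRun on for removable, fixed and CD-ROM drives, which is exactly what the worm needs; 0xFF closes all of them. Windows XP and Vista honour this value for all drive types only after the update Microsoft describes in KB967715, so check the patch level before relying on the setting alone.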