How it Works
Win32/Autorun loads itself at startup when Windows boots. It does this by copying itself to multiple locations: in the startup folder as userinit.exe, in the user_profile folder as svchost.exe, in the windows\system32\drivers folder as services.exe, and finally on the C drive where Windows is installed, as Autorun.exe. You can look for these files to confirm the presence of this worm on your computer system.
%path1% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
%path2% = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
%path3% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
%path4% = HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath
%path5% = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath
Apart from copying itself to various locations, it also modifies existing entries and adds new entries in the system registry. The entries are written here with the %path1% to %path5% abbreviations defined above. It adds the following new entries.
%path1%\Run\[system] = drivers\services.exe
%path1%\Run\winlogon = user_profile\svchost.exe
%path2%\ Run\[system] = drivers\services.exe
%path2%\ Run\winlogon = user_profile\svchost.exe
It modifies the following existing entries in the system registry.
%path3% = userinit.exe, drivers\services.exe
%path4% = drivers\services.exe
%path5% = drivers\services.exe
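
A read-only check for the files and registry values listed above, as an added example that is not part of the original page. The mapping of "startup folder", "user_profile" and "C drive" to the current user's Startup folder, %USERPROFILE% and %SystemDrive% is an assumption.

```powershell
# Added example: read-only check for the artifacts listed on this page.
# Assumed mappings: "startup folder" = current user's Startup folder,
# "user_profile" = %USERPROFILE%, "C drive" = %SystemDrive%.
$findings = @()

$files = @(
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'userinit.exe'),
    (Join-Path $env:USERPROFILE 'svchost.exe'),
    (Join-Path $env:SystemRoot 'System32\drivers\services.exe'),
    "$env:SystemDrive\Autorun.exe"
)
foreach ($f in $files) {
    # File.Exists also sees files carrying the hidden or system attribute
    if ([System.IO.File]::Exists($f)) { $findings += "File present: $f" }
}

# Run values. '[system]' contains wildcard characters, so read it through the
# RegistryKey object instead of Get-ItemProperty -Name.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in '[system]', 'winlogon') {
        $data = $key.GetValue($name)
        if ($null -ne $data) { $findings += "Run value: $path\$name = $data" }
    }
}

# Existing values the page says are modified to reference drivers\services.exe
$modified = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Services\Schedule'; Name = 'ImagePath' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name = 'ImagePath' }
)
foreach ($m in $modified) {
    $key = Get-Item -LiteralPath $m.Path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    $data = [string]$key.GetValue($m.Name)
    if ($data -match 'drivers\\services\.exe') {
        $findings += "Modified value: $($m.Path)\$($m.Name) = $data"
    }
}

if ($findings.Count -eq 0) { 'No artifacts from the list were found.' } else { $findings }
```

Run it from a 64-bit PowerShell session on 64-bit Windows; a 32-bit session is subject to WOW64 redirection of System32 and parts of HKLM\SOFTWARE and can miss these locations.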