The Win32 Autorun Worm: A 101

Description

Win32/Autorun is a worm that does not replicate itself but downloads further malicious code to infect the computer system. Win32/Autorun abuses an unpatched weakness in Microsoft's Windows operating system, one that Microsoft regards as a feature, and downloads additional malicious code from various sources by connecting to a remote computer.

Risk Assessment

Home Users – N/A

Corporate Users – N/A

Virus Characteristics

Type: virus/worm

Filename: Unknown

Detection: Win32/Autorun

Length: variable length

How it Works

Win32/Autorun loads itself at startup when Windows boots. It does this by copying itself to multiple locations: into the Startup folder as userinit.exe, into the user profile folder as svchost.exe, into the windows\system32\drivers folder as services.exe and, finally, into the root of the drive on which Windows is installed, as Autorun.exe. Looking for these files is therefore one way to confirm the presence of the worm on your computer system. The registry locations referred to below are abbreviated as follows:

%path1% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

%path2% = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion

%path3% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

%path4% = HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath

%path5% = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath

Apart from copying itself to various locations, it also adds new entries to the system registry and modifies existing ones. It adds the following new entries:

%path1%\Run\[system] = drivers\services.exe

%path1%\Run\winlogon = user_profile\svchost.exe

%path2%\Run\[system] = drivers\services.exe

%path2%\Run\winlogon = user_profile\svchost.exe

It modifies the following existing entries in the system registry:

%path3% = userinit.exe, drivers\services.exe

%path4% = drivers\services.exe

%path5% = drivers\services.exe
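Checking a host for these artifacts, as an added example that is not part of the original write-up: the PowerShell below reads the four file locations and the registry values named above and reports any that are present, without changing anything. The file paths follow the description's wording ("user_profile" is read as the current user's profile folder, an assumption), and the Userinit check flags any program appended after userinit.exe, not only drivers\services.exe, since that is how the value is abused in general.

```powershell
# Added example (not part of the original write-up): read-only check of a Windows
# host for the Win32/Autorun persistence artifacts listed above. Run from an
# elevated PowerShell prompt. File locations follow the write-up's wording;
# "user_profile" is taken to mean the current user's profile folder (assumption).

$indicators = [System.Collections.Generic.List[object]]::new()

function Add-Indicator([string]$Kind, [string]$Location, [string]$Value) {
    $indicators.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Value = $Value })
}

# --- 1. Dropped copies of the worm ---
$fileCandidates = @(
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'userinit.exe'),   # Startup folder
    (Join-Path $env:USERPROFILE 'svchost.exe'),                              # user profile folder
    (Join-Path $env:SystemRoot 'system32\drivers\services.exe'),             # drivers folder
    (Join-Path "$env:SystemDrive\" 'Autorun.exe')                            # root of the Windows drive
)
foreach ($path in $fileCandidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Add-Indicator 'File' $path "$((Get-Item -LiteralPath $path -Force).Length) bytes"
    }
}

# --- 2. Run values the worm adds (%path1%\Run and %path2%\Run) ---
# The value names "[system]" and "winlogon" are the indicator here; legitimate
# software does not normally register under them.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in '[system]', 'winlogon') {   # GetValue() avoids wildcard expansion of "[system]"
        $data = $regKey.GetValue($name)
        if ($null -ne $data) { Add-Indicator 'Registry (added)' "$key\$name" $data }
    }
}

# --- 3. Existing values the worm modifies (%path3%, %path4%, %path5%) ---
# A clean Userinit is "C:\Windows\system32\userinit.exe," with nothing after the
# comma, so any second comma-separated program is suspicious, not just the worm's.
$winlogon = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = [string]$winlogon.GetValue('Userinit')
$userinitParts = @($userinit -split ',' | Where-Object { $_.Trim() })
if ($userinit -match 'drivers\\services\.exe' -or $userinitParts.Count -gt 1) {
    Add-Indicator 'Registry (modified)' "$($winlogon.Name)\Userinit" $userinit
}

# A clean Task Scheduler ImagePath points at svchost.exe under %SystemRoot%\system32;
# a path ending in drivers\services.exe is the worm's.
foreach ($svcKey in 'HKLM:\SYSTEM\ControlSet001\Services\Schedule',
                    'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule') {
    if (-not (Test-Path -LiteralPath $svcKey)) { continue }
    $image = [string](Get-Item -LiteralPath $svcKey).GetValue('ImagePath')
    if ($image -match 'drivers\\services\.exe') {
        Add-Indicator 'Registry (modified)' "$svcKey\ImagePath" $image
    }
}

# --- Report ---
if ($indicators.Count -eq 0) {
    Write-Output 'None of the Win32/Autorun indicators from the write-up were found.'
} else {
    Write-Warning "$($indicators.Count) Win32/Autorun indicator(s) found:"
    $indicators | Format-Table -AutoSize
}
```

The script only reads the registry and file system; anything it reports should be checked against the file's hash and signature before it is treated as the worm, since a Run value named winlogon could also have been created by some other program.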

How it Spreads

Win32/Autorun spreads by dropping an Autorun.inf file onto removable media and using filenames that resemble those of popular software. This way a user can accidentally click the file, allowing the Win32/Autorun worm to execute in the background.

Symptoms

Excessive network activity even when you are not downloading anything

Presence of the above-mentioned entries in the system registry

Unwanted files with the extension ".exe", such as Windows 2003.exe, Hotmail.exe, Password Cracker.exe, etc.

Removal Instructions

As a precautionary step, you must disable the Autorun feature of your Windows operating system. Next, disable the System Restore facility, then search for Autorun.inf files and delete them. Finally, perform a complete scan of your computer system using either ESET NOD32 or McAfee antivirus.
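The removal steps, together with the Autorun.inf delivery described under How it Spreads, as an added PowerShell example that is not from the original write-up: it disables Autorun through the NoDriveTypeAutoRun Explorer policy, turns off System Restore on the Windows drive, and for each removable drive shows what its Autorun.inf would launch and which executables sit at its root before deleting the file. The policy value and Disable-ComputerRestore are standard Windows facilities; the script's structure is my own, and the antivirus scan is left to the product's own console.

```powershell
# Added example (not part of the original write-up): the removal steps above as
# one script, plus a look at what the Autorun.inf from "How it Spreads" launches.
# Run from an elevated PowerShell prompt on the affected Windows host.

# 1. Disable Autorun for every drive type. NoDriveTypeAutoRun is a bitmask of
#    drive types to exclude from Autorun; 0xFF excludes them all. Set it for the
#    machine and for the current user so a per-user setting cannot re-enable it.
foreach ($hive in 'HKLM', 'HKCU') {
    $policy = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path -LiteralPath $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -LiteralPath $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# 2. Disable System Restore on the Windows drive so the dropped copies cannot
#    come back from a restore point after they are cleaned.
Disable-ComputerRestore -Drive "$env:SystemDrive\"

# 3. Find Autorun.inf on removable media (Win32_LogicalDisk DriveType 2), show the
#    directives that would launch a program, list root-level .exe files (the
#    "Hotmail.exe"-style names from the Symptoms section), then delete Autorun.inf
#    after the operator confirms. -Force is needed when a file carries the
#    hidden or system attribute.
$launchDirective = '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*='
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = "$($disk.DeviceID)\"
    $inf  = Join-Path $root 'Autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }

    Write-Host "Autorun.inf found on $root"
    Get-Content -LiteralPath $inf -Force |
        Where-Object { $_ -match $launchDirective } |
        ForEach-Object { Write-Host "    $_" }

    Get-ChildItem -LiteralPath $root -Filter '*.exe' -File -Force |
        ForEach-Object { Write-Host "    root executable: $($_.Name) ($($_.Length) bytes)" }

    Remove-Item -LiteralPath $inf -Force -Confirm
}
```

Deleting Autorun.inf removes the delivery mechanism but not the executable it points at, which is why the script prints the launch directive and the root-level .exe names: the full antivirus scan from the last step, or a manual review of those files, still has to follow.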