- slide 1 of 7
Win32/Autorun is a worm that does not replicate itself but downloads another malicious code to infect the computer system. Win32/Autorun exploits the un-patched vulnerability present in Microsoft’s windows operating system which Microsoft calls it a feature and downloads another malicious code from various sources by connecting to a remote computer.
- slide 2 of 7
Home Users – N/A
Corporate Users – N/A
- slide 3 of 7
Length: variable length
- slide 4 of 7
How it Works
Win32/Autorun loads itself at startup when windows boots. It does this by copying itself at multiple locations, in the startup folder with the name userinit.exe, in the user_profile folder as svchost.exe, in the windows\system32\drivers folder as services.exe and finally in the C drive where your windows is installed, as Autorun.exe. In this manner, you can look for the following files and confirm the presence of this worm on your computer system.
%path1% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
%path2% = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
%path3% = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
%path4% = HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath
%path5% = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath
Apart from copying itself at various locations, it also modifies and adds new entries in the system registry. It adds the following new entries.
%path1%\ Run\[system] = drivers\services.exe
%path1%\ Run\ winlogon = user_profile\svchost.exe
%path2%\ Run\[system] = drivers\services.exe
%path2%\ Run\winlogon = user_profile\svchost.exe
It modifies the following existing entries present in the system registry.
%path3% = userinit.exe, drivers\services.exe
%path4% = drivers\services.exe
%path5% = drivers\services.exe
- slide 5 of 7
How it Spreads
Win32/Autorun spreads itself by dropping an Autorun.inf file in the removable media using the filenames that are similar to the name of the popular software’s. This way a user can accidentally click the file allowing the Win32/Autorun worm to execute in the background.
- slide 6 of 7
Too much network activity even when you are not downloading anything
Presence of the above mentioned entries in the system registry
Unwanted filenames with the extension “.exe” like Windows 2003.exe, Hotmail.exe, Password Cracker.exe, etc
- slide 7 of 7
As a precautionary step, you must disable the Autorun feature of your windows operating system. Your next step should be to disable the system restore facility and search for Autorun.inf files, and delete them. Finally, perform a complete scan of your computer system either using Eset NOD32 or McAfee antivirus.