“W32/Autorun.worm.aacz” is the detection name for a worm that spreads over USB devices using Autorun functionality. Worms are self-replicating malicious files that spread from computer to computer by several means, including but not limited to USB Autorun, network shares, e-mail attachments and remote network exploits. The payload may include embedded files that are dropped onto the system, or files downloaded later, after the initial infection.
W32/Autorun.worm.aacz is a worm that spreads over removable drives. To lure the user into executing the file, it uses an icon that resembles a folder icon.
Upon execution, the malware tries to spread to all fixed and removable drives as described below. In addition, it drops a copy of itself in the following location:
- %Temp%\Laui.exe
Besides creating the files on removable drives as explained above, the malware also tries to hide folders on disk and copies itself using the same name as each hidden folder, so that this executable starts the malware whenever the user tries to open the folder. The malware also tries to spread over network shares.
The following registry key values are modified on the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%Windir%\system32\userinit.exe,"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%Windir%\system32\userinit.exe,%Temp%\Laui.exe"
The modified Userinit value registers the worm in the Winlogon entry of the compromised system so that it executes itself upon every reboot.
It also uses the executables mimicking the hidden folders as a restart mechanism: every time the user tries to open one of those folders in Explorer, the malware executes again.
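The two persistence tricks described above (the extra entry appended to the Winlogon Userinit value and the .exe files named after hidden folders) can be checked for with a short script. The following is an added example, not part of the original advisory; the sample Userinit values, the `victim` user path and the `Photos` folder layout are constructed for illustration.

```python
import os
import re
import tempfile
from typing import List, Optional

# Added example (not from the advisory): defender-side checks for the two
# persistence tricks described above. Sample values below are constructed.
LEGIT_USERINIT = re.compile(
    r"^(%windir%|[a-z]:\\windows)\\system32\\userinit\.exe$", re.I)

# Constructed sample values: the stock Userinit entry and the worm's modified one.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = (r"C:\Windows\system32\userinit.exe,"
                     r"C:\Users\victim\AppData\Local\Temp\Laui.exe")

def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every comma-separated Userinit entry that is not the stock userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if not LEGIT_USERINIT.match(e)]

def read_live_userinit() -> Optional[str]:
    """Read the real Winlogon\\Userinit value on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

def folder_mimic_executables(root: str) -> List[str]:
    """Return .exe files whose base name matches a sibling directory (folder-icon lure)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dir_names = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() in dir_names:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def demo_folder_mimic() -> List[str]:
    """Build a constructed drive layout in a temp dir and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Photos"))          # the folder the worm would hide
        for name in ("Photos.exe", "setup.exe", "notes.txt"):
            open(os.path.join(root, name), "w").close()  # Photos.exe is the look-alike
        return [os.path.basename(p) for p in folder_mimic_executables(root)]
```

On a Windows host, feed `read_live_userinit()` into `suspicious_userinit_entries()` and run `folder_mimic_executables()` against the root of each removable drive; any hit is worth a closer look.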