Virus Profile: W32/Autorun.worm.aacz

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/15/2012
Date Added: 6/15/2012
Origin: Unknown
Length: Varies
Type: Virus
Subtype: Worm
DAT Required: 6743
Removal Instructions
   
 
 
   

Description

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Aliases –

Microsoft -  Worm:Win32/Huanot.A
Sophos  -  Mal/BigMole-B
Symantec  -  Trojan.ADH.2
Kaspersky  -  Worm.Win32.Agent.agj

Indication of Infection

Presence of above mentioned files and registry activities.

Methods of Infection

This worm may be spread by its intented method of infected removable drives. Alternatively this may be installed by visiting a malicious web page (either by clicking on a link), or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.
   

Virus Characteristics

W32/Autorun.worm.aacz” is detection for a worm that spreads over USB devices using Autorun functionality. Worms are self-replicating malicious files that spread from computer to computer by several means but not restricted to USB Autorun functionalities, network shares, e-mail attachments, remote network exploits, among others. The payload may include embedded files that are dropped onto the system, or downloaded later after the initial infection.

W32/Autorun.worm.aacz is a worm that spreads over removable drives. In order to lure the user to execute the file, it uses an icon that resembles a Folder Icon.

Upon execution, the malware will try to spread to all fixed and removable drives as described below. Besides that it will drop a copy of itself in the following location:

  •  %Temp%\ Laui.exe
  •  %Temp%\1.exe
  • [RemovableDrive]\Laui.exe
  •  [RemovableDrive]\autorun.inf

Besides creating the files in removable drives as explained above, the malware also tries to hide folders on disk, and its copies itself with same name as the folder and uses this exe to start the malware whenever the user tries to open the folder. The malware also tries to spread over network shares.

The following registry key values have been modified to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%Windir%\system32\userinit.exe,"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%Windir%\system32\userinit.exe,%Temp%\Laui.exe"

The above mentioned registry ensures that the worm registers into the winlogon entry with the compromised system and execute itself upon every reboot.

It also uses the links mimicking the hidden folders as a restart mechanism, since every time the user tries to open a folder in Explorer, besides it will execute the malware again.

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95