For Home

Virus Profile: Generic!atr

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/31/2007
Date Added: 1/31/2007
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Configuration file
DAT Required: 6847
Removal Instructions
   
 
 
   

Description

This is a generic detection for a configuration text file (autorun.inf) used by many worms. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

Indication of Infection

The presence of autorun.inf files on the root of all removable drives or mapped network drives containing information similar to that described in the "Characteristics" section.

Methods of Infection

Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution.

   

Virus Characteristics

------------Updated on 27 Feb 2013-------------------------

Aliases

  • Kaspersky    -    Worm.Win32.AutoRun.ubh
  • Fortinet        -    INF/Autorun.AFB!tr
  • Nod32          -    Win32/AutoRun.Agent.EE
  • BitDefender   -    Trojan.Autorun.AFA

Characteristics – 

Generic!atr” is a generic detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accessed.

The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.

Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.

The file uses the below argument to execute the source file

  • shell\open\command=rundll system.dll,explore

The autorun.inf is configured to launch the Trojan file via the following command syntax.

  • [autorun]
  • shell\open\command=rundll system.dll,explore
  • shell\explore\command=rundll system.dll,explore

Upon execution the Auto inf file tries to launch the source file from the following the location:

  • :[Removable drive]\ system.dll [Detected as Downloader-BNM.c]
  • %SYSTEMDRIVE%\ system.dll [Detected as Downloader-BNM.c]

The above file is a worm that spreads by copying itself to system and removable drives.

------------Updated on 22 Feb 2013-------------------------

Aliases

Kaspersky    -    Worm.Win32.AutoRun.aaz.
Nod32        -    INF/Autorun worm
F-secure    -    Trojan.Autorun.Se
Avira        -    W32/Autorun.mg 

Generic!atr” is a generic detection for a configuration text file (autorun.inf) used by many worms.
This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accessed.

The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.
Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.


The file uses the below argument to execute the source file

shell\open\Command= auto.exe

The autorun.inf is configured to launch the Worm file via the following command syntax.

[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell\Auto\command=auto.exe

Upon execution the Auto inf file tries to launch the source file from the following the location:

  • :[Removable drive]\auto.exe [Detected as BackDoor-DKA]
  • %SYSTEMDRIVE%\ auto.exe [Detected as BackDoor-DKA]

The above file is a worm that spreads by copying itself to system and removable drives.

 ------Updated on Jan 25,2012---------------------------

Aliases

  • Microsoft    -    Worm:Win32/Autorun.gen!inf
  • Norman    -    AutoRun.BI
  • Quickheal    -    W32.Autorun.Inf.Gen
  • F-secure    -    Trojan.AutorunINF.Gen
  • Comodo    -    TrojWare.Win32.GameThief.Magania.amka

Characteristics – 


Generic!atr” is a generic detection for a configuration text file (autorun.inf) used by many worms.
This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accessed.
The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.
Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.

The file uses the below argument to execute the source file

  • shell\open\Command=hbs.exe

The autorun.inf is configured to launch the Worm file via the following command syntax.

;sKKiDke4siara5qa4LL8knwpqJ0Dd1aSilrjaoAoKDdledJ3c5l93j4D3wspUK2kL2w
[AutoRun]
;CDD37ldaSAf2AAs8lJd1okjJrslaqk3aaplrw4Sw4aS5jows53see9lD30ji93d22AOqdr2d5fDJ4
open=hbs.exe
;on0SeAdDskssOkjaroaio44i313DkoD2ZKeDl3qal5Ke0sJsLwj15K7s8jD
shell\open\Command=hbs.exe
;ai4rAKiaqk4foLaDUqwo2saa2s3kqXkj0jkrSq4dasJaK332kofwL1oZwK0jl3diFJlk70na2a54al95p5sdi4wfLDw1p3iw24A0
shell\open\Default=1
;iddo
shell\explore\Command=hbs.exe
;iKLr2da4wia3d9Owip1lakkoSqrkD9isSfKkwkqwi2wFZl0J1l23ard4A1Ja5DkDd54k9la2qaKA7soDs0irKwq022kqeKKfalj8srmdL2Lweejre35Ka

Upon execution the Auto inf file tries to launch the source file from the following the location:

  • :[Removable drive]\ hbs.exe [Detected as Generic PWS.ak]
  • %SYSTEMDRIVE%\ hbs.exe [Detected as Generic PWS.ak]

The above file is a worm that spreads by copying itself to system and removable drives.

 -------Updated on Dec 7,2012-----------------------------

 Aliases

  • Kaspersky    -    Worm.Win32.VB.fi
  • Microsoft    -    worm:win32/autorun!inf
  • Nod32        -    INF/Autorun worm
  • Norman    -    VBTroj.HAT


Generic!atr” is a generic detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accessed.

The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.

Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.

The file uses the below argument to execute the source file

  • shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe


The autorun.inf is configured to launch the Trojan file via the following command syntax.

  • [autorun]
  • shellexecute=Recycled\Recycled\ctfmon.exe
  • shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
  • shell=Open(&0)


Upon execution the Auto inf file tries to launch the source file from the following the location:

  • :[Removable drive]\Recycled\Recycled\ctfmon.exe [Detected as FakeRecycled]
  • %SYSTEMDRIVE%\Recycled\Recycled\ctfmon.exe [Detected as FakeRecycled]


The above file is a worm that spreads by copying itself to system and removable drives. It creates a Fake recyclebin.

---Updated on Oct 08, 2012------

Aliases

  • F-secure - Worm:INF/Autorun.gen!A 
  • Microsoft - worm:win32/autorun!inf
  • Norman - AutoRun.IYB (trojan)
  • Nod32  - INF/Autorun worm

Characteristics –

Generic!atr” is a generic detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accessed.

The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.

Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

[autorun]
OPeN=ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
IcON=%wIndIr%\sYstEm32\ShElL32.DlL,7
ACtION=Open USB
sHeLl\OpEN=oPEn
sHeLl\OpEN\cOMMaND=ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe
sHeLl\OpEN\deFaULt=1

Upon execution the Auto inf file tries to launch the source file from the following the location:

:[RemovableDrive]\ReCycLEr\S-1-5-21-1482276501-1663491937-6831267430-1013\svchost.exe [Detected as Generic.dx!cuo]

The above file is a Worm that allows unauthorized access and control of an infected machine. It connects to a remote IRC server in order to receive instruction from a remote attacker.

--Updated on December 22, 2010 ----

File Information

  • MD5  -  C2B5C216DD47159EF76B1158E4ACA837
  • SHA  - 202EBAC554FC658BD736394AE06F3ECAFAB94422

Aliases

  • BitDefender - Worm.Autorun.VLX
  • GData         - Worm.Autorun.VLX
  • Microsoft    - VirTool:INF/Autorun.gen!A
  • TrendMicro - Mal_Otorun2

This is a generic detection for a configuration text file (autorun.inf) used by many worms.

This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the trojan file via the following command syntax.

  • [AutoRun]
  • open=skg1.exe
  • shell\open\Command=skg1.exe

--------------------------------------------------------------------

This is a generic detection for a configuration text file (autorun.inf) used by many worms. This file is usually dropped onto the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The size for this file varies. The size differs based on the length of the filename being referenced inside the .inf file.

Some copies of this file has the System (S) and Hidden (H) attributes present in attempt to hide the file from certain, default, viewing options within Windows Explorer.

The contents of the file are similar to the following:

[Autorun]
open=<WORM>.exe
shellexecute=<WORM>.exe
shell\Auto\command=<WORM>.exe

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).