For Consumer

Virus Profile: W32/Autorun.worm.ev

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/23/2009
Date Added: 3/23/2009
Origin: N/A
Length: N/A
Type: Virus
Subtype: Worm
DAT Required: 5562
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of the aforementioned files and/or registry entries.

Methods of Infection

This worm may be spread by its intented method of infected removable drives. It will autorun via either the Windows Startup program directory or an autorun.inf file.

Virus Characteristics

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes.
Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Upon execution, a message box will appear like the one below:

The following registry keys are created upon execution:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\{BD472F60-27FA-11cf-B8B4-444553540000}
  • HKEY_USERS\S-1-5-21-1614895754-1637723038-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inf
  • HKEY_USERS\S-1-5-21-1614895754-1637723038-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inf\OpenWithList
  • HKEY_USERS\S-1-5-21-1614895754-1637723038-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inf\OpenWithProgids
  • HKEY_USERS\S-1-5-21-1614895754-1637723038-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\4
  • HKEY_USERS\S-1-5-21-1614895754-1637723038-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\5
  • HKEY_USERS\S-1-5-21-1614895754-1637723038-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\6

The following files are dropped on the locally infected host upon execution:.

  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\cnvpe.fne
  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\dp1.fne
  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\eAPI.fne
  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\HtmlView.fne
  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\internet.fne
  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\krnln.fnr
  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\shell.fne
  • %Drive%:\Documents and Settings\Administrator\Local Settings\Temp\E_N4\spec.fne
  • %Drive%:\Documents and Settings\Administrator\Start Menu\Programs\Startup\[randomfilename].lnk
  • %WinDir%\system32\5784EE\[randomfilename].EXE
  • %WinDir%\system32\8F2E3B\cnvpe.fne
  • %WinDir%\system32\8F2E3B\dp1.fne
  • %WinDir%\system32\8F2E3B\eAPI.fne
  • %WinDir%\system32\8F2E3B\HtmlView.fne
  • %WinDir%\system32\8F2E3B\internet.fne
  • %WinDir%\system32\8F2E3B\krnln.fnr
  • %WinDir%\system32\8F2E3B\RegEx.fnr
  • %WinDir%\system32\8F2E3B\shell.fne
  • %WinDir%\system32\8F2E3B\spec.fne

When replicated to attached drives or folders, the following files are dropped:

  • %Drive%:\Recycle.exe
  • %Drive%:\autorun.inf
  • %Drive%:\System.exe




All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).