
Worm.Win32.AutoIt.c

Detected Sep 11 2007 12:24 GMT
Released Sep 11 2007 12:24 GMT
Published Nov 06 2007 10:27 GMT


Technical Details

This worm creates copies of itself on local disks and on write-accessible removable disks. It is a Windows PE EXE file, packed with UPX; as the family name and the aliases listed below indicate, it is a compiled AutoIt script. The worm's file size varies from 220KB to 275KB.

Installation

When launched, the worm copies its executable file to the Windows directory and the Windows system directory:

%WinDir%\RVHOST.exe
%System%\RVHOST.exe

To be launched automatically each time the system starts, the worm adds two autorun entries: a per-user Run value (the misspelled name "Yahoo Messengger" is the worm's own and is a usable indicator), and the machine-wide Winlogon Shell value, which it changes so that RVHOST.exe is started alongside Explorer.exe at logon:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger" = "%System%\RVHOST.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "Explorer.exe RVHOST.exe"

Propagation

The worm copies its executable file to the root of all write-accessible removable disks under the following name:

New Folder.exe

The worm also recursively copies its executable file into every folder on the removable disk. Each copy takes the name of the folder it is placed in, with an ".exe" extension: a folder named Photos receives a copy named Photos.exe. With Explorer's default setting of hiding known file extensions, such a copy appears inside the folder as an entry bearing the folder's own name, which invites the user to double-click it.


Payload

The worm creates the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableRegistryTools = 1
DisableTaskMgr = 1

These values prevent Registry Editor and Task Manager from being launched for the affected user account (they live under HKCU, so other accounts on the machine are not affected), which hampers manual inspection and removal.

The worm also terminates processes belonging to some antivirus and firewall products.


Removal instructions

If your computer does not have an up-to-date antivirus solution, or has none at all, follow the instructions below to delete the malicious program:

  1. Terminate the worm process by entering the following command in the command line (the /F switch forces termination; without it a process with no window may ignore the request):
    taskkill /F /IM RVHOST.exe
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Run the following commands in the command line to re-enable Registry Editor and Task Manager:
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools
  4. When prompted to confirm each deletion, answer "y" and press Enter.
  5. Delete the following system registry key value:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo Messengger" = "%System%\RVHOST.exe"
  6. Revert the modified registry key value to the following value:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Shell = "Explorer.exe"
  7. Delete the following files:
    %WinDir%\RVHOST.exe
    %System%\RVHOST.exe
  8. Delete all copies of the worm from removable disks.
  9. Update your antivirus databases and perform a full scan of the computer.
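The removal steps above, together with the removable-disk naming pattern described under Propagation, as a single PowerShell script. This is an added example, not Kaspersky's tool and not part of the original description. It assumes that %System% is System32 (SysWOW64 is checked as well, because a 32-bit dropper on 64-bit Windows is redirected there), that removable disks are logical disks of DriveType 2, that the default Winlogon Shell value is explorer.exe, and that the worm process shows up under the name RVHOST. By default it only reports; run it from an elevated prompt with -Remediate to remove what it finds, then update and scan as in step 9.

```powershell
# Added example (not Kaspersky's code): audit a host for the indicators in this
# description and, with -Remediate, remove them in the order of the manual steps.
param([switch]$Remediate)   # default: report only

$findings = New-Object 'System.Collections.Generic.List[string]'

# Step 1: the running worm process (Get-Process names omit the .exe extension).
foreach ($p in (Get-Process -Name 'RVHOST' -ErrorAction SilentlyContinue)) {
    $findings.Add("process RVHOST.exe (PID $($p.Id))")
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# Step 2 (the original dropped file) is not automated: its location is not fixed.

# Steps 3-4: the policy values that block Registry Editor and Task Manager.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $v = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) {
        $findings.Add("$polKey\$name = 1")
        if ($Remediate) { Remove-ItemProperty -Path $polKey -Name $name }
    }
}

# Step 5: the per-user Run value. The misspelled value name is the worm's own.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Yahoo Messengger'
if ($runVal) {
    $findings.Add("Run value 'Yahoo Messengger' = $runVal")
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'Yahoo Messengger' }
}

# Step 6: the Winlogon Shell value. Anything other than the bare default is suspect
# (assumed default: explorer.exe; -ne compares case-insensitively).
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$shell'")
    if ($Remediate) { Set-ItemProperty -Path $wlKey -Name 'Shell' -Value 'Explorer.exe' }
}

# Step 7: dropped copies. %System% is assumed to be System32; SysWOW64 is checked too,
# since a 32-bit dropper writing to System32 on 64-bit Windows is redirected there.
$dropped = @("$env:WINDIR\RVHOST.exe",
             "$env:WINDIR\System32\RVHOST.exe",
             "$env:WINDIR\SysWOW64\RVHOST.exe")
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("file $f")
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# Step 8: removable disks (assumed: DriveType 2). Two patterns: 'New Folder.exe' in the
# root, and for every folder D a file D\<name of D>.exe, the worm's folder-mimic copy.
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object { "$($_.DeviceID)\" }
foreach ($root in $roots) {
    $copies = @()
    $nf = Join-Path $root 'New Folder.exe'
    if (Test-Path -LiteralPath $nf) { $copies += $nf }
    $dirs = Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        $twin = Join-Path $d.FullName ($d.Name + '.exe')
        if (Test-Path -LiteralPath $twin) { $copies += $twin }
    }
    foreach ($c in $copies) {
        $findings.Add("removable-disk copy $c")
        if ($Remediate) { Remove-Item -LiteralPath $c -Force }
    }
}

$tag = if ($Remediate) { 'REMOVED' } else { 'FOUND' }
if ($findings.Count -eq 0) { Write-Output 'No indicators found.' }
foreach ($f in $findings) { Write-Output "${tag}: $f" }
```

Run it once without -Remediate and read the report before removing anything: a legitimate folder that happens to contain an executable of its own name would match the folder-mimic pattern, so check the file's size (220KB to 275KB, UPX-packed) before deleting. The HKLM Winlogon value needs an elevated prompt to change; the HKCU values can be cleaned by the affected user.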

Worm

Worms spread on computer networks via network resources. Unlike Net-Worms, a user must launch a Worm in order for it to be activated.

This kind of worm searches remote computer networks and copies itself to directories that are read/write accessible (if it finds any). Furthermore, these worms either use built-in operating system functions to search for accessible network directories and/or they randomly search for computers on the Internet, connect to them, and attempt to gain full access to the disks of these computers.

This category also covers those worms which, for one reason or another, do not fit into any of the other categories defined above (e.g. worms for mobile devices).


Aliases

Worm.Win32.AutoIt.c (Kaspersky Lab) is also known as:

  • Virus: W32/YahLover.worm.gen (McAfee)
  • W32/SillyFDC-AU (Sophos)
  • W32.Autoit.Obfus-2 (ClamAV)
  • Trj/Downloader.QMY (Panda)
  • W32/Worm.FRY (FPROT)
  • Worm:Win32/Nuqel.Q (MS(OneCare))
  • Win32.HLLW.Autoruner.311 (DrWeb)
  • Win32/Hakaglan.Z worm (Nod32)
  • Trojan.Autoit.TF (BitDef7)
  • Trojan.Autoit.BF (VirusBuster)
  • Win32:AutoRun-BM [Wrm] (AVAST)
  • Virus.Win32.AutoRun.jq (Ikarus)
  • Autoit.CN (AVG)
  • Worm/AutoRun.K (AVIRA)
  • W32.Imaut (NAV)
  • W32/Obfuscated.H2!genr (Norman)
  • W32/YahLover.worm.gen (NAI)
  • Worm.Win32.Agent.imy (Rising)
  • Worm.Win32.AutoIt.c [AVP] (FSecure)
  • WORM_YAHLOVER.AK (TrendMicro)
  • Trojan.Autoit.BF (VirusBusterBeta)