Worm.Win32.AutoRun.jw
| Detected | Jun 01 2007 13:14 GMT |
| Released | Sep 25 2009 14:18 GMT |
| Published | Jun 01 2007 13:14 GMT |
This file virus is a Windows PE EXE file. The file is 380 416 bytes in size. It is written in Delphi.
When launched, the virus copies its executable file as follows:
%System%\config\csrss.exe
%WinDir%\media\arona.exe
It also creates the following file:
%System%\logon.bat
When this file is run, it will launch a copy of the virus:
%System%\config\csrss.exe
In order to ensure that the virus is launched automatically when the system is rebooted, it adds a link to its executable file to the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"
The virus also creates the following files:
%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf
These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is run, it will launch a copy of the virus: %System%\config\csrss.exe.
The virus modifies values of the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1
It also searches the hard disk partitions listed below for files with an ".mp3" extension:
d:\
c:\
e:\
f:\
g:\
h:\
These files will then be deleted.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"
%System%\config\csrss.exe
%WinDir%\media\arona.exe
%System%\logon.bat
%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf
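The following PowerShell check is an added example, not part of the original description: it reports which of the file and registry artifacts listed above are present on a host. It assumes %System% is the System32 directory under $env:SystemRoot and %WinDir% is $env:WinDir; the variable names are illustrative.

```powershell
# Added example: read-only triage for the artifacts listed in this description.
# Assumptions: %System% is System32 under $env:SystemRoot, %WinDir% is $env:WinDir.
# Run elevated: System32\config is not readable by standard users.
$sys = Join-Path $env:SystemRoot 'System32'
$expectedSize = 380416   # file size stated in the description, in bytes

$files = @(
    (Join-Path $sys 'config\csrss.exe'),
    (Join-Path $env:WinDir 'media\arona.exe'),
    (Join-Path $sys 'logon.bat'),
    (Join-Path $sys 'config\autorun.inf')
)
# autorun.inf in the root of each drive letter named in the description
$files += 'f','g','h','i','j','k','l','o' | ForEach-Object { '{0}:\autorun.inf' -f $_ }

# HKCU values are per user: run this in the affected user's session.
$values = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';  Pattern = '^1$' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Pattern = '^1$' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';           Name = 'Worms';           Pattern = 'logon\.bat$' }
)

$findings = @()
foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path -Force   # -Force: the file may be hidden
    $note = ''
    if ($item.Extension -eq '.exe' -and $item.Length -eq $expectedSize) {
        $note = 'size matches the description'
    }
    if ($item.Name -eq 'autorun.inf') {
        # A legitimate autorun.inf can exist; the one described launches csrss.exe.
        $text = Get-Content -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($text -match 'csrss\.exe') { $note = 'references csrss.exe' }
    }
    $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = $note }
}
foreach ($v in $values) {
    $prop = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }
    $data = [string]$prop.($v.Name)
    if ($data -match $v.Pattern) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$($v.Key)\$($v.Name)"; Detail = $data }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'None of the listed artifacts were found for this user on this host.' }
```

The script only reads and deletes nothing. On 64-bit Windows a 32-bit process that writes to %System% is redirected to SysWOW64, so repeat the file checks against that directory as well.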
Worms spread on computer networks via network resources. Unlike Net-Worms, a user must launch a Worm in order for it to be activated.
This kind of worm searches remote computer networks and copies itself to directories that are read/write accessible (if it finds any). Furthermore, these worms use built-in operating system functions to search for accessible network directories and/or randomly search for computers on the Internet, connect to them, and attempt to gain full access to the disks of these computers.
This category also covers those worms which, for one reason or another, do not fit into any of the other categories defined above (e.g. worms for mobile devices).