The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Oct 30 2007 13:13 GMT
Released Oct 30 2007 13:55 GMT

This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.


Technical details

File size of 333824 bytes.


Makes copies of itself with the following names once launched:

  • Windows directory (usually, C:\Windows)%Windir%\winlogon.exe

Creates the following files on an infected computer:

  • Directory for storage of temporary files on Windows OS (usually, C:\Documents and Settings\\Local Settings\Temp)%Temp%\55.bat

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

using system services:
Service name:Windows Firewall
Displayed service name:Windows Firewall
Startup parameters Windows directory (usually, C:\Windows)%Windir%\winlogon.exe
Startup type:­automatic­

Other activities

Runs the following files (commands):

  • Windows directory (usually, C:\Windows)%Windir%\winlogon.exe (­implements multiple launch­)

Deletes the following files on an infected computer:

  • <­path to source program­><­file of source program ­>
  • Windows directory (usually, C:\Windows)%Windir%\winlogon.exe

Bookmark and Share

Worms spread on computer networks via network resources. Unlike Net-Worms, a user must launch a Worm in order for it to be activated.

This kind of worm searches remote computer networks and copies itself to directories that are read/write accessible (if it finds any). Furthermore, these worms either use built-in operating system functions to search for accessible network directories and/or they randomly search for computers on the Internet, connect to them, and attempt to gain full access to the disks of these computers.

This category also covers those worms which, for one reason or another, do not fit into any of the other categories defined above (e.g. worms for mobile devices).

Other versions


Worm.Win32.AutoRun.aol (Kaspersky Lab) is also known as:

  • Virus.Win32.AutoRun.zf (Kaspersky Lab)
  • {no name} (FPROT)
  • BackDoor.Attacker (DrWeb)
  • GenPack:Backdoor.Graybird.PD (BitDef7)
  • Backdoor.Win32.GrayBird.px (Ikarus)
  • SHeur.WCI (AVG)
  • BDS/Graybird.PD.18 (AVIRA)
  • Worm.Win32.Autorun.iwn (Rising)