Sophos

W32/AutoRun-GB


Summary

Affected operating systems Windows
Included in our products from August 2008 (4.32)
Protection available since 8 July 2008 07:19:03 (GMT)
Detected by All Sophos products

More Information

W32/AutoRun-GB is a worm for the Windows platform.

When first run, W32/AutoRun-GB copies itself to:
<Windows>\Tasks\csrss.exe
<Windows>\Tasks\<Filename>.bat
<Windows>\hackshen.exe

W32/AutoRun-GB creates the following files:
<Windows>\Tasks\wsock32.dll which is detected as Mal/Heuri-E
<Windows>\Tasks\At1.job
<Windows>\Tasks\hackshen.vbs
<Windows>\mfxixue.ini

W32/AutoRun-GB attempts to copy itself to removable drives and creates an autorun.inf file on those drives so that it is executed when they are inserted into a computer running the Windows operating system.
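The autorun.inf file described above only causes execution if it carries a launch directive. The following is an added example, not Sophos's code or part of this analysis, that parses an autorun.inf and reports which keys would launch a program; the sample file contents and the file name csrss.exe (taken from the drop locations listed above) are constructed for the example.

```python
import configparser

# Constructed sample of an autorun.inf of the kind AutoRun worms drop on
# removable drives. A benign autorun.inf normally sets only icon= and label=;
# open=, shellexecute= and a shell\<verb>\command override launch a program.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=csrss.exe
shellexecute=csrss.exe
shell\open\Command=csrss.exe
icon=%SystemRoot%\system32\shell32.dll,4
label=My Disk
"""

# Keys in the [autorun] section that run something on insertion / AutoPlay.
LAUNCH_KEYS = ("open", "shellexecute")


def autorun_launch_targets(inf_text):
    """Return {key: command} for every directive in [autorun] that would
    execute a program, either on insertion or when the drive is opened."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    cp.read_string(inf_text)
    targets = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            # shell\<verb>\command overrides the Explorer context-menu action
            is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
            if key in LAUNCH_KEYS or is_verb_cmd:
                targets[key] = value.strip()
    return targets


def is_suspicious_autorun(inf_text):
    """True when the file would run code rather than only set icon/label."""
    return bool(autorun_launch_targets(inf_text))


if __name__ == "__main__":
    for key, cmd in autorun_launch_targets(SAMPLE_AUTORUN_INF).items():
        print(f"{key} -> {cmd}")
```

Run against the autorun.inf found on a removable drive, a non-empty result means inserting the drive on a host with AutoRun enabled would execute the named file; an autorun.inf that sets only icon and label returns an empty dictionary.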

W32/AutoRun-GB looks for process names related to security software and attempts to terminate them.

W32/AutoRun-GB also spreads to other network computers.

W32/AutoRun-GB downloads the following files from preconfigured URLs and then runs them:
C:\WINDOWS\System32\wincap.exe
C:\WINDOWS\System32\arps.com
<Temp>\AECJ78BrDs.pif
C:\_default.pif

W32/AutoRun-GB looks for GHO files and attempts to delete them.

W32/AutoRun-GB modifies the hosts file to block access to antivirus websites.

The following registry entry is created to run amvo.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}
stubpath
%windir%\Tasks\hackshen.vbs
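Two of the indicators above are cheap to check on a suspect host: antivirus domains sinkholed in the hosts file, and an Active Setup Installed Components entry whose StubPath runs a script from the Tasks folder. The following is an added example, not Sophos's code or part of this analysis. The hosts file contents, the watched domain list and the benign-looking second Active Setup entry are constructed; the first Active Setup entry reproduces the key name and StubPath listed above.

```python
import re

# Constructed sample of a hosts file (on Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       update.example-av.test
0.0.0.0         downloads.example-av.test
"""

# Hypothetical list of security-vendor hosts a defender expects to reach.
WATCHED_DOMAINS = {"www.sophos.com", "update.example-av.test",
                   "downloads.example-av.test"}

# Addresses that effectively blackhole a name when placed in the hosts file.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_blocked_domains(hosts_text, watched):
    """Return the watched domains the hosts file maps to a blackhole address."""
    blocked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in watched and addr in BLACKHOLE_ADDRS:
                blocked.append(name.lower())
    return blocked


# (key name, StubPath) pairs as one would read them from
# HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components.
# First entry: the one described in this analysis. Second: constructed
# benign-looking entry with a well-formed GUID.
SAMPLE_ACTIVE_SETUP = [
    ("{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}",
     r"%windir%\Tasks\hackshen.vbs"),
    ("{89820200-ECBD-11cf-8B85-00AA005B4340}",
     r"regsvr32.exe /s /n /i:U shell32.dll"),
]

# Legitimate Active Setup component keys are GUIDs in 8-4-4-4-12 hex form.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".wsf", ".ps1")


def suspicious_active_setup(entries):
    """Return (key, stub_path, reasons) for entries that look like persistence:
    a malformed GUID key, a StubPath that runs a script, or a StubPath under
    the Tasks folder."""
    hits = []
    for key, stub in entries:
        reasons = []
        if not GUID_RE.match(key):
            reasons.append("malformed GUID key")
        low = stub.lower()
        if low.endswith(SCRIPT_EXT):
            reasons.append("StubPath runs a script")
        if "\\tasks\\" in low:
            reasons.append("StubPath under Tasks folder")
        if reasons:
            hits.append((key, stub, reasons))
    return hits


if __name__ == "__main__":
    print("blocked:", hosts_blocked_domains(SAMPLE_HOSTS, WATCHED_DOMAINS))
    for key, stub, reasons in suspicious_active_setup(SAMPLE_ACTIVE_SETUP):
        print(key, stub, ", ".join(reasons))
```

The GUID check is worth keeping even after this particular sample is gone: Active Setup runs every StubPath once per user at logon, and a key name that is not a valid GUID is something Windows itself never creates.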
