Short description
Win32/AutoRun.AAK is a worm that spreads via removable media. The file is run-time compressed using Astrum SFX.
Installation
When executed, the worm drops one of the following files in the %windir% folder:
- services.exe (86016 B)
- unisntlv32.exe (32768 B)
The following file is dropped into the %temp% folder:
- rememberthis.exe (28672 B)
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{%variable%}]
"StubPath" = "%windir%\unisntlv32.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\rememberthis.exe\rememberthis]
"Directory" = "%programfiles%\rememberthis"
"Version" = "1.00"
"Uninstaller" = "%windir%\rememberthis uninstaller.exe"
A string with variable content is used instead of %variable%.
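A defensive check for the registry entries listed above, as an added example that is not part of the original description: it parses `reg export` text and flags the Active Setup "StubPath" entry and the rememberthis key. The sample export, the placeholder names in braces and the C:\Windows location are constructed assumptions.

```python
import re

# Indicators from the description above, lower-cased for comparison.
STUB_TARGET = r"%windir%\unisntlv32.exe"
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup\installed components" + "\\"
WORM_KEY = r"hkey_local_machine\software\rememberthis.exe\rememberthis"

# Constructed sample export; the names in braces are placeholders, not real values.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-SAMPLE}]
"StubPath"="C:\\Windows\\unisntlv32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{BENIGN-SAMPLE}]
"StubPath"="C:\\Windows\\System32\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\rememberthis.exe\rememberthis]
"Directory"="C:\\Program Files\\rememberthis"
'''

def parse_reg_export(text):
    """Parse .reg text into {key: {name: data}}; only plain string values are read
    (hex-encoded types such as REG_EXPAND_SZ are skipped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
            if m:  # .reg files double the backslashes inside string data
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_indicators(keys, windir=r"C:\Windows"):
    """Return (key, value name, data) for entries matching the described indicators."""
    hits = []
    for key, values in keys.items():
        # 32-bit writes on 64-bit Windows land under WOW6432Node; fold that away.
        k = key.lower().replace("\\wow6432node", "")
        stub = values.get("StubPath", "").lower().replace(windir.lower(), "%windir%")
        if k.startswith(ACTIVE_SETUP) and stub == STUB_TARGET:
            hits.append((key, "StubPath", values["StubPath"]))
        elif k == WORM_KEY:
            hits.append((key, "Directory", values.get("Directory", "")))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE)):
        print(hit)
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to `parse_reg_export`.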
Spreading on removable media
The worm creates the following folders:
The following file is dropped in the same folder:
The worm creates the following file:
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Information stealing
The worm gathers information related to the following services:
The worm can send the information to a remote machine. It contains a URL, and the HTTP protocol is used.
Other information
The worm may create the following folders:
- %programfiles%\rememberthis
The worm may create the following files:
- %windir%\nerodigit32.inf
- %windir%\ulodb3.ini