Win32/AutoRun.Autoit.CT
Short description
Win32/AutoRun.Autoit.CT is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.
Installation
When executed, the worm creates the following files:
- %windir%\cysrun.exe (280491 B)
- %windir%\cyswin.exe (297653 B)
- %windir%\cysusb.exe (279823 B)
- %temp%\Set0x8.dat (1137995 B)
- %temp%\Set0x4.dat (297653 B)
- %temp%\Set0x2.dat (280491 B)
- %temp%\Set0x12.dat (279823 B)
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cyswin" = "%windir%\cyswin.exe"
"Cysrun" = "%windir%\cysrun.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2
"ShowSuperHidden" = 0
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following filename:
- %drive%\Cysset.exe (1137995 B)
- autorun.inf
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm connects to the following addresses:
- irc.freenode.net
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- terminate running processes
- operating system version
- user name
- computer IP address
- computer name
- list of running processes
The following programs are terminated:
- attrib.exe
- combofix.exe
- killbox.exe
- msconfig.exe
- procexp.exe
- taskkill.exe
- tasklist.exe
- taskmgr.exe
- Pocket Killbox
- Process Explorer
- %windir%\Winysys.conf
- %temp%\MsDos.Txt
- %temp%\Setting2x.Conf
- %temp%\Setting4x.Conf
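A read-only host check for the artifacts listed under Installation and Spreading on removable media, added here as an example and not part of the original description. It assumes a live Windows host. The WOW6432Node Run key (where a 32-bit process's writes land on 64-bit Windows) and the test for whether autorun.inf mentions Cysset.exe are additions not stated on this page. The two Explorer values are left out because Hidden = 2 and ShowSuperHidden = 0 are also the Windows defaults.

```powershell
# Added example: reports artifacts from this description; changes nothing on the host.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($type, $item, $detail) {
    $findings.Add([pscustomobject]@{ Type = $type; Item = $item; Detail = $detail })
}

# Dropped files with the sizes (bytes) given in the description.
$files = [ordered]@{
    "$env:windir\cysrun.exe" = 280491
    "$env:windir\cyswin.exe" = 297653
    "$env:windir\cysusb.exe" = 279823
    "$env:TEMP\Set0x8.dat"   = 1137995
    "$env:TEMP\Set0x4.dat"   = 297653
    "$env:TEMP\Set0x2.dat"   = 280491
    "$env:TEMP\Set0x12.dat"  = 279823
}
foreach ($entry in $files.GetEnumerator()) {
    # -Force is required: the worm's Explorer settings keep hidden files out of view.
    $f = Get-Item -LiteralPath $entry.Key -Force -ErrorAction SilentlyContinue
    if ($f) {
        $cmp = if ($f.Length -eq $entry.Value) { 'matches' } else { 'differs from' }
        Add-Finding 'File' $entry.Key "$($f.Length) B, $cmp listed $($entry.Value) B"
    }
}

# Autostart values. The second key is the 32-bit registry view (assumption, see lead-in).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($name in 'Cyswin', 'Cysrun') {
        if ($values -and $values.PSObject.Properties[$name]) {
            Add-Finding 'RunValue' "$key\$name" $values.$name
        }
    }
}

# Root folders of removable drives (Win32_LogicalDisk DriveType 2).
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    $exe = Get-Item -LiteralPath "$($disk.DeviceID)\Cysset.exe" -Force -ErrorAction SilentlyContinue
    $inf = Get-Item -LiteralPath "$($disk.DeviceID)\autorun.inf" -Force -ErrorAction SilentlyContinue
    if ($exe) { Add-Finding 'Removable' $exe.FullName "$($exe.Length) B (listed 1137995 B)" }
    if ($inf) {
        # autorun.inf alone is common on legitimate media; note whether it names the worm's copy.
        $refs = Select-String -LiteralPath $inf.FullName -Pattern 'Cysset\.exe' -Quiet
        Add-Finding 'Removable' $inf.FullName "mentions Cysset.exe: $([bool]$refs)"
    }
}
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed artifacts found.' }
```

%temp% is per user, so run the check in the context of each profile being examined.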
