Threat Encyclopedia

Short description
Win32/Autorun.KS is a worm that spreads via removable media. The worm contains a backdoor. The file is run-time compressed using Petite.
Installation
The worm creates and runs a new thread with its own program code within the following processes:
  • explorer.exe

When executed, the worm creates the following folder:
  • C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\

The following files are dropped in the same folder:
  • vsounds.exe (38400 B)
  • Desktop.ini (62 B)

The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
    "StubPath" = "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vsounds.exe"
The following Registry entry is deleted:
  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components]
    "{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}"
Spreading on removable media
The worm creates the following folders:
  • %drive%\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\


The following files are dropped in the same folder:
  • vsounds.exe (38400 B)
  • Desktop.ini (62 B)

The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
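The file-system artifacts listed above can be checked on a mounted volume with a short triage script. This is an added example, not part of the original entry; the function names are hypothetical, and the sample volume it builds contains only zero-filled placeholder files of the listed sizes.

```python
import os
import tempfile

# Indicators taken from the write-up above.
SID_DIR = "S-1-5-21-1482476501-1644491937-682003330-1013"
DROPPED = {"vsounds.exe": 38400, "Desktop.ini": 62}  # file name -> size in bytes

def _find_ci(parent, name):
    """Return the path of `name` inside `parent`, matched case-insensitively
    (the volume may be examined from a case-sensitive OS), else None."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:  # unreadable, missing, or not a directory
        pass
    return None

def scan_volume(root):
    """Check one volume root for the listed artifacts.
    Returns (indicator, detail) tuples; an empty list means no match.
    autorun.inf alone is weak evidence, since legitimate media ship one too."""
    hits = []
    autorun = _find_ci(root, "autorun.inf")
    if autorun and os.path.isfile(autorun):
        hits.append(("autorun.inf", autorun))
    recycler = _find_ci(root, "RECYCLER")
    sid_dir = _find_ci(recycler, SID_DIR) if recycler else None
    if sid_dir and os.path.isdir(sid_dir):
        hits.append(("folder", sid_dir))
        for name, size in DROPPED.items():
            path = _find_ci(sid_dir, name)
            if path and os.path.isfile(path):
                actual = os.path.getsize(path)
                note = "size matches" if actual == size else f"size {actual} != {size}"
                hits.append((name, f"{path} ({note})"))
    return hits

def build_sample_volume(root):
    """Constructed fixture: zero-filled placeholder files of the listed sizes."""
    folder = os.path.join(root, "RECYCLER", SID_DIR)
    os.makedirs(folder)
    for name, size in DROPPED.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"\0" * size)
    open(os.path.join(root, "autorun.inf"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        for indicator, detail in scan_volume(tmp):
            print(indicator, "->", detail)
```

A size mismatch is reported rather than ignored, because a matching name with a different size still warrants a look.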
Payload information
Win32/Autorun.KS installs a backdoor that can be controlled remotely.

The backdoor connects to the following address:
  • naseb.nad123nad.com
The IRC protocol is used.

The backdoor can execute the following operations:
  • perform DoS/DDoS attacks