Win32/AutoRun.NAT
Short description
Win32/AutoRun.NAT is a file infector. It is able to spread via shared folders and removable media. The virus can download and execute a file from the Internet.
Installation
The virus attempts to replace the following files with a copy of itself:
- %system%\appmgmts.dll
- %system%\browser.dll
- %system%\cryptsvc.dll
- %system%\es.dll
- %system%\mspmsnsv.dll
- %system%\mswsock.dll
- %system%\netman.dll
- %system%\ntmssvc.dll
- %system%\pchsvc.dll
- %system%\qmgr.dll
- %system%\regsvc.dll
- %system%\shsvcs.dll
- %system%\schedsvc.dll
- %system%\ssdpsrv.dll
- %system%\tapisrv.dll
- %system%\upnphost.dll
- %system%\xmlprov.dll
- %system%\%variable%.dll
- %variable%
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs" = "%variable%"
- %system%\drivers\%random%.sys
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random%]
"Start" = 3
"Type" = 1
"ImagePath" = "%system%\drivers\%random%.sys"
The virus may create the following files:
- C:\Documents and Settings\Infotmp.txt
- C:\Users\Infotmp.txt
Executable file infection
Win32/AutoRun.NAT is a file infector. The virus searches local and network drives for files with one of the following extensions:
- .exe
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The size of the inserted code is 74 kB.
Spreading on removable media
The virus copies itself into existing folders of removable drives. The following filename is used:
- %drive%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
- %drive%\autorun.inf
Spreading via shared folders
The virus searches for computers in the local network. It tries to copy itself into the root folder of the C: drive on a remote machine using the following filename:
- CONFIG.exe
The following usernames are used:
- Administrator
- Guest
- admin
- Root
- 0
- 000000
- 007
- 1
- 110
- 111
- 1111
- 111111
- 11111111
- 12
- 121212
- 123
- 123123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234qwer
- 123abc
- 123asd
- 123qwe
- 1313
- 2002
- 2003
- 2112
- 2600
- 5150
- 520
- 5201314
- 54321
- 654321
- 6969
- 7777
- 88888888
- 901100
- a
- aaa
- abc
- abc
- abc123
- abcd
- admin
- admin123
- administrator
- alpha
- asdf
- baseball
- ccc
- computer
- database
- enable
- fish
- fuck
- fuckyou
- god
- godblessyou
- golf
- harley
- home
- ihavenopass
- letmein
- login
- Login
- love
- mustang
- mypass
- mypass123
- mypc
- mypc123
- owner
- pass
- pass
- passwd
- password
- pat
- patrick
- pc
- pussy
- pw
- pw123
- pwd
- qq520
- qwer
- qwerty
- root
- server
- sex
- shadow
- super
- sybase
- temp
- temp123
- test
- test123
- win
- xp
- xxx
- yxcv
- zxcv
Other information
The virus checks for Internet connectivity by trying to connect to the following servers:
- www.baidu.com
The file is stored in the following location:
- %temp%\%variable%.rar
The file is then executed.
Win32/AutoRun.NAT is a virus that steals sensitive information.
The following information is collected:
- list of running processes
- network adapter information
The virus terminates various security related applications.
The following programs are terminated:
- 360hotfix.exe
- 360rp.exe
- 360rpt.exe
- 360safe.exe
- 360safebox.exe
- 360sd.exe
- 360se.exe
- 360SoftMgrSvc.exe
- 360SoftMgrSvc.exe
- 360speedld.exe
- 360tray.exe
- 360tray.exe
- ast.exe
- avcenter.exe
- avgnt.exe
- avguard.exe
- avguard.exe
- avmailc.exe
- avp.exe
- avp.exe
- avp.exe
- avwebgrd.exe
- bdagent.exe
- CCenter.exe
- ccSvcHst.exe
- ccSvcHst.exe
- ccSvcHst.exe
- ÐÞ¸´¹¤¾ß.exe
- egui.exe
- ekrn.exe
- kavstart.exe
- kissvc.exe
- kmailmon.exe
- kpfw32.exe
- kpfwsvc.exe
- krnl360svc.exe
- kswebshield.exe
- KVMonXP.kxp.KVSrvXP.exe
- kwatch.exe
- livesrv.exe
- Mcagent.exe
- mcmscsvc.exe
- McNASvc.exe
- Mcods.exe
- McProxy.exe
- McSACore.exe
- Mcshield.exe
- mcsysmon.exe
- mcvsshld.exe
- MpfSrv.exe
- MPMon.exe
- MPSVC.exe
- MPSVC1.exe
- MPSVC2.exe
- msksrver.exe
- qutmserv.exe
- RavMonD.exe
- RavTask.exe
- RsAgent.exe
- rsnetsvr.exe
- RsTray.exe
- safeboxTray.exe
- ScanFrm.exe
- seccenter.exe
- SfCtlCom.exe
- sched.exe
- sched.exe
- TMBMSRV.exe
- TmProxy.exe
- UfSeAgnt.exe
- vsserv.exe
- zhudongfangyu.exe
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe]
"debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe]
"debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe]
"debugger" = "ntsd -d"
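One way to check a registry export for the Image File Execution Options "debugger" entries listed above. This is an added example, not part of the original description; the function name and the sample export are constructed for illustration, and the input is assumed to be text in .reg export format.

```python
import re

# Key header such as [HKEY_LOCAL_MACHINE\...\Image File Execution Options\avp.exe];
# "[-HKEY..." (a key deletion in a .reg file) is deliberately not matched.
IFEO_KEY = re.compile(
    r"^\[(?!-)[^\]]*\\Image File Execution Options\\([^\\\]]+)\]$", re.I)
# String value line, with or without spaces around "=" (the page prints spaces).
STR_VALUE = re.compile(r'^"([^"]+)"\s*=\s*"((?:[^"\\]|\\.)*)"$')

# Constructed sample in .reg export format; not taken from an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe]
"debugger" = "ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"debugger"="ntsd -d"
'''

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger, matches_page) for each IFEO key with a Debugger value.

    matches_page is True when the command is "ntsd -d", the value this page lists.
    """
    hits, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # new key: remember image name if IFEO
            m = IFEO_KEY.match(line)
            image = m.group(1) if m else None
            continue
        v = STR_VALUE.match(line) if image else None
        if v and v.group(1).lower() == "debugger":   # value names are case-insensitive
            data = re.sub(r"\\(.)", r"\1", v.group(2))   # undo .reg escaping
            matches_page = data.lower().split()[:2] == ["ntsd", "-d"]
            hits.append((image, data, matches_page))
    return hits

if __name__ == "__main__":
    for image, debugger, matches_page in find_ifeo_debuggers(SAMPLE_REG):
        tag = "matches page pattern" if matches_page else "review"
        print(f"{image}: Debugger={debugger!r} [{tag}]")
```

A Debugger value is also set by legitimate tools, so entries that do not match the value listed on this page call for review rather than automatic removal.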
