Short description
Win32/AutoRun.Spy.Agent.E is a worm that spreads via shared folders and on removable media.
Installation
The worm copies itself to the following location:
- %appdata%\servicehost.exe (191488 B)
The worm creates the following file:
- %appdata%\servicehost.dll (119296 B)
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Windows\WxS\_restore\value]
"SZKRNL" = %random1%
"SZBIN" = %random2%
"SZSIP" = %random3%
"22SC" = %random4%
"SZRKY" = %random5%
"SZRKYPTH" = %random6%
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Service Host" = "%appdata%\servicehost.exe"
Spreading on removable media
The worm copies itself into existing folders of removable drives. If successful, the following filename is used:
- %drive%\recycler\S-1-5-21-1060284298-507921405-725345543-1009\autorun.exe (191488 B)
The worm creates the following file:
- %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
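The file and Registry indicators listed above can be checked on a host with a short PowerShell function. This is an added example, not part of the original description; the function name Test-AutoRunSpyAgentE and its output fields are assumptions of the example, while the paths, value names and sizes are the ones given above.

```powershell
# Added example: checks the indicators listed in this description.
# Test-AutoRunSpyAgentE and the Type/Location/Detail fields are names chosen here.
function Test-AutoRunSpyAgentE {
    $hits = @()
    $add = { param($type, $where, $detail)
        [pscustomobject]@{ Type = $type; Location = $where; Detail = $detail } }

    # Files dropped in the current user's %appdata%, with the sizes given above.
    $files = @{ 'servicehost.exe' = 191488; 'servicehost.dll' = 119296 }
    foreach ($name in $files.Keys) {
        $path = Join-Path $env:APPDATA $name
        if (Test-Path -LiteralPath $path) {
            $len = (Get-Item -LiteralPath $path -Force).Length
            $hits += & $add 'File' $path "size $len B, listed size $($files[$name]) B"
        }
    }

    # Run-key value used for start-up persistence.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'Service Host' -ErrorAction SilentlyContinue
    if ($run) { $hits += & $add 'RunValue' $runKey $run.'Service Host' }

    # Key holding the worm's own values (their data is random, so match on names).
    $cfgKey = 'HKCU:\Software\Windows\WxS\_restore\value'
    $known = 'SZKRNL', 'SZBIN', 'SZSIP', '22SC', 'SZRKY', 'SZRKYPTH'
    if (Test-Path -LiteralPath $cfgKey) {
        $found = (Get-Item -LiteralPath $cfgKey).GetValueNames() |
            Where-Object { $known -contains $_ }
        if ($found) { $hits += & $add 'ConfigKey' $cfgKey ($found -join ', ') }
    }

    # Copy placed on removable drives, plus the autorun.inf beside it.
    $rel = 'recycler\S-1-5-21-1060284298-507921405-725345543-1009\autorun.exe'
    $drives = [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
    foreach ($d in $drives) {
        $copy = Join-Path $d.Name $rel
        if (Test-Path -LiteralPath $copy) {
            $hits += & $add 'RemovableCopy' $copy 'path matches the listed worm copy'
            $inf = Join-Path $d.Name 'autorun.inf'
            if (Test-Path -LiteralPath $inf) {
                $hits += & $add 'AutorunInf' $inf 'present on the same drive'
            }
        }
    }
    $hits
}
Test-AutoRunSpyAgentE | Format-Table -AutoSize -Wrap
```

Both %appdata% and HKEY_CURRENT_USER are per-user, so the function only sees the profile of the account that runs it and needs to be run once for each user on the machine.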
Information stealing
The worm collects the following information:
- operating system version
- computer name
Other information
The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet). The worm contains a list of (4) URLs. It can execute the following operations:
- download files from a remote computer and/or Internet
- run executable files
- spread via MSN network
- update itself to a newer version
- spread via shared folders and P2P networks (eMule, LimeWire, Ares, DC++)
