WORM_AUTORUN.VT
Trojan:Win32/Agent.OO (Microsoft), Worm.Win32.AutoRun.ecj (Kaspersky), W32.Whybo.Z (Symantec), Generic Malware.ja (NAI), Mal/Packer (Sophos), BehavesLike.Win32.Malware.eah (mx-v) (Sunbelt), WORM/Rbot.Gen (Antivir), W32/Heuristic-210!Eldorado (Authentium), Dropped:BAT.Delete.YBC (Bitdefender), Trojan.Crypted-2 (Clamav), PossibleThreat (Fortinet), W32/Heuristic-210!Eldorado (not disinfectable) (Fprot), BehavesLikeWin32.Malware (Ikarus), a variant of Win32/Small.NO trojan (NOD32), Trojan.Win32.Small.102210 (VBA32)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes registry entries, causing some applications and programs to not function properly.
It connects to a website to send and receive information.
It deletes the initially executed copy of itself.
TECHNICAL DETAILS
File size: 25,088 bytes
File type: EXE
Initial samples received: 15 Apr 2011
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops a copy of itself as the following file:
- %System%\drivers\svchost.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following non-malicious file:
- %User Temp%\rs.bat
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Autostart Technique
This worm modifies the following registry entry to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
ImagePath = %SystemRoot%\system32\drivers\svchost.exe
(Note: The default value data of the said registry entry is %SystemRoot%\system32\drivers\svchost.exe -k netsvcs.)
Other System Modifications
This worm deletes the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
ServiceDll = %System%\wuauserv.dll
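As an added defender-side check, not part of the original write-up, the following Python parses the text of `reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /s` and flags the two modifications described above: an ImagePath redirected into the drivers folder without the "-k netsvcs" argument, and a Parameters\ServiceDll value that has been deleted. Both registry dumps are constructed samples, and the clean baseline assumes the legitimate host command line is %SystemRoot%\system32\svchost.exe -k netsvcs.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of `reg query <key> /s` output: ImagePath repointed
# to drivers\svchost.exe without "-k netsvcs", and Parameters stripped of ServiceDll.
INFECTED_DUMP = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\\system32\\drivers\\svchost.exe

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Parameters
"""

# Constructed baseline; assumes the service host is System32\svchost.exe -k netsvcs.
CLEAN_DUMP = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\\system32\\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\\system32\\wuauserv.dll
"""

WUAUSERV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv"


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `reg query /s` text into {key path: {value name: data}}."""
    tree: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented line = key path
            current = raw.strip()
            tree.setdefault(current, {})
            continue
        # indented line = "<name>    <type>    <data>"; data may be empty
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        tree.setdefault(current, {})[parts[0]] = parts[2] if len(parts) == 3 else ""
    return tree


def check_wuauserv(tree: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings matching this worm's registry changes; empty list means clean."""
    findings: List[str] = []
    image = tree.get(WUAUSERV, {}).get("ImagePath", "")
    if "\\drivers\\" in image.lower():
        findings.append("ImagePath points into the drivers folder: " + image)
    if "-k netsvcs" not in image.lower():
        findings.append("ImagePath lacks the '-k netsvcs' service-host argument")
    if "ServiceDll" not in tree.get(WUAUSERV + "\\Parameters", {}):
        findings.append("Parameters\\ServiceDll is missing (deleted by the worm)")
    return findings
```

On a live host, pipe the output of the `reg query ... /s` command into `parse_reg_query` and treat any non-empty result from `check_wuauserv` as a trigger to inspect %System%\drivers\svchost.exe.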
Backdoor Routine
This worm connects to the following websites to send and receive information:
- {BLOCKED}99.{BLOCKED}8.org
- {BLOCKED}99.{BLOCKED}8.org:80
Other Details
This worm deletes the initially executed copy of itself.