How to delete Win32.AutoRun - Removal tool, fix instructions

Name: Win32.AutoRun

Aliases: Worm.Win32.AutoRun (Kaspersky), Spy-Agent.bw.gen.trojan (McAfee), W32.SillyFDC (Symantec)

Type: Worm

Size: Depends on version

First appeared on: October 10, 2007

Damage: Low

Brief Description: Win32.AutoRun is a worm that spreads via removable media.

Visible Symptoms: Win32.AutoRun creates the files listed below.

Technical description: When executed, the worm copies itself into the %programfiles%\Microsoft Common\ folder under the following filename:

wuauclt.exe

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe] "Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"

This causes the worm to be executed on every application start.

The worm creates and runs a new thread with its own program code within the following processes:

%system%\svchost.exe
%windir%\explorer.exe

The worm copies itself into the root folders of removable drives using the following name: system.exe

The following file is dropped in the same folder: autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The system.exe file is a copy of itself, while the autorun.inf contains the following strings:

[autorun]
;p
open=system.exe
;p
shellexecute=system.exe
;p
shell\Explore\command=system.exe
;p
shell\Open\command=system.exe
;p
shell=Explore
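As an added example (not part of the original entry), here is a small Python parser that reads an autorun.inf in the form quoted above, skips the ";p" comment lines, and lists every program the file would launch when the drive is opened. The sample text is constructed from the listing above; the function names are my own.

```python
from typing import Dict, List

# Constructed sample: the autorun.inf body quoted on this page, with the worm's
# ";p" comment lines kept, since a naive line-based check may trip on them.
SAMPLE_AUTORUN_INF = """[autorun]
;p
open=system.exe
;p
shellexecute=system.exe
;p
shell\\Explore\\command=system.exe
;p
shell\\Open\\command=system.exe
;p
shell=Explore
"""

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and ';' comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every program the file would run: open=/shellexecute= fire on insertion,
    shell\\<verb>\\command= replaces the Explorer context-menu verbs."""
    return [v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def is_suspicious(entries: Dict[str, str]) -> bool:
    """Flag a file that launches an executable or points the default verb at one."""
    targets = launch_targets(entries)
    return any(t.lower().endswith(EXECUTABLE_EXTENSIONS) for t in targets) or ("shell" in entries and bool(targets))
```

Run over the root of a removable drive, the same parser shows in one glance that both the insertion action and every Explorer verb point at system.exe.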

The worm contains a list of two URLs from which it tries to download several files over HTTP. The downloaded files are then executed.

The worm creates the following files: %temp%\%variable%.tmp (6656 B)

The worm may set the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit" = "%system%\userinit.exe,%variable1%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "%variable2%" = "%variable3%"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%variable4%" = "%variable5%:*:Enabled:%variable6%"

%variable1% through %variable6% stand for strings whose content varies from sample to sample.
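Added example, not from the original entry: a Python check for the registry persistence tricks described above (the IFEO Debugger value, extra Userinit entries, and Run values whose image borrows a system binary name from this page's file list but lives outside %system%). It runs over a constructed snapshot of those keys, with the %variable% placeholders filled by made-up names; on a live system the same dict would be built with winreg. The masquerade heuristic is my own, not something the entry states.

```python
import ntpath
from typing import Dict, List

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# System binary names the worm borrows (all taken from this page's file list).
MASQUERADE_NAMES = {"svchost.exe", "wuauclt.exe", "csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe"}

# Constructed snapshot in the shape {key path: {value name: data}}; the page's
# %variable% placeholders are filled with made-up sample names.
SAMPLE_REGISTRY = {
    IFEO + r"\explorer.exe": {"Debugger": r"C:\Program Files\Microsoft Common\wuauclt.exe"},
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\kavo.exe"},
    RUN: {"Updater": r"C:\Program Files\Microsoft Common\svchost.exe"},
}


def masquerades(image: str) -> bool:
    """True if a Windows system binary name is used outside the system directory."""
    folder, name = ntpath.split(image.strip('"'))
    return name.lower() in MASQUERADE_NAMES and not folder.lower().endswith(("\\system32", "\\syswow64"))


def find_persistence(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Report the persistence entries this page describes, one finding per line."""
    findings: List[str] = []
    for path, values in reg.items():
        low = path.lower()
        if low.startswith(IFEO.lower() + "\\") and "Debugger" in values:
            # A Debugger value makes Windows run that program in place of the image.
            image = path.rsplit("\\", 1)[-1]
            findings.append("IFEO Debugger set for %s -> %s" % (image, values["Debugger"]))
        elif low == WINLOGON.lower():
            # A clean Userinit holds exactly one entry: userinit.exe (a trailing comma is normal).
            parts = [p.strip() for p in values.get("Userinit", "").split(",") if p.strip()]
            if not parts or not parts[0].lower().endswith("userinit.exe"):
                findings.append("Userinit does not start with userinit.exe: %r" % values.get("Userinit"))
            for extra in parts[1:]:
                findings.append("extra Userinit entry: " + extra)
        elif low == RUN.lower():
            for name, cmd in values.items():
                if masquerades(cmd):
                    findings.append("Run value %r masquerades as a system binary: %s" % (name, cmd))
    return findings
```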

The virus may also create the following files:

%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf

These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is run, it will launch a copy of the virus: %System%\config\csrss.exe.

Win32.AutoRun may infect the following files:


Propagation: Win32.AutoRun is a family of worms that spread via USB disks or network share disks. The worm tries to download and execute several files from the Internet.

Removal instruction:

1. Disable System Restore.
2. Delete the registry values created by the virus.
3. Remove the files dropped by the virus (e.g., wuauclt.exe and autorun.inf). Do not delete system files!
4. Use the free removal tool from Kaspersky Labs.