Win32/Autoit.LO [Threat Name] go to Threat

Win32/Autoit.LO [Threat Variant Name]

Category worm
Size 1579520 B
Detection created Nov 25, 2014
Detection database version 10778
Aliases Trojan.Win32.AutoIt.cfo (Kaspersky)
  Trojan.MulDrop6.51866 (Dr.Web)
  Worm:AutoIt/Ippedo.A (Microsoft)
Short description

Win32/Autoit.LO is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.


When executed, the worm creates the following files:

  • %temp%\­Systema\­AutoIt3.exe (934400 B)
  • %temp%\­Systema\­GoogleUpdate.a3x (87494 B, Win32/Autoit.LO)
  • C:\­Google\­AutoIt3.exe (934400 B)
  • C:\­Google\­GoogleUpdate.a3x (87494 B, Win32/Autoit.LO)

The C:\Google\ folder may have the System (S) and Hidden (H) attributes set in attempt to hide the folder in Windows Explorer.

The worm creates the following files:

  • C:\­Google\­Windowsupdate.lnk
  • C:\­Google\­GoogleUpdate.lnk

These are shortcuts to files of the worm .

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Windows Update" = "C:\­Google\­Windowsupdate.lnk"
    • "AdopeUpdate" = "C:\­Google\­GoogleUpdate.lnk"
    • "AdopeFlash" = "C:\­Google\­AutoIt3.exe /AutoIt3ExecuteScript C:\­Google\­GoogleUpdate.a3x"

The worm creates the following files:

  • %commonstartup%\­Windows Update.lnk
  • %commonstartup%\­GoogleUpdate.lnk

These are shortcuts to files of the worm .

This causes the worm to be executed on every system start.

The worm executes the following files:

  • %temp%\­Systema\­AutoIt3.exe %temp%\­Systema\­GoogleUpdate.a3x
  • C:\­Google\­AutoIt3.exe /AutoIt3ExecuteScript C:\­Google\­GoogleUpdate.a3x
  • cmd.exe /c start C:\­Google\­AutoIt3.exe C:\­Google\­GoogleUpdate.a3x

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0

The worm attempts to delete the following file:

  • %workingfolder%\­googleupdate.vbs

The worm terminates its execution if it detects that it's running in a specific virtual environment.

Worm quits immediately if it detects loaded module within its own process containing one of the following strings in its name:

  • snxhk.dll
  • tracer.dll
  • SbieDll.dll
  • api_log.dll
  • dir_watch.dll
  • dbghelp.dll
  • monitornet.dll
  • cuckoo
  • SandCastle
  • sandbox

The worm quits immediately if it detects a running process containing one of the following strings in its name:

  • VBoxService.exe
  • VBoxTray.exe
  • guninraik.exe
  • SbieSvc.exe
  • VMwareTray.exe
  • VMwareUser.exe
  • VMwareService.exe
  • VMwareUser.exe
  • FortiTracer.exe
  • vmacthlp.exe
  • vmtoolsd.exe
  • BehaviorDumper.exe
  • FakeServer.exe
  • FakeHTTPServer.exe

The worm quits immediately if the executable file path contains one of the following strings:

  • artifact
  • sample
  • C:\­virus\­%malwarefilename%
  • C:\­%malwarefilename%

The worm quits immediately if any of the following folders/files is detected:

  • C:\­CWSandbox\­
  • C:\­python26\­
  • C:\­cuckoo\­

The worm searches for available local and removable drives.

The worm creates copies of the following files (source, destination):

  • C:\­Google\­Windowsupdate.lnk, %drive%\­Systema\­Windowsupdate.lnk
  • C:\­Google\­GoogleUpdate.lnk, %drive%\­Systema\­GoogleUpdate.lnk
  • C:\­Google\­AutoIt3.exe, %drive%\­Systema\­AutoIt3.exe
  • C:\­Google\­GoogleUpdate.a3x, %drive%\­Systema\­GoogleUpdate.a3x

The worm searches for files and folders in the root folders of removable drives.

When searching the drives, the worm creates the following file in every folder visited:

  • %foundfoldername%.lnk

The file is a shortcut to a malicious file.

The worm creates the following files:

  • %drive%\­My Games.lnk
  • %drive%\­My Pictuers.lnk
  • %drive%\­My Videos.lnk
  • %drive%\­Hot.lnk
  • %drive%\­Downloads.lnk
  • %drive%\­Movies.lnk

These are shortcuts to files of the worm .

Information stealing

The worm collects the following information:

  • computer name
  • user name
  • volume serial number
  • country
  • operating system version
  • installed antivirus software

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a URL address. The TCP protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • visit a specific website
  • simulate user's input (clicks, taps)
  • stop itself for a certain time period
  • update itself to a newer version
  • display a dialog window
  • execute shell commands
  • log off the current user
  • shut down/restart the computer

The worm sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Please enable Javascript to ensure correct displaying of this content and refresh this page.