Win32/AutoRun.Agent.RV [Threat Name]

Win32/AutoRun.Agent.RV [Threat Variant Name]

Category: worm
Size: 34816 B
Aliases:
  Trojan-Dropper.Win32.Agent.bcuk (Kaspersky)
  Trojan.Horse (Symantec)
  Generic.Dropper!bcm (McAfee)

Short description

Win32/AutoRun.Agent.RV is a worm that spreads by copying itself into the root folders of available drives. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:

  • %system%\IME\svchost.exe (34816 B)

The following files are dropped into the %system% folder:

  • help.cpp (21504 B)
  • help.dll (21504 B)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\helper]
    • "DllName" = "help.dll"
    • "Startup" = "help"
    • "Asynchronous" = 1
    • "Impersonate" = 0

Spreading

Win32/AutoRun.Agent.RV is a worm that spreads by copying itself into the root folders of available drives.

The following filename is used:

  • setup.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
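
The file indicators from the Installation and Spreading sections can be checked against a mounted disk image or a removable drive during triage. The script below is an added example, not part of the original description; the function names are its own, and the caller supplies the directory that corresponds to %system% on the examined volume.

```python
import os
import sys

# Paths relative to %system% and sizes in bytes, as listed in the description.
SYSTEM_FILES = {"IME/svchost.exe": 34816, "help.cpp": 21504, "help.dll": 21504}
WORM_COPY_NAME, WORM_COPY_SIZE = "setup.exe", 34816


def resolve(base, relpath):
    """Walk relpath under base ignoring case (Windows volumes mounted on a
    case-sensitive host); return the real path, or None if absent."""
    path = base
    for part in relpath.split("/"):
        try:
            names = os.listdir(path)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def check_system_dir(system_dir):
    """Return {relpath: 'size match' | 'name only'} for listed files found."""
    hits = {}
    for rel, size in SYSTEM_FILES.items():
        path = resolve(system_dir, rel)
        if path and os.path.isfile(path):
            same = os.path.getsize(path) == size
            hits[rel] = "size match" if same else "name only"
    return hits


def check_drive_root(root):
    """Flag a drive root holding both setup.exe and autorun.inf.
    Returns None, 'name only' or 'size match' (setup.exe is 34816 B)."""
    exe = resolve(root, WORM_COPY_NAME)
    inf = resolve(root, "autorun.inf")
    if not (exe and inf and os.path.isfile(exe) and os.path.isfile(inf)):
        return None
    return "size match" if os.path.getsize(exe) == WORM_COPY_SIZE else "name only"


if __name__ == "__main__":
    for root in sys.argv[1:]:  # drive roots or mount points to examine
        print(root, check_drive_root(root))
```

A name and size match is a triage lead rather than a confirmation, since the description lists no file hashes and setup.exe beside autorun.inf is also common on legitimate install media.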

Other information

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
    • "(Default)" = ""%program files%\Internet Explorer\iexplore.exe" www.nvrende.com"
