Win32/AutoRun.KS [Threat Name]

Win32/AutoRun.KS [Threat Variant Name]

Category: worm
Size: 38400 B
Aliases: W32.SillyFDC (Symantec)
  Worm.Win32.AutoRun.fgj (Kaspersky)
  WORM_AUTORUN.DNN (TrendMicro)
Short description

Win32/Autorun.KS is a worm that spreads via removable media. The worm contains a backdoor. The file is run-time compressed using Petite.

Installation

When executed, the worm creates the following folder:

  • C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\

The following files are dropped in the same folder:

  • vsounds.exe (38400 B)
  • Desktop.ini (62 B)

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
    • "StubPath" = "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vsounds.exe"

The following Registry entry is deleted:

  • [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components]
    • "{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}"

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

Spreading on removable media

The worm creates the following folders:

  • %drive%\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\

The following files are dropped in the same folder:

  • vsounds.exe (38400 B)
  • Desktop.ini (62 B)

The worm creates the following file:

  • %drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
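One way to hunt for the indicators listed in the Installation and Spreading sections above, as an added example (not ESET's code, and not the worm's own files): it parses a .reg export of the Active Setup Installed Components key and the contents of an autorun.inf, and flags any StubPath or open=/shellexecute= entry that launches an executable from a SID-named RECYCLER folder, as well as a component id that is not a well-formed CLSID (the id on this page contains 'X' characters, which cannot occur in a real GUID). The Active Setup key, component id and StubPath are taken from the page; the function names, the second normal-looking component and the autorun.inf text are assumptions constructed for the example.

```python
"""Hunt for the persistence and spreading indicators described above in a
Windows registry export (.reg text) and an autorun.inf file.

Added illustration, not ESET's code or the worm's own files. The Active Setup
key, component id and StubPath come from the page; both sample inputs below
are constructed (the page does not reproduce the worm's autorun.inf).
"""
import re
from typing import Dict, List, Tuple

RegExport = Dict[str, Dict[str, str]]

ACTIVE_SETUP_PREFIX = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
)
# An executable inside a RECYCLER (Windows XP recycle bin) folder named like a SID.
RECYCLER_EXE_RE = re.compile(
    r"\\RECYCLER\\S-1-5-21(?:-\d+)+\\[^\\]+\.exe$", re.IGNORECASE
)
# A well-formed CLSID consists of hex digits only; the page's id contains 'X'.
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$",
    re.IGNORECASE,
)


def parse_reg_export(text: str) -> RegExport:
    """Parse the subset of .reg syntax used for string values: [key] headers
    and "name"="data" lines (backslashes inside data are stored doubled)."""
    keys: RegExport = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, data = line[1:-1].partition('"="')
            keys[current][name] = data.replace("\\\\", "\\")
    return keys


def find_active_setup_stubpaths(reg: RegExport) -> List[Tuple[str, str]]:
    """Return (component id, StubPath) for every HKLM Installed Components entry."""
    found = []
    for key, values in reg.items():
        if key.upper().startswith(ACTIVE_SETUP_PREFIX.upper()) and "StubPath" in values:
            found.append((key[len(ACTIVE_SETUP_PREFIX):], values["StubPath"]))
    return found


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section with lower-cased keys."""
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, _, v = line.partition("=")
            values[k.strip().lower()] = v.strip()
    return values


def hunt(reg_text: str, autorun_text: str = "") -> List[str]:
    """Return one finding string per suspicious persistence or autorun entry."""
    findings = []
    for component, stub in find_active_setup_stubpaths(parse_reg_export(reg_text)):
        reasons = []
        if RECYCLER_EXE_RE.search(stub):
            reasons.append("StubPath runs an executable from a SID-named RECYCLER folder")
        if not GUID_RE.match(component):
            reasons.append("component id is not a well-formed CLSID")
        if reasons:
            findings.append(f"Active Setup {component}: " + "; ".join(reasons))
    autorun = parse_autorun_inf(autorun_text)
    for key in ("open", "shellexecute"):
        target = autorun.get(key)
        # Relative paths in autorun.inf resolve against the drive root.
        if target and RECYCLER_EXE_RE.search("\\" + target.replace("/", "\\")):
            findings.append(f"autorun.inf {key}= launches {target}")
    return findings


# Constructed registry export: the page's entry plus a normal-looking component.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
"StubPath"="C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\vsounds.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}]
"StubPath"="C:\\Windows\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
'''

# Constructed autorun.inf; the page does not reproduce the worm's actual file.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\vsounds.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REG, SAMPLE_AUTORUN):
        print(finding)
```

Active Setup runs the StubPath of every HKEY_LOCAL_MACHINE component at user logon whenever the matching HKEY_CURRENT_USER entry is absent, so deleting that HKCU entry (as the Installation section describes) makes the dropped file run again at each logon; that is why the check reads the HKLM key rather than HKCU. RECYCLER is the Windows XP recycle-bin folder; on Vista and later the equivalent is $Recycle.Bin, so the regular expression would need extending to cover that name on newer systems.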

Payload information

Win32/Autorun.KS installs a backdoor that can be controlled remotely.


The worm connects to the following address:

  • naseb.nad123nad.com

The IRC protocol is used.


It can be controlled remotely.


It can execute the following operations:

  • perform DoS/DDoS attacks
