Win32/AutoRun.KS [Threat Name]
Win32/AutoRun.KS [Threat Variant Name]
Category | worm
Size | 38400 B
Aliases | W32.SillyFDC (Symantec), Worm.Win32.AutoRun.fgj (Kaspersky), WORM_AUTORUN.DNN (TrendMicro)
Short description
Win32/AutoRun.KS is a worm that spreads via removable media. The worm contains an IRC-controlled backdoor. The file is run-time compressed with the Petite PE packer.
Installation
When executed, the worm creates the following folder (the SID-like name mimics the per-user Recycle Bin folders that live under RECYCLER on NTFS volumes):
- C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\
The following files are dropped in the same folder:
- vsounds.exe (38400 B)
- Desktop.ini (62 B)
The following Registry entry is set. Active Setup runs a component's StubPath once per user at logon whenever that user's HKEY_CURRENT_USER branch lacks the component, so this starts the worm for every user of the machine. The GUID as published contains non-hexadecimal characters, so hunt on the StubPath value rather than on the key name:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
- "StubPath" = "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\vsounds.exe"
The following Registry entry is deleted. Removing the per-user marker makes Active Setup run the StubPath again at the user's next logon:
- [HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components]
- "{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}"
The worm injects its own code into the following process and runs it there in a new thread:
- explorer.exe
Spreading on removable media
The worm creates the following folder on each removable drive:
- %drive%\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\
The following files are dropped in the same folder:
- vsounds.exe (38400 B)
- Desktop.ini (62 B)
The worm creates the following file:
- %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into a computer on which AutoRun is still enabled for removable drives. Windows 7 and later, and earlier versions with update KB971029 applied, no longer execute autorun.inf from USB media, so on those systems the autorun.inf alone will not start it.
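The following triage script is an added example (not ESET's code) covering both procedures above: it locates the RECYCLER\S-1-5-21-*\vsounds.exe dropper on a drive root, parses the drive's autorun.inf for the keys that cause execution (open=, shellexecute=, shell\<verb>\command=), and flags any launch target or Active Setup StubPath value that points into a RECYCLER SID folder or at vsounds.exe. The write-up does not give the contents of the autorun.inf, so the sample below is constructed on the assumption that it uses those standard keys, and the sample drive layout it builds contains zero-filled placeholders rather than the real binary.

```python
"""Triage helpers for the Win32/AutoRun.KS indicators listed above.

Added example, not ESET's code. The autorun.inf contents and the sample
drive layout are constructed for illustration.
"""
import configparser
import os
import re
import tempfile

# Indicators taken from the write-up.
RECYCLER_SID_DIR = "S-1-5-21-1482476501-1644491937-682003330-1013"
DROPPER_NAME = "vsounds.exe"
DROPPER_SIZE = 38400

# Per-user Recycle Bin folders on NTFS are also SID-named, so the SID folder
# alone is not an indicator; the dropper file inside it is.
SID_DIR_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# autorun.inf keys that make Explorer run a program: open=, shellexecute=,
# and shell\<verb>\command= entries that hijack the drive's context-menu verbs.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample (assumption: the real file uses these standard keys).
SAMPLE_AUTORUN_INF = """[AutoRun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\vsounds.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\vsounds.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\vsounds.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun_targets(text):
    """Return every program an autorun.inf would launch, in file order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # INF keys are case-insensitive
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # not a well-formed INF: Explorer launches nothing from it
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in cp[section].items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            targets.append(value.strip().strip('"'))
    return targets


def is_suspicious_target(path):
    """Flag a launch target or StubPath that points into a RECYCLER SID folder
    or at the dropper file name. Works on relative and absolute paths."""
    p = "\\" + path.replace("/", "\\").lower()
    return p.endswith("\\" + DROPPER_NAME) or "\\recycler\\s-1-5-21-" in p


def scan_drive(root):
    """Return (kind, what, detail) findings for one drive root: dropper files
    found under RECYCLER\\S-1-5-21-* and every autorun.inf launch target."""
    findings = []
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in sorted(os.listdir(recycler)):
            exe = os.path.join(recycler, name, DROPPER_NAME)
            if SID_DIR_RE.match(name) and os.path.isfile(exe):
                findings.append(("dropper", exe, os.path.getsize(exe)))
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="replace") as fh:
            for target in parse_autorun_targets(fh.read()):
                findings.append(("autorun", target, is_suspicious_target(target)))
    return findings


def build_sample_drive():
    """Lay out a constructed copy of the infected-drive structure in a temp
    directory. The 'dropper' and Desktop.ini are zero-filled placeholders
    of the sizes given in the write-up, not the real files."""
    root = tempfile.mkdtemp(prefix="autorun_ks_")
    drop_dir = os.path.join(root, "RECYCLER", RECYCLER_SID_DIR)
    os.makedirs(drop_dir)
    with open(os.path.join(drop_dir, DROPPER_NAME), "wb") as fh:
        fh.write(b"\0" * DROPPER_SIZE)
    with open(os.path.join(drop_dir, "Desktop.ini"), "wb") as fh:
        fh.write(b"\0" * 62)
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return root


if __name__ == "__main__":
    # On a live host, point scan_drive() at each removable drive root (e.g. "E:\\")
    # and feed HKLM Active Setup StubPath values to is_suspicious_target().
    for kind, what, detail in scan_drive(build_sample_drive()):
        print(kind, what, detail)
```

A legitimate Active Setup StubPath points under the Windows or Program Files directories; any value under RECYCLER is a hit regardless of which GUID it sits beneath. Running on a real drive root, the dropper check requires the vsounds.exe file inside the SID folder, so an ordinary per-user Recycle Bin folder is not reported.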
Payload information
Win32/AutoRun.KS installs a backdoor that is controlled remotely over the IRC protocol. The worm connects to the following address:
- naseb.nad123nad.com
It can execute the following operations:
- perform DoS/DDoS attacks