Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Autoit.GR

Aliases:WORM_SOHANAD.HDT (TrendMicro), Generic.dx!goq (McAfee) 
Type of infiltration:Worm  
Size:227651 B 
Affected platforms:Microsoft Windows 
Signature database version:5311 (20100725) 

Short description

Win32/Autoit.GR is a worm that spreads by copying itself into certain folders.

Installation

When executed, the worm copies itself into the following location:
  • %system%SVCHo5T.EXE
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentversion
    Run]
    "SVCHO5T.EXE" = "%system%SVCHO5T.EXE"

Spreading

The worm searches local drives for files with the following file extensions:
  • *.*
The worm may replace these files with a copy of itself.

The worm also searches for folders on local drives.

When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the folder found in the search.

The filename has the following extension:
  • .exe
The worm moves the content of the following folders (source, destination):
  • %foundfolder%, %system%%foundfolder%

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • CD-CNTT-k43.exe
The following file is dropped in the same folder:
  • Daitu-Tn.txt

Other information

The worm may set the following Registry entries:
  • [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
    PoliciesExplorer]
    "NoFolderOptions" = 1