Threat Encyclopedia

Win32/AutoRun.AAK

Aliases: Trojan-PSW.Win32.VB.qe (Kaspersky), W32/Autorun.worm.gen (McAfee), W32.SillyDC (Symantec)
Type of infiltration: Worm
Size: 345642 B
Affected platforms: Microsoft Windows
Signature database version: 3455 (20080919)

Short description

Win32/AutoRun.AAK is a worm that spreads via removable media. The file is run-time compressed using Astrum SFX.

Installation

When executed, the worm drops one of the following files in the %windir% folder:
  • services.exe (86016 B)
  • unisntlv32.exe (32768 B)
The following file is dropped into the %temp% folder:
  • rememberthis.exe (28672 B)
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{%variable%}]
    "StubPath" = "%windir%\unisntlv32.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\rememberthis.exe\rememberthis]
    "Directory" = "%programfiles%\rememberthis"
    "Version" = "1.00"
    "Uninstaller" = "%windir%\rememberthis uninstaller.exe"
A string with variable content is used instead of %variable%.

Spreading on removable media

The worm creates the following folders:
  • %drive%\TF_ROOT
The following file is dropped in the same folder:
  • Skype.exe
The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
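
A triage check for the removable-media artifacts listed above, added here as an example and not part of the original entry: it looks for autorun.inf together with TF_ROOT\Skype.exe at a drive root and lists the programs the autorun.inf would launch. The function names and the sample autorun.inf contents are constructed for illustration, since the entry does not give the file's contents.

```python
from pathlib import Path

# Constructed sample; the entry does not list the real autorun.inf contents.
SAMPLE_INF = "\n".join([
    "[AutoRun]", "; comment", "Open=TF_ROOT\\Skype.exe",
    "shell\\explore\\command = TF_ROOT\\Skype.exe /x",
    "icon=x.ico", "[other]", "open=ignored.exe"])

def autorun_targets(inf_text):
    """Return every command the [autorun] section would launch."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all start a program.
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets

def find_ci(folder, name):
    """Case-insensitive child lookup, since Windows file names ignore case."""
    if folder is None or not folder.is_dir():
        return None
    for child in folder.iterdir():
        if child.name.lower() == name.lower():
            return child
    return None

def triage_drive(root):
    """Check a mounted drive root for the artifacts named in this entry."""
    root = Path(root)
    inf = find_ci(root, "autorun.inf")
    # An autorun.inf *directory* cannot launch anything; only a file counts.
    inf = inf if inf is not None and inf.is_file() else None
    payload = find_ci(find_ci(root, "TF_ROOT"), "Skype.exe")
    targets = autorun_targets(inf.read_text(encoding="latin-1")) if inf else []
    return {"autorun_inf": inf is not None, "payload": payload is not None,
            "launch_targets": targets,
            "suspicious": inf is not None and payload is not None}

if __name__ == "__main__":
    import sys
    for drive in sys.argv[1:]:  # e.g. python triage.py E:\
        print(drive, triage_drive(drive))
```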

Information stealing

The worm gathers information related to the following services:
  • PayPal
The worm can send the information to a remote machine. The worm contains a URL. The HTTP protocol is used.

Other information

The worm may create the following folders:
  • %programfiles%\rememberthis
The worm may create the following files:
  • %windir%\nerodigit32.inf
  • %windir%\ulodb3.ini