Selected viruses, spyware, and other threats: sorted alphabetically
Short descriptionWin32/AutoRun.Agent.AO is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.
InstallationWhen executed, the worm copies itself into the following location:
The worm creates and runs a new thread with its own program code within the following processes:
- %programfiles%\Microsoft Common\svchost.exe (24576 B)
The following Registry entries are created:
This causes the worm to be executed on every application start.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger" = "%programfiles%\Microsoft Common\svchost.exe"
Spreading on removable mediaThe worm copies itself into the root folders of removable drives using the following name:
The following file is dropped in the same folder:
- %drive%\system.exe (24576 B)
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other informationThe worm contains a list of URLs. It tries to download several files from the addresses.
These are stored in the following locations:
A string with variable content is used instead of %variable% .
The files are then executed.
The HTTP protocol is used.