Threat Encyclopedia

Short description
Win32/AutoRun.Agent.AO is a worm that spreads via removable media. The worm tries to download and execute several files from the Internet.
Installation
When executed, the worm copies itself into the following location:
  • %programfiles%\Microsoft Common\svchost.exe (24576 B)
The worm creates and runs a new thread with its own program code within the following processes:
  • %system%\svchost.exe
  • %windir%\explorer.exe
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\explorer.exe]
    "Debugger" = "%programfiles%\Microsoft Common\svchost.exe"
This causes the worm to be executed on every application start.
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
  • %drive%\system.exe (24576 B)
The following file is dropped in the same folder:
  • autorun.inf


Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm contains a list of URLs. It tries to download several files from these addresses.

These are stored in the following locations:
  • %windir%\temp\%variable%.tmp
A string with variable content is used instead of %variable%.

The files are then executed.

The HTTP protocol is used.
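
A read-only triage check for the artifacts described in the Installation and Spreading sections, added here as an example and not part of the original entry. The function names are hypothetical, and the WOW6432Node key is an added assumption that covers the 32-bit registry view on 64-bit Windows.

```powershell
# Added example: read-only triage for the artifacts described in this entry.
# Function names are hypothetical; nothing is modified or deleted.

function Get-IfeoDebugger {
    # List every Image File Execution Options subkey that carries a "Debugger" value.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $dbg = $key.GetValue('Debugger', $null)
            if ($null -ne $dbg) {
                [pscustomobject]@{
                    Image      = $key.PSChildName
                    Debugger   = $dbg
                    # A Debugger value on explorer.exe is the entry this worm creates.
                    IsExplorer = ($key.PSChildName -ieq 'explorer.exe')
                    KeyPath    = $key.Name
                }
            }
        }
    }
}

function Get-RemovableAutorun {
    # DriveType 2 = removable disk; -Force also returns hidden/system files.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
        $root = $disk.DeviceID + '\'
        $inf  = Get-Item -LiteralPath (Join-Path $root 'autorun.inf') -Force -ErrorAction SilentlyContinue
        $exe  = Get-Item -LiteralPath (Join-Path $root 'system.exe') -Force -ErrorAction SilentlyContinue
        if ($inf -or $exe) {
            [pscustomobject]@{
                Drive       = $disk.DeviceID
                AutorunInf  = [bool]$inf
                SystemExe   = [bool]$exe
                SizeMatches = ($exe -and $exe.Length -eq 24576)  # size listed in this entry
            }
        }
    }
}

# Copy location listed under Installation.
$copy = Join-Path $env:ProgramFiles 'Microsoft Common\svchost.exe'
"Dropped copy present: $(Test-Path -LiteralPath $copy)"
Get-IfeoDebugger     | Format-Table -AutoSize
Get-RemovableAutorun | Format-Table -AutoSize
```

Some development tools set legitimate `Debugger` values for other images, so review each row rather than treating any hit as an infection.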