Threat Encyclopedia

Short description
Win32/AutoRun.Agent.GO is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.
Installation
When executed, the worm copies itself to the following location:
  • %drive%\RECYCLER\S-%variable%\windowsupdate.com
A string with variable content is used instead of %variable%.

The worm creates and runs a new thread with its own program code within the following processes:
  • explorer.exe
  • firefox.exe
  • mozilla.exe
  • msnmsgr.exe
Spreading on removable media
The worm copies itself into existing folders of removable drives.

If successful, the following filename is used:
  • %drive%\RECYCLER\S-%variable%\windowsupdate.com
A string with variable content is used instead of %variable%.

The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
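
A triage check for the removable-media artifacts listed above, as an added example (not vendor code): it scans a mounted drive root for the copy under RECYCLER\S-* and inspects autorun.inf. The page does not show the autorun.inf contents, so treating launch commands that point into RECYCLER as the stronger signal is an assumption, as are all function names.

```python
import os
import re

PAYLOAD = "windowsupdate.com"  # file name taken from the description above
# Standard AutoRun keys that start a program when media is inserted or opened.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.I)


def entries(path):
    """List a directory, tolerating missing, unreadable or non-directory paths."""
    try:
        return list(os.scandir(path))
    except OSError:
        return []


def autorun_targets(inf_path):
    """Return the commands an autorun.inf would launch, ignoring junk lines."""
    with open(inf_path, "rb") as fh:
        # latin-1 never fails to decode; dropping NULs also handles UTF-16 files.
        text = fh.read().decode("latin-1").replace("\x00", "")
    cmds = []
    for line in text.splitlines():
        m = LAUNCH_KEY.match(line)
        if m:
            cmds.append(m.group(2).strip())
    return cmds


def scan_drive(root):
    """Return sorted (finding, path) tuples for one mounted removable drive."""
    found = []
    for e in entries(root):
        name = e.name.lower()  # Windows names are case-insensitive
        if name == "recycler" and e.is_dir(follow_symlinks=False):
            for sid in entries(e.path):
                if sid.name.upper().startswith("S-"):
                    found += [("worm copy", f.path) for f in entries(sid.path)
                              if f.name.lower() == PAYLOAD]
        elif name == "autorun.inf" and e.is_file(follow_symlinks=False):
            hits = [c for c in autorun_targets(e.path) if "recycler" in c.lower()]
            # Assumption: a launch command pointing into RECYCLER is the strong
            # signal; a bare autorun.inf also ships on legitimate installer media.
            label = ("autorun.inf launches from RECYCLER" if hits
                     else "autorun.inf present")
            found.append((label, e.path))
    return sorted(found)
```

Call `scan_drive` with the drive root (for example a mount point on an analysis workstation); it only reads the media and never executes anything on it.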
Other information
The worm receives data and commands from a remote computer or the Internet.

It communicates with the following server using the IRC protocol:
  • fix.mainmsn.net
It can execute the following operations:
  • download files from a remote computer and/or Internet
  • perform DoS/DDoS attacks
The following services are disabled:
  • wscsvc
  • SharedAccess
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%filepath%" = "%filepath%:*:Enabled:Microsoft Windows Update Platform"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "Start" = 4