Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/AutoRun.Agent.RV is a worm that spreads by copying itself into the root folders of available drives. The file is run-time compressed using UPX .
Installation
When executed, the worm copies itself into the following location:
  • %system%\IME\svchost.exe (34816 B)
The following files are dropped into the %system% folder:
  • help.cpp (21504 B)
  • help.dll (21504 B)
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Winlogon\Notify\helper]
    "DllName" = "help.dll"
    "Startup" = "help"
    "Asynchronous" = 1
    "Impersonate" = 0
Spreading
Win32/AutoRun.Agent.RV is a worm that spreads by copying itself into the root folders of available drives.

If successful the following filename is used:
  • setup.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\
    Command]
    "(Default)" = ""%program files%\Internet Explorer\iexplore.exe"
    www.nvrende.com"