Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/AutoRun.Agent.UP

Aliases: Trojan.Win32.Scar.buor (Kaspersky), Infostealer (Symantec), Generic.dx!paw (McAfee)
Type of infiltration: Worm
Size: 56320 B
Affected platforms: Microsoft Windows
Signature database version: 4829 (20100202)

Short description

Win32/AutoRun.Agent.UP is a worm that spreads by copying itself into certain folders. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm copies itself into the following location:
  • %temp%\%originalfilename%.exe (56320 B)
A string with variable content is used instead of %originalfilename%.

The worm creates the following files:
  • %temp%\mxs.exe (4608 B)
  • %temp%\ader.exe (26112 B)
  • %windir%\mssrvc\svchost.exe (26112 B)
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "svchost" = "%windir%\mssrvc\svchost.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%system%\userinit.exe,%temp%\%originalfilename%.exe"
The following Registry entries are set, so that Explorer hides hidden files and known file extensions (which conceals the dropped copies and their ".exe" suffix):
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "HideFileExt" = 2
    "Hidden" = 2
The worm injects its own program code into the following processes and runs it in a new thread:
  • %system%\svchost.exe
  • %windir%\explorer.exe
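The persistence settings listed above are what an analyst checks first on a suspect host. The script below is an added example, not ESET's code: it takes a registry snapshot and flags a Userinit value with more than the genuine userinit.exe, a Run entry that borrows the svchost.exe name but lives outside System32 (or starts from %temp%), and Explorer settings that hide files and extensions. The SNAPSHOT, the placeholder expansions and the user name "alice" are constructed assumptions; on a real system the same three values would be read with winreg and passed to triage().

```python
"""Triage the logon-persistence and Explorer settings this entry lists.

Added example, not ESET's code. The SNAPSHOT below is CONSTRUCTED to mirror
the entry (the temp path and user name are assumed); on a real host, read
the same values with winreg and pass them to triage().
"""
import ntpath
from typing import Dict, List, Tuple

# Assumed expansions for the %var% placeholders the entry uses.
PLACEHOLDERS = {
    "%windir%": r"C:\Windows",
    "%system%": r"C:\Windows\system32",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
}

# Names of Windows binaries that legitimately start only from %system%.
SYSTEM_BINARIES = {"svchost.exe", "userinit.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe"}


def expand(path: str) -> str:
    for token, value in PLACEHOLDERS.items():
        path = path.replace(token, value)
    return path


def _same_dir(path: str, directory: str) -> bool:
    """Windows-style (case-insensitive) check that path sits directly in directory."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory)


def check_userinit(value: str) -> List[str]:
    """A clean Winlogon Userinit value is the genuine userinit.exe under
    System32 followed by a trailing comma. Every other comma-separated entry
    is run at each logon; return those entries."""
    genuine = ntpath.normcase(expand("%system%") + "\\userinit.exe")
    extras = []
    for entry in value.split(","):
        entry = expand(entry.strip().strip('"'))
        if entry and ntpath.normcase(entry) != genuine:
            extras.append(entry)
    return extras


def check_run_key(run: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag Run entries that borrow a system binary's name but live outside
    System32 (svchost.exe in the entry), or that launch from %temp%."""
    findings = []
    for name, command in run.items():
        exe = expand(command.strip().strip('"'))
        cut = exe.lower().find(".exe")
        if cut != -1:
            exe = exe[:cut + 4]          # drop any arguments after the binary
        base = ntpath.basename(exe).lower()
        if base in SYSTEM_BINARIES and not _same_dir(exe, PLACEHOLDERS["%system%"]):
            findings.append((name, exe, "system binary name outside System32"))
        elif _same_dir(exe, PLACEHOLDERS["%temp%"]):
            findings.append((name, exe, "autostart from %temp%"))
    return findings


def check_explorer(advanced: Dict[str, int]) -> List[str]:
    """Explorer\\Advanced: Hidden=1 shows hidden files, 2 hides them;
    HideFileExt=0 shows known extensions, anything else hides them."""
    findings = []
    if advanced.get("Hidden") == 2:
        findings.append("Hidden=2: hidden files are not shown")
    if advanced.get("HideFileExt", 0) != 0:
        findings.append(f"HideFileExt={advanced['HideFileExt']}: known extensions are hidden")
    return findings


def triage(snapshot: Dict) -> Dict[str, list]:
    return {
        "userinit": check_userinit(snapshot["Userinit"]),
        "run": check_run_key(snapshot["Run"]),
        "explorer": check_explorer(snapshot["Advanced"]),
    }


# Constructed snapshot mirroring the entry; "photos.exe" stands in for the
# variable %originalfilename% and SecurityHealth is a benign control entry.
SNAPSHOT = {
    "Userinit": r"%system%\userinit.exe,%temp%\photos.exe",
    "Run": {
        "svchost": r"%windir%\mssrvc\svchost.exe",
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    },
    "Advanced": {"Hidden": 2, "HideFileExt": 2},
}

if __name__ == "__main__":
    for key, hits in triage(SNAPSHOT).items():
        print(key, hits)
```

The Userinit check is the most valuable of the three: the value must keep its trailing comma and the genuine userinit.exe, so cleanup means removing only the appended entry, not deleting the value, or no user will be able to log on.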

Spreading

Win32/AutoRun.Agent.UP is a worm that spreads by copying itself into certain folders.

When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the folder found in the search.

The extension of the file is ".exe".

The worm attempts to replace the following files with a copy of itself:
  • *.exe
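The Spreading section describes two filesystem traces: a folder-named .exe dropped into each folder the worm searches, and existing *.exe files overwritten with the worm body. The hunt below is an added example, not ESET's tooling: it walks a tree, flags .exe files named after their parent folder that match the 56320 B size given in this entry, and groups all .exe files by SHA-256 so that a cluster of byte-identical programs (the signature of the *.exe replacement) stands out. The directory layout it builds is constructed, with a harmless MZ header plus padding standing in for the worm body; point hunt() at a real share or removable drive to use it.

```python
"""Hunt for the filesystem traces described under Spreading.

Added example, not ESET's tooling. It builds a CONSTRUCTED directory tree
with a harmless stand-in body (an MZ header plus padding, not the worm) so
it runs offline; point hunt() at a real share or removable drive to use it.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

WORM_SIZE = 56320  # size of the copy the entry reports


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str, body_size: int = WORM_SIZE) -> Tuple[List[str], Dict[str, List[str]]]:
    """Two indicators from the entry:
    1. a .exe named after the folder that contains it, with the worm's size
       (the copy dropped into each folder the worm found);
    2. several .exe files with identical content anywhere under root
       (legitimate *.exe files overwritten with the same body).
    Paths are returned relative to root with forward slashes."""
    folder_named: List[str] = []
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if stem.lower() == folder and os.path.getsize(full) == body_size:
                folder_named.append(rel)
            by_hash[sha256_of(full)].append(rel)
    clusters = {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}
    return sorted(folder_named), clusters


def build_sample_tree() -> str:
    """Constructed layout: two folder-named drops, one overwritten program,
    one untouched program, and a folder-named .exe of the wrong size."""
    root = tempfile.mkdtemp(prefix="autorun_hunt_")
    body = b"MZ" + b"\x90" * (WORM_SIZE - 2)  # stand-in for the worm body
    layout = {
        ("Photos", "Photos.exe"): body,
        ("Docs", "Docs.exe"): body,
        ("Docs", "readme.exe"): body,                    # legitimate name, worm content
        ("Tools", "putty.exe"): b"MZ" + b"\x01" * 4096,  # untouched, unique
        ("Notes", "Notes.exe"): b"MZ" + b"\x02" * 512,   # right name, wrong size and unique
    }
    for (folder, fname), content in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, fname), "wb") as fh:
            fh.write(content)
    return root


def demo() -> Tuple[List[str], Dict[str, List[str]]]:
    root = build_sample_tree()
    try:
        return hunt(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    named, clusters = demo()
    print("folder-named copies:", named)
    for digest, paths in clusters.items():
        print(f"identical .exe bodies ({digest[:12]}...):", paths)
```

The size filter keeps the folder-name check from flagging legitimate programs that happen to share their folder's name; the hash clustering needs no size at all, which matters because the overwritten *.exe files keep their original names and only their content gives them away.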

Other information

The worm connects to the following addresses:
  • www.microsoft.com
  • www.google.com
  • dell-d3e62f7e26
The worm contains a list of (7) URLs.

It tries to download several files from the addresses. The files are then executed.

The worm may create the following files:
  • %temp%\rdl%variable%.tmp
A string with variable content is used instead of %variable%.

The worm may execute the following commands:
  • %windir%\explorer.exe %path%