Threat Encyclopedia


Win32/AutoRun.Agent.VC

Aliases: Worm.Win32.AutoRun.eyz (Kaspersky), Trojan:Win32/Malex.gen!F (Microsoft), W32/Autorun.worm.ec (McAfee)
Type of infiltration: Worm
Size: 212992 B
Affected platforms: Microsoft Windows
Signature database version: 4915 (20100304)

Short description

Win32/AutoRun.Agent.VC is a worm that spreads via removable media. It can be controlled remotely.

Installation

When executed, the worm copies itself to some of the following locations:
  • %systemdrive%\Program Files\Windows NT\Love_Avenger\svhost32.exe
  • %systemdrive%\Documents and Settings\%username%\Local Settings\Temp\svhost32.exe
  • %systemdrive%\Program Files\Windows NT\Love_Avenger\filemanager.exe
  • %systemdrive%\Documents and Settings\%username%\Local Settings\filemanager.exe


In order to be executed on every system start, the worm modifies the following Registry key:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "svhost32.exe" = "%filepath% a"
The %filepath% is one of the following strings:
  • %systemdrive%\Program Files\Windows NT\Love_Avenger\svhost32.exe
  • %systemdrive%\Documents and Settings\%username%\Local Settings\Temp\svhost32.exe
  • %systemdrive%\Program Files\Windows NT\Love_Avenger\filemanager.exe
  • %systemdrive%\Documents and Settings\%username%\Local Settings\filemanager.exe
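The following PowerShell script is an added triage example, not part of the original ESET description, that checks a suspect host for the Run-key entry and the drop locations listed above. It assumes it is run with administrative rights, and it also walks the modern profile root (Users) as an assumption of its own, since the description only names the XP-era "Documents and Settings" path. Note that the value name svhost32.exe imitates the legitimate service host svchost.exe, which resides in %SystemRoot%\System32 and is never started from a Run key, so a Run value by that name is suspicious regardless of the path it points to.

```powershell
# Added triage example (not ESET's code): look for the Win32/AutoRun.Agent.VC
# persistence value and drop files described above. Run as Administrator.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'svhost32.exe'
$sysDrive  = $env:SystemDrive

# Fixed drop locations from the description.
$staticPaths = @(
    "$sysDrive\Program Files\Windows NT\Love_Avenger\svhost32.exe",
    "$sysDrive\Program Files\Windows NT\Love_Avenger\filemanager.exe"
)
# Per-user drop locations; %username% is expanded for every profile below,
# because the worm may have run under a different account than the analyst's.
$perUserSuffixes = @(
    'Local Settings\Temp\svhost32.exe',
    'Local Settings\filemanager.exe'
)
# "Documents and Settings" is the XP-era profile root named in the description;
# checking "Users" as well is an assumption for newer systems.
$profileRoots = @("$sysDrive\Documents and Settings", "$sysDrive\Users") |
    Where-Object { Test-Path -LiteralPath $_ }

$findings = @()

# 1. Persistence: a Run value named svhost32.exe. The data is "<path> a".
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $data = $run.$valueName
    $findings += [pscustomobject]@{ Kind = 'RunKey'; Location = "$runKey\$valueName"; Detail = $data }
    # Strip the trailing " a" argument and any quotes to recover the file path.
    $exe = ($data -replace '\s+a$', '').Trim('"')
    if (Test-Path -LiteralPath $exe) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Kind = 'File'; Location = $exe; Detail = "SHA256=$hash" }
    }
}

# 2. Fixed drop locations under Program Files.
foreach ($p in $staticPaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Kind = 'File'; Location = $p; Detail = "Size=$((Get-Item -LiteralPath $p -Force).Length)" }
    }
}

# 3. Per-user drop locations, one pass per profile directory.
foreach ($root in $profileRoots) {
    foreach ($profile in Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue) {
        foreach ($suffix in $perUserSuffixes) {
            $p = Join-Path $profile.FullName $suffix
            if (Test-Path -LiteralPath $p) {
                $findings += [pscustomobject]@{ Kind = 'File'; Location = $p; Detail = "Size=$((Get-Item -LiteralPath $p -Force).Length)" }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Win32/AutoRun.Agent.VC persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script only reports; before deleting the Run value or the files, hash and preserve them, because the description states the worm can update itself, so the file on disk may be a newer variant than the one the signature was written for.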

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • Autorun.exe
The following files are dropped in the same folder:
  • Autorun.inf
In this way the worm is started each time the infected media is inserted into a computer on which AutoRun is enabled for removable drives.
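As an added example (not from the original page), the PowerShell below enumerates removable drives, reports whether the Autorun.exe / Autorun.inf pair is present in the drive root, and parses the [autorun] section to show what the .inf would launch. The contents of this worm's Autorun.inf are not given in the description, so the parser handles the standard open, shellexecute and shell\<verb>\command directives rather than a known sample. Current Windows versions do not execute Autorun.inf from USB drives, so on such systems the pair is an indicator that the media passed through an infected XP-era machine rather than an active infection vector.

```powershell
# Added example (not ESET's code): find the Autorun.exe / Autorun.inf pair
# that Win32/AutoRun.Agent.VC drops in the root of removable drives.

function Get-AutorunCommands {
    # Return the launch directives from the [autorun] section of an autorun.inf.
    # Handles the documented keys: open=, shellexecute=, shell\<verb>\command=.
    param([string]$InfPath)
    $inSection = $false
    $commands  = @()
    foreach ($line in Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(?<key>open|shellexecute|shell\\[^=\s]+\\command)\s*=\s*(?<val>.+)$') {
            $commands += [pscustomobject]@{ Key = $Matches['key']; Command = $Matches['val'] }
        }
    }
    return $commands
}

# DriveType 2 = removable disk (USB sticks, memory cards).
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($disk in $removable) {
    $root   = $disk.DeviceID + '\'
    $inf    = Join-Path $root 'Autorun.inf'
    $exe    = Join-Path $root 'Autorun.exe'
    $hasInf = Test-Path -LiteralPath $inf
    $hasExe = Test-Path -LiteralPath $exe
    if (-not ($hasInf -or $hasExe)) { continue }

    '{0} : Autorun.inf={1} Autorun.exe={2}' -f $root, $hasInf, $hasExe
    if ($hasInf) {
        # -Force shows the file even if it carries the hidden/system attributes.
        Get-Item -LiteralPath $inf -Force | Select-Object FullName, Attributes
        Get-AutorunCommands -InfPath $inf | Format-Table -AutoSize
    }
    if ($hasExe) {
        # Hash the dropped copy so it can be matched against the 212992 B sample
        # or submitted for analysis before the media is cleaned.
        Get-FileHash -LiteralPath $exe -Algorithm SHA256 | Select-Object Hash, Path
    }
}
```

A command in the .inf that points at Autorun.exe in the same root is the pattern described above; a shell\<verb>\command entry that hijacks the default "Open" or "Explore" verbs will also trigger when the user double-clicks the drive in Explorer, even where the automatic launch on insertion is disabled.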

Information stealing

The worm collects information related to the following applications:
  • ICQ6
  • KVIrc
  • Miranda IM zeleboba's pack
  • QIP2005
The worm can send the information to a remote machine.

Other information

The worm receives data and commands from a remote computer or the Internet.

The worm contains a list of 1 address and communicates with it using the FTP protocol.

It can execute the following operations:
  • send files to a remote computer
  • update itself to a newer version
  • delete files
  • download files from a remote computer and/or Internet
The worm launches the following processes:
  • explorer.exe