Threat Encyclopedia

Win32/AutoRun.Agent.VS

Aliases: Trojan.Win32.Cosmu.pqi (Kaspersky), W32.SillyFDC (Symantec), Win32/Autorun.WT (Microsoft)
Type of infiltration: Worm
Size: 303104 B
Affected platforms: Microsoft Windows
Signature database version: 5201 (20100616)

Short description

Win32/AutoRun.Agent.VS is a worm that spreads via removable media. The worm is able to log keystrokes. The worm is probably part of other malware.

Installation

When executed, the worm copies itself to the following locations:
  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe
  • %systemdrive%\Program Files\Windows Alerter\WinAlert.exe
  • %systemdrive%\Program Files\Windows Common Files\Commgr.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "WindowMessenger" = "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    "Windows Alerter" = "%systemdrive%\Program Files\Windows Alerter\WinAlert.exe"
    "Windows Common Files Manager" = "%systemdrive%\Program Files\Windows Common Files\Commgr.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "WindowMessenger" = "C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"
    "Windows Alerter" = "%systemdrive%\Program Files\Windows Alerter\WinAlert.exe"
    "Windows Common Files Manager" = "%systemdrive%\Program Files\Windows Common Files\Commgr.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = 2
    "ShowSuperHidden" = 0
    "SuperHidden" = 0
    "HideFileExt" = 1
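
A triage check for the Registry entries listed above, as an added example that is not part of the original entry: it parses the text of a `reg export` file (assumed to be already decoded to a Python string) and reports Run values that use the listed names. It goes slightly beyond the entry by also flagging any Run value that launches from a RECYCLER folder; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the entry above: Run value names and Explorer\Advanced values.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
ADV_KEY = r"\software\microsoft\windows\currentversion\explorer\advanced"
RUN_NAMES = {"windowmessenger", "windows alerter", "windows common files manager"}
HIDE_VALUES = {"hidden": 2, "showsuperhidden": 0, "superhidden": 0, "hidefileext": 1}

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: str or int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
    return keys

def triage(text):
    """Return (run_hits, hide_hits). Only run_hits indicate persistence;
    hide_hits are settings that also occur on clean systems (corroboration)."""
    run_hits, hide_hits = [], []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, data in values.items():
            if k.endswith(RUN_KEY) and isinstance(data, str):
                # Listed value name, or any autostart launched from a RECYCLER folder.
                if name.lower() in RUN_NAMES or "\\recycler\\" in data.lower():
                    run_hits.append((key, name))
            elif k.endswith(ADV_KEY) and HIDE_VALUES.get(name.lower()) == data:
                hide_hits.append(name)
    return sorted(run_hits), sorted(hide_hits)

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowMessenger"="C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"
"OneDrive"="C:\\Users\\a\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000001
'''
```
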

Spreading

Win32/AutoRun.Agent.VS is a worm that spreads by copying itself into certain folders.

When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The name of the new file is based on the name of the folder found in the search.

The filename has the following extension:
  • .exe

Spreading on removable media

The worm copies itself into existing folders of removable drives.

The following filename is used:
  • %drive%\RECYCLER\%variable%.exe
A string with variable content is used instead of %variable%.

The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm may create the following files in the %drive%\RECYCLER folder:
  • BNFO
  • dEsKtOp.InI

Other information

The following programs are terminated:
  • acs.exe
  • agrs.exe
  • AntiTrojan.exe
  • ants.exe
  • aswboot.exe
  • atwatch.exe
  • avast.exe
  • avengine.exe
  • avgcc32.exe
  • avgemc.exe
  • avgfree.exe
  • avgnt.exe
  • avgsetup.exe
  • avguard.exe
  • avnt.exe
  • avp.exe
  • avpcc.exe
  • avsched32.exe
  • bdagent.exe
  • blackice.exe
  • btdfbr.exe
  • btrl.exe
  • btscan.exe
  • ccapp.exe
  • ccleaner.exe
  • ccproxy.exe
  • ccSvcHost.exe
  • cleaner.exe
  • cmd.exe
  • EMLPROUI.exe
  • EMLPROXY.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • kavpf.exe
  • kpf4ss.exe
  • lockdown.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • McProxy.exe
  • mcregist.exe
  • mcshield.exe
  • mcsysmon.exe
  • mmc.exe
  • mpfservice.exe
  • msconfig.exe
  • navapsvc.exe
  • navw32.exe
  • nisserv.exe
  • nisum.exe
  • nod32.exe
  • nod32krn.exe
  • ONLINENT.exe
  • OPSSVC.exe
  • outpost.exe
  • pavfires.exe
  • pavproxy.exe
  • pccntmon.exe
  • persfw.exe
  • qhunpack.exe
  • QUHLPSVC.exe
  • realmon.exe
  • reg.exe
  • regedit.exe
  • rstrui.exe
  • SCANNER.exe
  • SCANWSCS.exe
  • SENSOR.exe
  • SiteAdv.exe
  • smc.exe
  • tasklist.exe
  • taumon.exe
  • tds-3.exe
  • tsnt2008.exe
  • UPSCHD.exe
  • usbguard.exe
  • vbcons.exe
  • vsserv.exe
  • vsstat.exe
  • watchdog.exe
  • YMSGRTRAY.exe
  • zapro.exe
  • zonealarm.exe
The worm is able to log keystrokes.

The data is saved in the following file:
  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\info
The worm may create the following files:
  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\OnlyDbv.jpg
  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\bnf0342
  • C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\wndsvc.dll