Threat Encyclopedia


Win32/AutoRun.Agent.VZ

Aliases: Trojan-Dropper.MSIL.StubRC.ato (Kaspersky), W32.Ircbrute (Symantec), Dropper.Generic2.HTW (AVG)
Type of infiltration: Worm
Size: 157162 B
Affected platforms: Microsoft Windows
Signature database version: 5108 (20100512)

Short description

Win32/AutoRun.Agent.VZ is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself to some of the following locations:
  • %system%\srvhost64.exe
  • %windir%\srvhost64.exe
  • %appdata%\srvhost64.exe
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "System Server Cache" = "%folder%\srvhost64.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "System Server Cache" = "%folder%\srvhost64.exe"
The %folder% is one of the following strings:
  • %system%
  • %windir%
  • %appdata%
The worm creates and runs a new thread with its own program code within the following processes:
  • winlogon.exe
  • explorer.exe

Spreading on removable media

The worm copies itself into existing folders of removable drives.

The following filename is used:
  • %drive%\RECYCLER\{36436-46377-3645c34}\msconfig32.exe
The worm creates the following file:
  • %drive%\autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.
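A host triage check for the artifacts listed in the Installation and Spreading sections above, added here as an example (it is not ESET's code). It assumes the backslash-separated file and Registry paths as given in this entry and that %system%, %windir% and %appdata% map to the usual Windows locations.

```powershell
# Added example: look for the drop locations, Run-key persistence and
# removable-media artifacts that this entry attributes to Win32/AutoRun.Agent.VZ.
$findings = @()

# 1. Dropped copy in %system%, %windir% or %appdata% (assumed standard mappings)
$dropDirs = @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot, $env:APPDATA)
foreach ($dir in $dropDirs) {
    $p = Join-Path $dir 'srvhost64.exe'
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 2. Run-key persistence value "System Server Cache" under HKLM and HKCU
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $val = Get-ItemProperty -Path $key -Name 'System Server Cache' -ErrorAction SilentlyContinue
    if ($val) {
        $findings += "Run value '$key\System Server Cache' = $($val.'System Server Cache')"
    }
}

# 3. Removable drives (DriveType 2): worm copy under RECYCLER and a root autorun.inf
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($d in $removable) {
    $root = $d.DeviceID + '\'
    $copy = Join-Path $root 'RECYCLER\{36436-46377-3645c34}\msconfig32.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $copy) { $findings += "Worm copy on removable drive: $copy" }
    if (Test-Path -LiteralPath $inf) {
        # autorun.inf by itself is not proof of infection; report what it would launch
        $open = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute)\s*=' `
                -ErrorAction SilentlyContinue
        $detail = if ($open) { ' launching: ' + ($open.Line -join '; ') } else { '' }
        $findings += "autorun.inf on $root$detail"
    }
}

if ($findings.Count -eq 0) { 'No Win32/AutoRun.Agent.VZ artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell so the HKLM Run key and %system% are readable; a hit on the Run value or the dropped file is a strong indicator, while a lone autorun.inf needs analyst review.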

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:
  • 1.privatetorrent.org
  • i.root-servers.net
The IRC protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • open a specific URL address
  • collect information about the operating system used
  • remove itself from the infected computer
The worm may set the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App]
    "new"