Threat Encyclopedia

Home > Threat Center > Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N

O
P
Q
R
S
T
U
V
W
X
Y
Z
Glossary

Win32/AutoRun.Agent.VZ

Aliases:	Trojan-Dropper.MSIL.StubRC.ato (Kaspersky), W32.Ircbrute (Symantec), Dropper.Generic2.HTW (AVG)
Type of infiltration:	Worm
Size:	157162 B
Affected platforms:	Microsoft Windows
Signature database version:	5108 (20100512)

Short description

Win32/AutoRun.Agent.VZ is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself in some of the the following locations:

%system%srvhost64.exe
%windir%srvhost64.exe
%appdata%srvhost64.exe

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
Run]
"System Server Cache" = "%folder%srvhost64.exe"
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
Run]
"System Server Cache" = "%folder%srvhost64.exe"

The %folder% is one of the following strings:

%system%
%windir%
%appdata%

The worm creates and runs a new thread with its own program code within the following processes:

winlogon.exe
explorer.exe

Spreading on removable media

The worm copies itself into existing folders of removable drives.

The following filename is used:

%drive%RECYCLER{36436-46377-3645c34}msconfig32.exe

The worm creates the following file:

%drive%autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:

1.privatetorrent.org
i.root-servers.net

The IRC protocol is used.

It can execute the following operations:

download files from a remote computer and/or the Internet
run executable files
open a specific URL address
collect information about the operating system used
remove itself from the infected computer

The worm may set the following Registry entries:

[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion
App]
"new"

Quick Links: Store | Renew | Activate | Free Trial | Online Scanner | ESET vs. Competition | Press Center | ESET Blog | Threat Center | Support | Careers

All Products:

Cart About ESET Partners United States and Canada

US

Visit ESET on Facebook

Visit ESET on Google+

Follow ESET on Twitter

ESET YouTube Channel

Subscribe to ESET RSS feeds

© 2008-2013 ESET North America. All rights reserved. Trademarks used herein are trademarks or registered trademarks of ESET spol. s r.o. or
ESET North America. All other names and brands are registered trademarks of their respective companies.