Threat Encyclopedia


Win32/AutoRun.Autoit.CT

Aliases: Generic2_c.PPF (AVG), Autoit_gen.A (Norman)
Type of infiltration: Worm
Size: 1137995 B
Affected platforms: Microsoft Windows
Signature database version: 5168 (20100603)

Short description

Win32/AutoRun.Autoit.CT is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm creates the following files:
  • %windir%\cysrun.exe (280491 B)
  • %windir%\cyswin.exe (297653 B)
  • %windir%\cysusb.exe (279823 B)
  • %temp%\Set0x8.dat (1137995 B)
  • %temp%\Set0x4.dat (297653 B)
  • %temp%\Set0x2.dat (280491 B)
  • %temp%\Set0x12.dat (279823 B)
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cyswin" = "%windir%\cyswin.exe"
    "Cysrun" = "%windir%\cysrun.exe"
The following Registry entries are set, which configure Windows Explorer not to display hidden files or protected operating system files:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = 2
    "ShowSuperHidden" = 0

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • %drive%\Cysset.exe (1137995 B)
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:
  • irc.freenode.net
The IRC protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
The worm collects the following information:
  • operating system version
  • user name
  • computer IP address
  • computer name
  • list of running processes
The worm can send the information to a remote machine.

The following programs are terminated:
  • attrib.exe
  • combofix.exe
  • killbox.exe
  • msconfig.exe
  • procexp.exe
  • taskkill.exe
  • tasklist.exe
  • taskmgr.exe
The worm terminates any program that creates a window containing any of the following strings in its name:
  • Pocket Killbox
  • Process Explorer
The worm may create the following files:
  • %windir%\Winysys.conf
  • %temp%\MsDos.Txt
  • %temp%\Setting2x.Conf
  • %temp%\Setting4x.Conf
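The indicators listed in the Installation, Spreading on removable media and Other information sections above can be checked on a suspect host in one pass. The following PowerShell triage function is an added example written for this entry; it is not part of the original encyclopedia text or of any vendor tool. The file paths, Run value names, Explorer settings and process names are those given in the entry; the function name `Test-AutoRunAutoitCT` and the report format are this example's own choices. It only reports, it changes nothing on the system.

```powershell
# Host triage for the Win32/AutoRun.Autoit.CT indicators in this entry.
# Added example, not part of the original text. Run in an elevated session
# so the %windir% files and the HKLM Run key can be read. Read-only.

function Test-AutoRunAutoitCT {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Files from the "creates" and "may create" lists.
    $dropped = @(
        "$env:windir\cysrun.exe", "$env:windir\cyswin.exe", "$env:windir\cysusb.exe",
        "$env:windir\Winysys.conf",
        "$env:TEMP\Set0x8.dat", "$env:TEMP\Set0x4.dat", "$env:TEMP\Set0x2.dat",
        "$env:TEMP\Set0x12.dat", "$env:TEMP\MsDos.Txt",
        "$env:TEMP\Setting2x.Conf", "$env:TEMP\Setting4x.Conf"
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
    }

    # 2. Persistence: the Cyswin / Cysrun values under the HKLM Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in 'Cyswin', 'Cysrun') {
            $v = $run.PSObject.Properties[$name]
            if ($v) { $findings.Add("Run value '$name' = $($v.Value)") }
        }
    }

    # 3. Explorer settings the worm writes. These are also the Windows defaults,
    #    so treat a match as corroboration only, never as proof on its own.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
    if ($adv -and $adv.Hidden -eq 2 -and $adv.ShowSuperHidden -eq 0) {
        $findings.Add('Explorer Advanced: Hidden=2, ShowSuperHidden=0 (hidden/system files not shown; weak indicator)')
    }

    # 4. Removable drives (DriveType 2): Cysset.exe and autorun.inf in the root.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        $exe  = Join-Path $root 'Cysset.exe'
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $exe) {
            $findings.Add("Removable drive $($_.DeviceID): Cysset.exe present in root")
        }
        if (Test-Path -LiteralPath $inf) {
            $findings.Add("Removable drive $($_.DeviceID): autorun.inf present in root")
            # Show which program the .inf would launch, for the analyst's record.
            Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
                ForEach-Object { $findings.Add("    autorun.inf: $_") }
        }
    }

    # 5. Processes named after the dropped executables.
    Get-Process -Name cysrun, cyswin, cysusb, Cysset -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Process running: $($_.ProcessName) (PID $($_.Id))") }

    return $findings
}

$result = Test-AutoRunAutoitCT
if ($result.Count -eq 0) {
    Write-Output 'No Win32/AutoRun.Autoit.CT indicators found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

The Explorer check deliberately reports with a caveat: `Hidden = 2` and `ShowSuperHidden = 0` are the out-of-the-box Explorer defaults, so on most machines that condition is true without any infection; it only adds weight when the file or Run-key findings are also present. Because the worm terminates `taskmgr.exe`, `tasklist.exe`, `procexp.exe` and the other tools listed above, the process check is done from inside PowerShell with `Get-Process` rather than by launching one of those executables.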