Threat Encyclopedia

Short description
Win32/AutoRun.FakeAlert.AF is a worm that spreads via removable media. The file is run-time compressed using FSG. It uses techniques common to rootkits.
Installation
When executed, the worm copies itself into the following location:
  • %programfiles%\Microsoft Common\svchost.exe (39936 B)
The worm creates the following files:
  • %temp%\rdl%variable%.tmp (6656 B)
A string with variable content is used instead of %variable%.

The worm creates and runs a new thread with its own program code within the following processes:
  • explorer.exe
  • svchost.exe
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Image File Execution Options\explorer.exe]
    "Debugger" = "%programfiles%\Microsoft Common\svchost.exe"
This causes the worm to be executed whenever explorer.exe is started, including at every logon: when a Debugger value exists under Image File Execution Options for an image name, Windows launches that program in place of the image and passes it the original command line.
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
  • %drive%\autorun.exe (39936 B)
The following file is dropped in the same folder:
  • autorun.inf
Thus, on systems that still honour autorun.inf for removable drives, the worm is started each time infected media is inserted into the computer. Windows 7 and later, and earlier versions with the February 2011 AutoRun update (KB971029) applied, do not process autorun.inf from USB drives, so there the user has to launch autorun.exe manually.
Other information
The following file is modified:
  • %system%\drivers\etc\hosts
The worm writes the following entries to the file. Because the hosts file is consulted before DNS, the listed domains resolve to 92.62.101.129 instead of their real addresses, so the genuine sites become unreachable by name:
  • #
  • 127.0.0.1 localhost
  • #
  • 92.62.101.129 google.co.uk
  • 92.62.101.129 google.co.in
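The following is an added example and not part of the ESET entry. It parses hosts-file syntax and separates the three things a mapping can do: a loopback or 0.0.0.0 address sinkholes a name (the classic blocking trick), an RFC 1918 or link-local address is usually an administrator's LAN alias, and a public address redirects the name to a remote machine, which is the pattern this worm uses. The sample hosts content is constructed for the example and mirrors the entries listed above; the classification thresholds (which names count as default local names, treating private ranges as benign) are the example's own assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Union

# Constructed hosts file content for this example (not a captured sample); the
# entries mirror the ones listed on this page.
SAMPLE_HOSTS = """#
127.0.0.1 localhost
#
92.62.101.129 google.co.uk
92.62.101.129 google.co.in
"""

# Names that Windows and most distributions map to loopback by default
# (assumption of this example; extend for your baseline).
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class HostsEntry(NamedTuple):
    address: str
    hostname: str
    kind: str  # "local", "sinkhole", "lan" or "redirect"


def classify(ip: IPAddress, hostname: str) -> str:
    """Decide what a hosts mapping does to the named host.

    loopback/unspecified -> the name is sinkholed (blocked), unless it is a
    default local name; RFC 1918/link-local -> probably an admin's LAN alias;
    anything else -> the name is redirected to a remote address, which is the
    hijack pattern this worm uses.
    """
    if ip.is_loopback or ip.is_unspecified:
        return "local" if hostname in DEFAULT_LOCAL_NAMES else "sinkhole"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: '#' comments, whitespace-separated address
    followed by one or more names. Malformed lines are skipped, as the
    resolver would skip them."""
    entries: List[HostsEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            name = name.lower()
            entries.append(HostsEntry(str(ip), name, classify(ip, name)))
    return entries


def hijacked(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a name to a remote (public) address."""
    return [e for e in entries if e.kind == "redirect"]


if __name__ == "__main__":
    for e in hijacked(parse_hosts(SAMPLE_HOSTS)):
        print(f"{e.hostname} -> {e.address} ({e.kind})")
```

On a live Windows host the input would be the contents of %system%\drivers\etc\hosts; anything reported as "redirect" deserves a look at the target address, since a hosts file that only blocks names maps them to loopback, not to a public IP.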
The worm receives data and commands from a remote computer or the Internet.

The worm contains a list of three URLs.

The worm can download and execute a file from the Internet. The HTTP protocol is used.

The worm creates copies of the following files (source, destination):
  • %system%\drivers\*.sys, %temp%\rdl%variable%.tmp
The worm attempts to replace the following files with a copy of itself:
  • %system%\drivers\*.sys
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\
    AuthorizedApplications\List]
    "%filepath%" = "%filepath%:*:Enabled:EMOTIONS_EXECUTABLE"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run]
    "svchost" = "%filepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
    "svchost" = "%filepath%"
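The following is an added example and not part of the ESET entry. It covers both registry passages above, the Image File Execution Options Debugger hijack of explorer.exe and the Run-key and firewall AuthorizedApplications entries, by parsing the text that `reg export` produces and reporting each of the three locations. The sample export is constructed for the example, not a real capture; it assumes %programfiles% resolves to C:\Program Files and includes a benign IFEO subkey (notepad.exe with only a GlobalFlag value) to show that only Debugger values are reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export`-style text for this example (not a real capture).
# It assumes %programfiles% is C:\Program Files; the notepad.exe key is a
# benign IFEO entry included to show that only Debugger values are flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Common\\svchost.exe"="C:\\Program Files\\Microsoft Common\\svchost.exe:*:Enabled:EMOTIONS_EXECUTABLE"
'''

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# "name"=data, where the quoted name may contain escaped quotes/backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that `reg export` emits: [key] sections
    and "name"=data lines. Quoted string data is unescaped; other data types
    (dword:, hex:) are kept verbatim. Key paths are returned as written."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (technique, subject, target) triples for the three registry
    locations this worm uses. Registry paths and value names are
    case-insensitive, so comparisons are lower-cased."""
    findings: List[Tuple[str, str, str]] = []
    run_keys = {k.lower() for k in RUN_KEYS}
    for key, values in keys.items():
        low = key.lower()
        if low.startswith(IFEO_KEY.lower() + "\\"):
            image = key.rsplit("\\", 1)[1]
            for name, data in values.items():
                if name.lower() == "debugger":
                    findings.append(("ifeo_debugger", image, data))
        elif low in run_keys:
            for name, data in values.items():
                findings.append(("run_key", name, data))
        elif low == FW_LIST_KEY.lower():
            for name, data in values.items():
                if ":enabled:" in data.lower():
                    findings.append(("firewall_allow", name, data))
    return findings


if __name__ == "__main__":
    for technique, subject, target in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{technique:16} {subject} -> {target}")
```

Run-key and firewall entries are reported wholesale because every one of them is worth reading during triage; IFEO entries are reported only when a Debugger value is present, since IFEO subkeys with GlobalFlag or similar values are common and harmless. A Debugger value is not automatically malicious either (debugger installs create them), so compare the target path against what you expect on the host; a "debugger" living under %programfiles%\Microsoft Common and named svchost.exe is the tell here.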