Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/AutoRun.NAS

Aliases:Trojan.Win32.Scar.bxrc (Kaspersky), Trojan:Win32/Spawnt.A (Microsoft), Scar.gen.j trojan (McAfee) 
Type of infiltration:Virus  
Size:Variable  
Affected platforms:Microsoft Windows 
Signature database version:5039 (20100418) 

Short description

Win32/AutoRun.NAS is an overwriting file infector.

Installation

When executed, the virus copies itself into the following location:
  • %system%ntldr.exe
In order to be executed on system start, the virus sets the following Registry entry:
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
    Run]
    "NT4 hosting service" = "%system%ntldr.exe"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
    policiesExplorer]
    "NoDriveTypeAutoRun" = 0
    "NoDriveAutoRun" = 0

Executable file infection

Win32/AutoRun.NAS is an overwriting file infector.

The virus searches local and network drives for files with one of the following extensions:
  • .exe
Files with the following names are not infected:
  • WinNT.exe
  • *.*:Flinched

Spreading

The virus copies itself into the root folders of all drives using the following filename:
  • WinNT.exe
The following file is dropped in the same folder:
  • Autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.