Threat Encyclopedia


Win32/AutoRun.NAT

Aliases: Worm.Win32.Qvod.gj (Kaspersky), W32.Wapomi (Symantec), Win32.HLLW.Viking.56 (Dr. Web)
Type of infiltration: Virus
Size: Variable
Affected platforms: Microsoft Windows
Signature database version: 5198 (20100615)

Short description

Win32/AutoRun.NAT is a file infector. It is able to spread via shared folders and removable media. The virus can download and execute a file from the Internet.

Installation

The virus attempts to replace the following files with a copy of itself:
  • %system%\appmgmts.dll
  • %system%\browser.dll
  • %system%\cryptsvc.dll
  • %system%\es.dll
  • %system%\mspmsnsv.dll
  • %system%\mswsock.dll
  • %system%\netman.dll
  • %system%\ntmssvc.dll
  • %system%\pchsvc.dll
  • %system%\qmgr.dll
  • %system%\regsvc.dll
  • %system%\shsvcs.dll
  • %system%\schedsvc.dll
  • %system%\ssdpsrv.dll
  • %system%\tapisrv.dll
  • %system%\upnphost.dll
  • %system%\xmlprov.dll
The virus may create copies of itself using the following filenames:
  • %system%\%variable%.dll
The virus registers itself as a system service using the following filenames:
  • %variable%
Instead of %variable%, the value(s) are taken from the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "netsvcs" = "%variable%"
The virus creates the following files:
  • %system%\drivers\%random%.sys
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random%]
    "Start" = 3
    "Type" = 1
    "ImagePath" = "%system%\drivers\%random%.sys"
A string with variable content is used instead of %random%.

The virus may create the following files:
  • C:\Documents and Settings\Infotmp.txt
  • C:\Users\Infotmp.txt

Executable file infection

Win32/AutoRun.NAT is a file infector.

The virus searches local and network drives for files with one of the following extensions:
  • .exe
Files are infected by adding a new section that contains the virus.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The size of the inserted code is 74 kB.

Spreading on removable media

The virus copies itself into existing folders of removable drives.

The following filename is used:
  • %drive%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
The virus creates the following file:
  • %drive%\autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
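An added detection example (not part of the original entry): an autorun.inf parser that flags launch directives pointing into a folder named with the Recycle Bin CLSID described above, which Explorer displays as "Recycle Bin" and so hides the dropped Setup.exe. The sample autorun.inf is constructed here, not a captured file.

```python
import re

# Folder name described on the page: a directory named after the Recycle Bin CLSID.
RECYCLE_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# autorun.inf keys that cause Windows (pre-KB971029 behaviour) to launch a program.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}

def parse_autorun(text):
    """Parse an autorun.inf body into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def suspicious_launch_targets(text):
    """Return (key, target, reason) for every launch directive under [autorun]
    that points into a CLSID-named folder or at an executable; [] means nothing flagged."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key not in LAUNCH_KEYS:
            continue
        target = value.strip('"')
        if RECYCLE_CLSID.lower() in target.lower():
            findings.append((key, target, "launch target inside Recycle Bin CLSID folder"))
        elif re.search(r"\.(exe|com|scr|bat|cmd|pif)\b", target, re.I):
            findings.append((key, target, "autorun launches an executable"))
    return findings

# Constructed sample mirroring the dropped path on the page (hypothetical content).
SAMPLE_AUTORUN = """[autorun]
open=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\Setup.exe
shellexecute=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\Setup.exe
shell\\open\\command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\Setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for key, target, reason in suspicious_launch_targets(SAMPLE_AUTORUN):
        print(f"{key}={target}  <- {reason}")
```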

Spreading via shared folders

The virus searches for computers in the local network.

It tries to copy itself into the root folder of the C: drive on a remote machine using the following filename:
  • CONFIG.exe
The file is then remotely executed.

The following usernames are used:
  • Administrator
  • Guest
  • admin
  • Root
The following passwords are used:
  • 0
  • 000000
  • 007
  • 1
  • 110
  • 111
  • 1111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1313
  • 2002
  • 2003
  • 2112
  • 2600
  • 5150
  • 520
  • 5201314
  • 54321
  • 654321
  • 6969
  • 7777
  • 88888888
  • 901100
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • baseball
  • ccc
  • computer
  • database
  • enable
  • fish
  • fuck
  • fuckyou
  • god
  • godblessyou
  • golf
  • harley
  • home
  • ihavenopass
  • letmein
  • login
  • Login
  • love
  • mustang
  • mypass
  • mypass123
  • mypc
  • mypc123
  • owner
  • pass
  • passwd
  • password
  • pat
  • patrick
  • pc
  • pussy
  • pw
  • pw123
  • pwd
  • qq520
  • qwer
  • qwerty
  • root
  • server
  • sex
  • shadow
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv

Other information

The virus checks for Internet connectivity by trying to connect to the following servers:
  • www.baidu.com
The virus connects to the following addresses:
  • 34.WAP517.MOBI
  • 34.WAP517.ORG
  • 34.WAP517.COM
  • 34.WAP517.INFO
  • 34.WAP517.ME
  • 34.WAP517.US
  • 34.WAP517.BIZ
  • 34.WAP517.NET
It tries to download a file from the addresses. The HTTP protocol is used.

The file is stored in the following location:
  • %temp%\%variable%.rar
A string with variable content is used instead of %variable%.

The file is then executed.

Win32/AutoRun.NAT is a virus that steals sensitive information.

The following information is collected:
  • list of running processes
  • network adapter information
The virus can send the information to a remote machine.

The virus terminates various security related applications.

The following programs are terminated:
  • 360hotfix.exe
  • 360rp.exe
  • 360rpt.exe
  • 360safe.exe
  • 360safebox.exe
  • 360sd.exe
  • 360se.exe
  • 360SoftMgrSvc.exe
  • 360speedld.exe
  • 360tray.exe
  • ast.exe
  • avcenter.exe
  • avgnt.exe
  • avguard.exe
  • avmailc.exe
  • avp.exe
  • avwebgrd.exe
  • bdagent.exe
  • CCenter.exe
  • ccSvcHst.exe
  • ޸.exe
  • egui.exe
  • ekrn.exe
  • kavstart.exe
  • kissvc.exe
  • kmailmon.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • krnl360svc.exe
  • kswebshield.exe
  • KVMonXP.kxp.KVSrvXP.exe
  • kwatch.exe
  • livesrv.exe
  • Mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • Mcods.exe
  • McProxy.exe
  • McSACore.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • MPMon.exe
  • MPSVC.exe
  • MPSVC1.exe
  • MPSVC2.exe
  • msksrver.exe
  • qutmserv.exe
  • RavMonD.exe
  • RavTask.exe
  • RsAgent.exe
  • rsnetsvr.exe
  • RsTray.exe
  • safeboxTray.exe
  • ScanFrm.exe
  • seccenter.exe
  • SfCtlCom.exe
  • sched.exe
  • TMBMSRV.exe
  • TmProxy.exe
  • UfSeAgnt.exe
  • vsserv.exe
  • zhudongfangyu.exe
The following Registry entries are created, each with the value "debugger" = "ntsd -d":
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\޸.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp.KVSrvXP.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
The modified Registry entries will prevent specific files from being executed.
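An added detection example (not part of the original entry): it parses a Registry export in the format that "reg export" writes and lists every Image File Execution Options subkey whose "Debugger" value is set, which is the persistence-by-denial trick described above. The .reg text below is constructed for illustration; a real export is UTF-16 and should be opened with encoding="utf-16".

```python
# Prefix of the IFEO key, lower-cased so comparisons are case-insensitive.
IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
               "\\image file execution options\\")

def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name (lower-cased): value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = value.strip().strip('"')
    return keys

def ifeo_debugger_hijacks(text):
    """Return (image name, debugger command) for each IFEO subkey with a Debugger value.
    A Debugger entry is rare on a healthy host; "ntsd -d", as on this page, effectively
    blocks the image from starting, so every hit deserves review and removal."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX):
            continue
        image = key[len(IFEO_PREFIX):]
        if "\\" in image:            # nested subkeys (e.g. PerfOptions) are not images
            continue
        debugger = values.get("debugger")
        if debugger:
            hits.append((image, debugger))
    return hits

# Constructed sample export (hypothetical): two hijacked images and one benign entry.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\egui.exe]
"debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ekrn.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe]
"GlobalFlag"=dword:00000200
"""

if __name__ == "__main__":
    for image, debugger in ifeo_debugger_hijacks(SAMPLE_REG):
        print(f"IFEO debugger set for {image}: {debugger}")
```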