Threat Encyclopedia

Short description
Win32/AutoRun.Spy.Agent.E is a worm that spreads via shared folders and on removable media.

Installation
The worm copies itself to the following location:
  • %appdata%\servicehost.exe (191488 B)

The worm creates the following file:
  • %appdata%\servicehost.dll (119296 B)

The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\Windows\WxS\_restore\value]
    "SZKRNL" = %random1%
    "SZBIN" = %random2%
    "SZSIP" = %random3%
    "22SC" = %random4%
    "SZRKY" = %random5%
    "SZRKYPTH" = %random6%
A string with variable content is used instead of %random1-6%.

In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Service Host" = "%appdata%\servicehost.exe"

Spreading on removable media
The worm copies itself into existing folders of removable drives.

If successful, the following filename is used:
  • %drive%\recycler\S-1-5-21-1060284298-507921405-725345543-1009\autorun.exe (191488 B)

The worm creates the following file:
  • %drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
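
The artifacts listed under Installation and Spreading on removable media can be checked on a host with a script like the one below. It is an added example, not part of the original description; the helper name and output layout are assumptions, and a hit on a path or size is a lead to investigate rather than a verdict.

```powershell
# Added example (not from the original description): look for the listed
# artifacts in the current user's profile and on attached removable drives.
$findings = @()
function Add-Finding($indicator, $location, $detail) {   # hypothetical helper
    $script:findings += [pscustomobject]@{
        Indicator = $indicator; Location = $location; Detail = $detail }
}

# 1. Dropped files in %appdata%, with the sizes given in the description
$dropped = @{ 'servicehost.exe' = 191488; 'servicehost.dll' = 119296 }
foreach ($name in $dropped.Keys) {
    $path = Join-Path $env:APPDATA $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        Add-Finding 'Dropped file' $item.FullName "size $($item.Length), listed $($dropped[$name])"
    }
}

# 2. Autostart value under the per-user Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Service Host' -ErrorAction SilentlyContinue
if ($run) { Add-Finding 'Run value "Service Host"' $runKey $run.'Service Host' }

# 3. Registry key holding the six variable-content values
$cfgKey = 'HKCU:\Software\Windows\WxS\_restore\value'
if (Test-Path -LiteralPath $cfgKey) {
    $names = (Get-Item -LiteralPath $cfgKey).Property -join ', '
    Add-Finding 'Configuration key' $cfgKey "values: $names"
}

# 4. Removable drives (DriveType 2): worm copy in the recycler folder, plus autorun.inf
$rel = 'recycler\S-1-5-21-1060284298-507921405-725345543-1009\autorun.exe'
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = "$($disk.DeviceID)\"
    foreach ($p in (Join-Path $root $rel), (Join-Path $root 'autorun.inf')) {
        # -Force so hidden or system files are still returned
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item) { Add-Finding 'Removable media' $item.FullName "size $($item.Length)" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No listed artifacts found.' }
```

Run it in the affected user's session, since both registry locations are under HKEY_CURRENT_USER and %appdata% is per-user.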

Information stealing
The worm collects the following information:
  • operating system version
  • computer name
The worm can send the information to a remote machine.

Other information
The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet). The worm contains a list of 4 URLs.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via the MSN network
  • update itself to a newer version
  • spread via shared folders and P2P networks (eMule, LimeWire, Ares, DC++)