Short description

Win32/AutoRun.VB.CH is a worm that steals sensitive information and can send it to a remote machine. The worm also contains a backdoor through which it can be controlled remotely.
Installation

When executed, the worm copies itself to the following locations:
- %system%\%random1%.exe (192512 B)
- %windir%\inf\%random2%.exe (192512 B)
- %windir%\%random3%.exe (192512 B)
- %commonprogramfiles%\%random4%.exe (192512 B)
- %windir%\system\%random5%.exe (192512 B)
- %windir%\Config\%random6%.exe (192512 B)
- %system%\%random7%.exe (192512 B)
A string with variable content is used instead of %random1-7%.
The files are then executed.
In order to be executed on every system start, the worm sets the following Registry entries.
The following Registry entries are created:
- "tDefault" = "%system%\%random1%.exe"
- "Settings" = "%windir%\%random3%.exe"
- "SystemT" = "%windir%\system\%random5%.exe"
The following Registry entries are set:
- "001" = "%random1%"
- "002" = "%random2%"
- "003" = "%random3%"
- "004" = "%random4%"
- "EnableFirewall" = 0
Setting EnableFirewall to 0 turns off the Windows Firewall for the profile whose key holds the value.
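The seven drop locations, the fixed 192512-byte file size and the three Run-value names above are precise enough to hunt for. The script below is an added example written for this page; it is not ESET's code and not code from the worm. It assumes a caller-supplied mapping for %system%, %windir% and %commonprogramfiles% (so it can be pointed at a mounted image rather than the live system), and it takes the Run-key values as an already-collected name-to-data dictionary because the description does not preserve which Run key holds them. DROP_DIRS, RUN_VALUE_NAMES, find_dropped_copies and suspicious_run_values are names chosen for this example.

```python
"""Triage helper for the Win32/AutoRun.VB.CH installation artifacts.

Added example for this page (not ESET's code). Two checks, both driven only by
facts the description gives: every copy of the worm is a 192512-byte .exe in one
of six directories, and persistence uses three specific Run-value names that
point at an .exe in one of those directories.
"""
import os
from pathlib import Path

DROP_SIZE = 192512  # size of every copy listed in the description

# Drop directories from the description, in its own placeholder notation.
# The %random1-7% filenames are unknown, so copies are matched on size instead.
DROP_DIRS = (
    "%system%",
    "%windir%\\inf",
    "%windir%",
    "%commonprogramfiles%",
    "%windir%\\system",
    "%windir%\\Config",
)

# Value names the description lists under the autostart Registry entries.
RUN_VALUE_NAMES = {"tDefault", "Settings", "SystemT"}


def expand(placeholder_path: str, env: dict) -> Path:
    """Resolve %system%/%windir%/%commonprogramfiles% against a caller-supplied
    mapping (e.g. directories inside a mounted image), not os.environ."""
    out = placeholder_path
    for key, value in env.items():
        out = out.replace(f"%{key}%", value)
    return Path(out.replace("\\", os.sep))


def find_dropped_copies(env: dict, size: int = DROP_SIZE) -> list:
    """Return .exe files of exactly `size` bytes directly inside each drop dir."""
    hits = []
    for d in DROP_DIRS:
        directory = expand(d, env)
        if not directory.is_dir():
            continue
        for p in directory.iterdir():
            if p.is_file() and p.suffix.lower() == ".exe" and p.stat().st_size == size:
                hits.append(p)
    return sorted(set(hits))


def suspicious_run_values(run_values: dict, env: dict) -> dict:
    """Given Run-key name -> data pairs (read with winreg or parsed from a reg
    export; the description does not say which Run key), return the entries
    whose name is one the worm uses and whose data points into a drop dir."""
    drop_dirs = {expand(d, env).resolve() for d in DROP_DIRS}
    flagged = {}
    for name, data in run_values.items():
        if name not in RUN_VALUE_NAMES:
            continue
        target = expand(data.strip('"'), env)
        if target.suffix.lower() == ".exe" and target.parent.resolve() in drop_dirs:
            flagged[name] = data
    return flagged


if __name__ == "__main__":
    # Live-host mapping: %system% is System32 under %windir%. On a non-Windows
    # host the directories do not exist and nothing is reported.
    windir = os.environ.get("windir", "")
    live = {
        "system": os.path.join(windir, "System32"),
        "windir": windir,
        "commonprogramfiles": os.environ.get("CommonProgramFiles", ""),
    }
    for copy in find_dropped_copies(live):
        print("candidate worm copy:", copy)
```

Exact-size matching will also flag any legitimate 192512-byte executable sitting in %windir% or %system%, so treat a hit as a lead to hash and inspect, not as a verdict; a hit in %windir%\Config or %windir%\inf, where no executables normally live, is far more telling than one in %system%.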
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filenames:
The following file is dropped in the same folder:
Thus, the worm ensures it is started each time infected media is inserted into a computer on which AutoRun is enabled for removable drives.
Information stealing

Win32/AutoRun.VB.CH is a worm that steals sensitive information.
The following information is collected:
- operating system version
- Internet Explorer version
- computer name
- computer IP address
- user name
- list of disk devices and their type
The worm can send the information to a remote machine. The FTP protocol is used.
Other information

The worm contains a backdoor. It can be controlled remotely.
The worm receives data and commands from a remote computer or the Internet. The worm contains a list of (1) FTP addresses.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- send files to a remote computer
- terminate running processes
The worm creates the following files:
A string with variable content is used instead of %variable%.
The following programs are terminated: