Threat Encyclopedia

Short description
Win32/AutoRun.VB.CH is a worm that steals sensitive information and can send it to a remote machine. The worm also contains a backdoor through which it can be controlled remotely.
Installation
When executed, the worm copies itself to the following locations:
  • %system%\%random1%.exe (192512 B)
  • %windir%\inf\%random2%.exe (192512 B)
  • %windir%\%random3%.exe (192512 B)
  • %commonprogramfiles%\%random4%.exe (192512 B)
  • %windir%\system\%random5%.exe (192512 B)
  • %windir%\Config\%random6%.exe (192512 B)
  • %system%\%random7%.exe (192512 B)
%random1% to %random7% stand for strings with variable content; note that two of the copies land in %system%.

The dropped copies are then executed.

In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run]
    "tDefault" = "%system%\%random1%.exe"
    "Settings" = "%windir%\%random3%.exe"
    "SystemT" = "%windir%\system\%random5%.exe"
The following Registry entries are created (an infection marker rather than a persistence mechanism):
  • [HKEY_CURRENT_USER\Software\Default]
    "001" = "%random1%"
    "002" = "%random2%"
    "003" = "%random3%"
    "004" = "%random4%"
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
Setting this value to 0 switches off the Windows Firewall for the standard (non-domain) profile, so the worm's FTP traffic and backdoor connections are not blocked by the host firewall.
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following filenames:
  • program.exe
  • arquivos.exe
The following file is dropped in the same folder:
  • autorun.inf
Through autorun.inf, the worm is started each time the infected media is inserted into a computer that honours AutoRun for removable drives; later Windows versions disable AutoRun for non-optical removable media by default, so this vector depends on the host's AutoRun configuration.
Information stealing
Win32/AutoRun.VB.CH is a worm that steals sensitive information.

The following information is collected:
  • operating system version
  • Internet Explorer version
  • computer name
  • computer IP address
  • user name
  • list of disk devices and their type
The worm can send the collected information to a remote machine over FTP.
Other information
The worm contains a backdoor through which it can be controlled remotely: it receives data and commands from a remote computer or the Internet. The worm contains a list of one FTP address.

It can execute the following operations:
  • download files from a remote computer and/or Internet
  • send files to a remote computer
  • terminate running processes
The worm creates the following files:
  • %system%\Restore\%variable%.kp_
  • %temp%\InfoCommander.txt
  • %temp%\Processos.txt
%variable% stands for a string with variable content.
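The following PowerShell script is an added example and is not part of the ESET entry or of the worm; it is a read-only sweep of a live host for the artifacts listed in the Installation, Spreading on removable media and Other information sections. It assumes an elevated PowerShell 3.0 or later session, that HKCU belongs to the user account that ran the worm, and it treats the 192512-byte file size only as a weak hint because %random1% to %random7% are not known. The autorun.inf directive names it looks for (open, shellexecute, shell\...\command) are the standard AutoRun keys, not content taken from this entry, since the entry does not give the dropped autorun.inf.

```powershell
# Added example: read-only IOC sweep for Win32/AutoRun.VB.CH artifacts.
# Reports findings, does not remediate. Run elevated (HKLM and %system% access).
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies: random-named .exe files of exactly 192512 bytes in the
#    directories the worm writes to. Size is a weak hint, so these are candidates.
$sys    = [Environment]::GetFolderPath('System')
$windir = $env:SystemRoot
$dirs   = @($sys, "$windir\inf", $windir, $env:CommonProgramFiles,
            "$windir\system", "$windir\Config")
foreach ($d in $dirs) {
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Filter *.exe -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq 192512 } |
            ForEach-Object { $findings.Add("Dropped copy candidate (192512 B): $($_.FullName)") }
    }
}

# 2. Run-key persistence: the three value names the worm creates.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
           -ErrorAction SilentlyContinue
foreach ($name in 'tDefault', 'Settings', 'SystemT') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings.Add("Run value '$name' = $($run.$name)")
    }
}

# 3. Infection marker key with values 001..004 (assumed to be in the infected user's hive).
$marker = 'HKCU:\Software\Default'
if (Test-Path $marker) {
    $m    = Get-ItemProperty -Path $marker
    $hits = '001', '002', '003', '004' | Where-Object { $m.PSObject.Properties[$_] }
    if ($hits) { $findings.Add("Marker key $marker has values: $($hits -join ', ')") }
}

# 4. Windows Firewall switched off for the standard profile.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$p  = Get-ItemProperty -Path $fw -Name EnableFirewall -ErrorAction SilentlyContinue
if ($p -and $p.EnableFirewall -eq 0) { $findings.Add('StandardProfile EnableFirewall = 0') }

# 5. Removable drives (DriveType 2): worm copies plus autorun.inf in the root.
foreach ($drive in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $drive.DeviceID + '\'
    foreach ($f in 'program.exe', 'arquivos.exe', 'autorun.inf') {
        $path = Join-Path $root $f
        if (Test-Path -LiteralPath $path) { $findings.Add("Removable media artifact: $path") }
    }
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # Show which lines would launch a program (standard AutoRun directives, assumed).
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { $findings.Add("  autorun.inf launch line: $($_.Trim())") }
    }
}

# 6. Working files in %temp% and the Restore directory.
foreach ($f in "$env:TEMP\InfoCommander.txt", "$env:TEMP\Processos.txt") {
    if (Test-Path -LiteralPath $f) { $findings.Add("Worm working file: $f") }
}
Get-ChildItem -LiteralPath "$sys\Restore" -Filter *.kp_ -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Worm working file: $($_.FullName)") }

if ($findings.Count -eq 0) { 'No Win32/AutoRun.VB.CH artifacts found.' } else { $findings }
```

Treat a Run value hit or the marker key as the strong signal; a lone 192512-byte executable or a disabled firewall profile is only corroborating evidence and should be checked against the dropped-copy paths before acting on it. On hosts where the worm ran under a different user, enumerate that user's hive (HKU\<SID>\Software\Default) instead of HKCU.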

The following programs are terminated:
  • 401COMUPD.EXE
  • ACTHOSP.EXE
  • Advchk.exe
  • alescan.exe
  • ALUNOTIFY.exe