
Worm:Win32/Autorun.FO


First posted on 24 May 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Autorun.FO is also known as Trojan.Win32.VB.bmr (Kaspersky), W32/VBTroj.OIG (Norman), Trojan.VB.FCWZ (VirusBuster), Worm/VB.JX (Avira), Win32.Worm.VB.NXB (BitDefender).

Explanation :

Worm:Win32/Autorun.FO is a worm that attempts to spread via mapped writeable drives in an infected computer.

Installation

Upon execution, Worm:Win32/Autorun.FO copies itself into the Windows folder as:

  • %windir%\windowsmp.exe

It modifies the system registry so that it automatically starts every time Windows starts up:

  Adds value: "windowsmp"
  With data: "%windir%\windowsmp.exe"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It then executes its copy. It also copies itself as the following:

  • %windir%\yoos.b
  • <system folder>\init.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

Worm:Win32/Autorun.FO makes sure that one of its copies is automatically run by modifying and creating the following registry entries:

  Modifies value: "Userinit"
  From data: "<system folder>\userinit.exe,"
  To data: "<system folder>\userinit.exe, <system folder>\init.exe,"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  Adds value: "UI"
  With data: "<system folder>\userinit.exe,"

  Adds value: "ImagePath"
  With data: "%windir%\yoos.b"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\4LLI

Spreads Via...

Mapped drives

When Worm:Win32/Autorun.FO executes, it enumerates all drives of the computer until a mapped drive is found. The worm attempts to copy itself to the mapped drive with the name "explorer.exe". The worm also creates an autorun configuration file named "autorun.inf" pointing to the worm executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the worm is run automatically.
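The persistence and spreading traits above (extra Userinit entry, the "windowsmp" Run value, the 4LLI service ImagePath, and an autorun.inf launching a root-level explorer.exe) can be checked from exported registry data and file contents. The following is an added detection example, not code from the original write-up; the registry values and autorun.inf text it is fed are strings the caller supplies (sample values in the comments are constructed).

```python
import ntpath

# Dropped-file names and registry artefacts taken from the description above.
SUSPECT_NAMES = {"windowsmp.exe", "yoos.b", "init.exe"}
RUN_VALUE = "windowsmp"
SERVICE_NAME = "4LLI"


def userinit_extras(value):
    """Entries in Winlogon\\Userinit other than the stock userinit.exe.
    A clean value is 'C:\\Windows\\System32\\userinit.exe,' (trailing comma is normal)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]


def autorun_targets(inf_text):
    """Programs an autorun.inf would launch: open= / shellexecute= under [autorun]."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("open", "shellexecute"):
                targets.append(val)
    return targets


def assess(userinit_value, run_values, services, inf_text=""):
    """Return findings matching this worm's traits; an empty list means none matched.
    run_values / services map value or service name -> data (constructed by the caller)."""
    findings = []
    for extra in userinit_extras(userinit_value):
        findings.append(f"Userinit launches extra program: {extra}")
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or ntpath.basename(data).lower() in SUSPECT_NAMES:
            findings.append(f"Run value {name!r} -> {data}")
    for svc, image in services.items():
        if svc == SERVICE_NAME or ntpath.basename(image).lower() in SUSPECT_NAMES:
            findings.append(f"Service {svc!r} ImagePath -> {image}")
    for target in autorun_targets(inf_text):
        # explorer.exe belongs in %windir%, never at the root of a mapped or removable drive.
        if ntpath.basename(target).lower() == "explorer.exe":
            findings.append(f"autorun.inf launches {target} from the drive root")
    return findings
```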

    Analysis by Wei Li

    Last update 24 May 2010
