
Worm.JS.AutoRun

By JubileeX in Worms

Worm.JS.AutoRun is a polymorphic worm: it changes its own body as it spreads, which makes it difficult for many security programs to detect. It spreads not only through the method that relies on a file named 'autorun.inf', but also through file-sharing websites, FTP servers, shared folders and CDs/DVDs burned on affected PCs. Worm.JS.AutoRun copies itself into directories and registers itself to launch automatically. At this point Worm.JS.AutoRun checks the environment in which it was started. If it is running on a non-virtual computer system, it searches for active monitoring and computer security tools and, if any are found, stops them from operating. Worm.JS.AutoRun receives commands via a file downloaded from the command center. These instructions mostly concern collecting information from the infected computer system.

Specifically, cybercrooks want Worm.JS.AutoRun to gather information about the compromised PC, the computer user and the installed programs. Worm.JS.AutoRun is well-encrypted and can change its form from one infection to the next. When run, the malicious Java archive extracts a .dll from itself, copies itself to the user's temporary directory and also copies the executable file 'Java.exe' from %ProgramFiles% to the same directory, giving the copy an apparently trustworthy name and running it with the copied Java archive as its launch parameter. The Java archive then injects the extracted library into the resulting process in order to deliver Worm.JS.AutoRun to any available network locations and removable media. Once started, Worm.JS.AutoRun occasionally sends requests to a command center to get instructions from the cybercriminal.
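
The launch behaviour described above (a copy of Java.exe under a different name, started from the temporary directory with a Java archive from that same directory) can be hunted for in process-creation telemetry. The following is an added example, not part of the original entry: the record fields are modelled on Sysmon process-creation events, and all paths, file names and sample records are constructed assumptions.

```python
import ntpath
import re

# Assumptions: Java normally lives under Program Files on C:, and user temp
# directories follow the default Windows profile layout.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)
JAR_RE = re.compile(r'"([^"]+\.jar)"|(\S+\.jar)', re.I)

# Constructed sample records (field names as in Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "OriginalFileName": "java.exe",
     "CommandLine": r'"C:\Program Files\Java\jre\bin\java.exe" -jar C:\Apps\tool.jar'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "OriginalFileName": "java.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\updater.exe"
                    r" -jar C:\Users\alice\AppData\Local\Temp\a1b2.jar"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]


def score_event(ev):
    """Return the reasons a record matches the copied-Java launch pattern."""
    image = ev.get("Image", "")
    original = ev.get("OriginalFileName", "").lower()
    if original not in ("java.exe", "javaw.exe"):
        return []  # not a Java launcher binary at all
    reasons = []
    if ntpath.basename(image).lower() != original:
        reasons.append("java binary renamed")
    if not image.lower().startswith(TRUSTED_ROOTS):
        reasons.append("java binary outside Program Files")
    if TEMP_RE.search(image):
        reasons.append("java binary runs from temp directory")
    m = JAR_RE.search(ev.get("CommandLine", ""))
    jar = (m.group(1) or m.group(2)) if m else ""
    if TEMP_RE.search(jar):
        reasons.append("jar loaded from temp directory")
        if ntpath.dirname(jar).lower() == ntpath.dirname(image).lower():
            reasons.append("jar and launcher share a directory")
    return reasons


def detect(events, threshold=2):
    """Return the image paths of records with at least `threshold` reasons."""
    return [e["Image"] for e in events if len(score_event(e)) >= threshold]
```

Comparing the on-disk name with OriginalFileName is what catches the rename; a rule keyed only on the process name would miss the copy.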

File System Details

Worm.JS.AutoRun may create the following file(s):
# File Name Detections
1. Java.exe
