Worm:Win32/Autorun.PL


By JubileeX in Worms

Worm:Win32/Autorun.PL is a worm that copies itself as an executable file (.exe) to any removable drives connected to the infected PC. Worm:Win32/Autorun.PL also modifies the system file 'explorer.exe' and executes the modified 'explorer.exe' whenever Windows starts. By substituting the system file with its own copy, Worm:Win32/Autorun.PL ensures that it is loaded at every Windows startup. Once installed and activated, Worm:Win32/Autorun.PL downloads malicious files and modifies the Windows Registry on the affected computer. Worm:Win32/Autorun.PL uses a string of Chinese characters as the file name, which translates to 'cool picture.exe'. Worm:Win32/Autorun.PL may use this file name to trick victims into opening the file, so that it can start and install itself on the computer the drive is connected to.

File System Details

Worm:Win32/Autorun.PL may create the following file(s):
# File Name Detections
1. [Chinese characters].exe
2. [system folder]\services.exe
3. [system folder]\sysanalysis.exe
4. Mourn_Operator.exe
5. [system folder]\explorer.exe[15 RANDOM DIGITS]
6. %windir%\explorer.exe[15 RANDOM DIGITS]

Registry Details

Worm:Win32/Autorun.PL may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt "CheckedValue" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = "1"
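
An added triage example (not part of the original write-up and not taken from any vendor tool): a PowerShell script that checks the current user's registry and the Windows folders for the indicators listed above, and reports the signature status of explorer.exe. It assumes 'explorer.exe[15 RANDOM DIGITS]' means that literal name followed by 15 digits, searches only %windir% and the system folder, and assumes PowerShell 5.1 or later; the function names are made up for this example.

```powershell
# Added triage example; the indicators are copied from the lists on this page.
$regIndicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'; Name = 'CheckedValue'; Data = '0' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Data = '0' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'ShowSuperHidden'; Data = '0' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Data = '1' }
)

function Get-RegistryHits {
    foreach ($ind in $regIndicators) {
        $item = Get-ItemProperty -LiteralPath $ind.Path -Name $ind.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }            # key or value not present
        $actual = "$($item.($ind.Name))"             # compare as text: the value may be DWORD or string
        if ($actual -eq $ind.Data) {
            [pscustomobject]@{ Type = 'Registry'; Item = "$($ind.Path)\$($ind.Name)"; Detail = "= $actual" }
        }
    }
}

function Get-FileHits {
    # services.exe is not matched by name: a legitimate Windows file with that
    # name lives in the system folder, so its presence alone says nothing.
    # Assumption: Mourn_Operator.exe is looked for in these two folders only.
    $dirs = @($env:windir, [Environment]::SystemDirectory)
    Get-ChildItem -LiteralPath $dirs -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^explorer\.exe\d{15}$' -or
                       $_.Name -in @('sysanalysis.exe', 'Mourn_Operator.exe') } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = "modified $($_.LastWriteTime)" }
        }
}

function Get-ExplorerSignature {
    # The page says the worm replaces explorer.exe, so report whether the
    # file on disk still carries a valid signature.
    $path = Join-Path $env:windir 'explorer.exe'
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{ Type = 'Signature'; Item = $path; Detail = "$($sig.Status)" }
}

# -Force above includes hidden and system files, which the registry changes
# listed on this page would otherwise keep out of view in Explorer.
& { Get-RegistryHits; Get-FileHits; Get-ExplorerSignature } | Format-Table -AutoSize -Wrap
```

A registry hit on its own is weak evidence, since these values can also result from ordinary configuration; weigh it together with file hits and a signature status other than Valid.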

