W32.Autex.Worm

Discovered: November 14, 2003
Updated: November 14, 2003 12:33:20 AM
Systems Affected: Windows

W32.Autex.Worm is a worm that can copy itself to mapped network drives.

First, it attempts to copy itself to remotely mapped drives as Auto.exe and creates autorun.inf.

It also copies itself as:
%Program Files%\Auto.exe
%Windir%\Auto.exe
%Windir%\All Users\Desktop\Sysboy.exe
%Windir%\All Users\Start Menu\Programs\Auto.exe
%Windir%\Start Menu\Programs\Auto.exe
%Windir%\Desktop\Sysgril.exe

Adds the values:

"Explorer"="<path_to_worm>"
"Systry"="<path_to_worm>"
"Systryt"="<path_to_worm>"
"rundll32"="<path_to_worm>"
"rundll64"="<path_to_worm>"

to the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonceex
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservicesonce

so that the worm runs when you start Windows.

Sets the value:

"Start Page" = "http:/ /xxxwwwjjjhd.20forfree.com"

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main


Sets the value:

"Dowload Directory" = %Windir%

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main


Sets the value:

"first home page" = <path_to_worm>

in the registry keys:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_CLASSES_ROOT\swffile\shell\open\command
HKEY_CLASSES_ROOT\mp3file\shell\open\command
HKEY_CLASSES_ROOT\dllfile\shell\open\command
HKEY_CLASSES_ROOT\htmfile\shell\open\command


Sets the value:

"DiableRegistryTools"="111"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

so that you can no longer open the registry editor.


Sets the value:

"NoFolderOptions"="111"

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


Sets the value:

"norealmode"="111"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\winoldapp


Creates the registry keys:

HKEY_LOCAL_MACHINE\Software\CLASSES\Directory\shell\Winamp.Play
HKEY_LOCAL_MACHINE\Software\CLASSES\Directory\shell\Winamp.Enqueue
HKEY_LOCAL_MACHINE\Software\CLASSES\Directory\shell\Winamp.Bookmark
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}


Sets the values:

"legalnoticecaption"=<garbage>
"legalnoticetext"=<garbage>

in the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
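
As an added example (not part of the original write-up), the following Python code scans the text of a registry export for the key and value-name pairs listed above, for use when triaging a suspect host. The function name, the sample export and the decision to match names exactly as spelled in this write-up are assumptions.

```python
import re

HKLM_CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
HKCU_POL = r"hkey_current_user\software\microsoft\windows\currentversion\policies"

# (key, value name) pairs exactly as spelled in the write-up, lower-cased
# because registry key and value names are case-insensitive.
INDICATORS = set()
for sub in ("run", "runservices", "runonce", "runonceex", "runservicesonce"):
    for name in ("explorer", "systry", "systryt", "rundll32", "rundll64"):
        INDICATORS.add((HKLM_CV + "\\" + sub, name))
for ext in ("txtfile", "swffile", "mp3file", "dllfile", "htmfile"):
    INDICATORS.add(("hkey_classes_root\\" + ext + r"\shell\open\command", "first home page"))
INDICATORS |= {
    (HKCU_POL + r"\system", "diableregistrytools"),
    (HKLM_CV + r"\policies\explorer", "nofolderoptions"),
    (HKCU_POL + r"\winoldapp", "norealmode"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def scan_reg_export(text):
    """Return (key, value name, raw data) for each write-up indicator found in .reg text."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and (key.lower(), m.group(1).lower()) in INDICATORS:
            hits.append((key, m.group(1), m.group(2)))
    return hits

# Constructed sample export (not from an infected host). The HKCU ...\Policies\Explorer
# entry must not match: the write-up lists NoFolderOptions under HKLM only.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Systry"="C:\\WINDOWS\\Auto.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"="111"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
"first home page"="C:\\WINDOWS\\Auto.exe"
'''
```

Call `scan_reg_export(SAMPLE)` to see the two matching entries. Registry Editor exports are normally UTF-16, so decode the file before passing its text to the function.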