
Worm.AutoRun.eav

Posted: June 24, 2011

Worm.AutoRun.eav is a worm that can duplicate itself and compromise your security to download and install other malicious programs without your consent. Worm.AutoRun.eav creates a backdoor by opening ports and may also hide its activities behind spoofs of native Windows memory processes. Some versions of Worm.AutoRun.eav can also change your system settings to disable a variety of programs that could assist you in detecting or removing it. Like all backdoor Trojans, Worm.AutoRun.eav is a high-priority security threat, and you should remove it with appropriate anti-virus software the moment you find it on your PC.

Worm.AutoRun.eav - A Worm That's Adept at Hiding

The majority of Worm.AutoRun.eav infections have been reported to take place in 2008 and 2009, although a Worm.AutoRun.eav infection is still a threat to even the most modern Windows computers. Networked computers and computers that share removable devices are particularly vulnerable to being infected by Worm.AutoRun.eav, since standard worm functions let Worm.AutoRun.eav copy itself to network-shared locations and removable drives for automatic installation later.

Worm.AutoRun.eav infections can also be detected with the following names: Trojan.Sockrypt.Gen, BackDoor-DOQ, Worm:Win32/SillyShareCopy.gen and Virus.Win32.Lineage.351. As some of these names indicate, in addition to being a worm, Worm.AutoRun.eav can also display properties of a backdoor Trojan.

Worm.AutoRun.eav creates files like ctfmon.exe and spools.exe that imitate the baseline Windows processes that you would expect to see on any PC. Check memory usage and file locations to see if a suspicious file or memory process is really part of Windows or instead a component of Worm.AutoRun.eav.
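One way to apply the file-location check described above, as an added example that is not part of the original page: it flags an image that carries a core Windows process name but sits outside the expected directory, and a name that is a near miss of one. The expected-directory table (default install under C:\Windows), the sample paths and the function names are assumptions made for illustration.

```python
import ntpath

# Expected image directories for some core Windows processes (assumed defaults
# for an installation rooted at C:\Windows; adjust for your environment).
EXPECTED_DIRS = {
    "ctfmon.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return (verdict, matched_system_name) for one process image path."""
    name = ntpath.basename(image_path).lower()
    folder = ntpath.dirname(image_path).lower().rstrip("\\")
    if name in EXPECTED_DIRS:
        ok = folder == EXPECTED_DIRS[name]
        return ("ok" if ok else "wrong-location", name)
    # Not an exact system name: look for a near miss (1-2 edits away).
    for known in EXPECTED_DIRS:
        if edit_distance(name, known) <= 2:
            return ("lookalike-name", known)
    return ("unknown", None)


# Constructed sample rows, e.g. as exported from a process listing.
SAMPLE = [
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\Users\alice\AppData\Roaming\ctfmon.exe",
    r"C:\Windows\System32\spools.exe",
    r"C:\Program Files\Editor\editor.exe",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(classify(path), path)
```

A "wrong-location" or "lookalike-name" verdict is a reason to inspect the file, not proof of infection; an "unknown" verdict only means the name is not in the table.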

The Worm.AutoRun.eav Trojan That Shows Your Registry No Mercy

Worm.AutoRun.eav's Trojan attributes will attack your security by way of the Windows Registry, making additions and deletions that leave your PC ripe for attack by remote criminals.

  • Worm.AutoRun.eav will open a TCP port on your computer to allow an unfettered flow of information both from and to your computer. This can allow criminals to attack and control the computer's every action from remote locations, or merely let the criminal install other malicious software such as keyloggers or rogue security programs.
  • Other system settings will also be modified, partially to perfect Worm.AutoRun.eav's disguise and partially to disable certain programs, such as VMware. Worm.AutoRun.eav does this by changing the Windows Registry; although these changes don't harm the programs themselves, you may be unable to use the attacked programs until the Registry has been restored.

Apart from disabled programs, Worm.AutoRun.eav may give no obvious indication that it is active, but you should assume that any Worm.AutoRun.eav infection is working in the background until you've taken measures to stop it from starting.

File System Modifications

  • The following files were created in the system:

Registry Modifications

  • The following Registry values were newly created: