
Virus.Win32.AutoRun.ah

Detection added: May 26 2007 12:58 GMT
Update released: May 26 2007 14:44 GMT
Description added: Jun 01 2007
Behavior: Virus

Technical details

This file virus is a Windows PE EXE file. The file is 380 416 bytes in size. It is written in Delphi.

Installation

When launched, the virus copies its executable file as follows:

%System%\config\csrss.exe
%WinDir%\media\arona.exe

It also creates the following file:

%System%\logon.bat

When this file is run, it will launch a copy of the virus:

%System%\config\csrss.exe

In order to ensure that the virus is launched automatically when the system is rebooted, it adds a link to its executable file to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"

The virus also creates the following files:

%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf

These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is run, it will launch a copy of the virus: %System%\config\csrss.exe.

Payload

The virus modifies values of the following system registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1

It also searches the hard disk partitions listed below for files with an ".mp3" extension:

d:\
c:\
e:\
f:\
g:\
h:\

These files will then be deleted.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the virus process.
  2. Delete the original virus file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameters from the system registry (see What is a system registry and how do I use it for details on how to edit the registry):
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableTaskMgr = 1
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    NoFolderOptions = 1
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Worms" = "%System%\logon.bat"
  4. Delete the following files:
    %System%\config\csrss.exe
    %WinDir%\media\arona.exe
    %System%\logon.bat
    %System%\config\autorun.inf
    h:\autorun.inf
    f:\autorun.inf
    i:\autorun.inf
    g:\autorun.inf
    k:\autorun.inf
    l:\autorun.inf
    o:\autorun.inf
    j:\autorun.inf
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
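
The file and registry artifacts listed above can be checked in one pass before any manual cleanup. The following PowerShell script is an added example, not part of the original description or Kaspersky's tooling; it only reads and reports, and it assumes that %System% resolves to %WinDir%\System32 (with SysWOW64 checked as well).

```powershell
# Read-only audit for the artifacts listed in this description; nothing is deleted.
# Assumption: %System% is %WinDir%\System32 (SysWOW64 is checked too, since a
# 32-bit process on 64-bit Windows is redirected there).
$sysDirs = @("$env:windir\System32", "$env:windir\SysWOW64") |
    Where-Object { Test-Path -LiteralPath $_ }
$virusSize = 380416   # file size stated in the description, in bytes

# File artifacts named in the description.
$paths = @("$env:windir\media\arona.exe")
foreach ($dir in $sysDirs) {
    $paths += "$dir\config\csrss.exe", "$dir\config\autorun.inf", "$dir\logon.bat"
}
foreach ($letter in 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'o') {
    $paths += "${letter}:\autorun.inf"
}

$findings = @()
foreach ($p in $paths) {
    if ([System.IO.File]::Exists($p)) {
        # -Force is needed to read items that carry hidden or system attributes.
        $item = Get-Item -LiteralPath $p -Force
        $note = if ($item.Length -eq $virusSize) { 'size matches description' } else { 'review manually' }
        $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = "$($item.Length) bytes, $note" }
    }
}

# Registry values named in the description.
$regChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';           Name = 'Worms' }
)
foreach ($c in $regChecks) {
    $prop = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$($c.Key)\$($c.Name)"; Detail = "value = $($prop.($c.Name))" }
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An autorun.inf in a drive root can be legitimate, so a file hit there needs manual review. The HKCU checks apply only to the account that runs the script.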
 

Copyright © 1996 - 2010
Kaspersky Lab
All rights reserved