W32/Autorun.PNL!worm

Analysis


W32/Agent.WJM!tr.dldr is classified as a downloader trojan.
Downloader Trojans have the capability to download other malicious files or updated versions of themselves.

  • It deletes itself from the current directory.

  • It copies itself into the %Program Files%\Microsoft Common folder as wuauclt.exe.

  • It attaches itself to the Windows Explorer process.

  • It adds the following registry value:
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    • value: Debugger
    • data: %Program Files%\Microsoft Common\wuauclt.exe
    This registers wuauclt.exe as the debugger for explorer.exe, so Windows launches wuauclt.exe whenever the Windows Explorer process starts; this is how the malware injects itself into that process.
  • It deletes the following registry values:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\{C702F274-C900-485F-A4C7-9F9DD9772A2B}\Parameters\Tcpip
    • values: DhcpDefaultGateway and DhcpSubnetMaskOpt
  • It tries to access the following URL:
    • aas[removed].ru
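
The Image File Execution Options (IFEO) "Debugger" technique described above is easy to audit from a registry export. The following checker is an added example and is not Fortinet's code; it assumes the IFEO key has been exported with `reg export` and parses a constructed sample of that export offline.

```python
"""Flag IFEO "Debugger" entries in a .reg export (added example, not Fortinet's code).

On a live host the export would come from:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
Here the export text is constructed inline so the script runs offline.
"""
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample export: one harmless subkey and one matching the behaviour in the entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} for every [key] block in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    # REG_SZ data is quoted and backslash-escaped in .reg files
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_ifeo_debuggers(text):
    """List (target_exe, debugger_path) for every IFEO subkey carrying a Debugger value.

    Any hit deserves review: legitimate debuggers are rare on end-user systems, and a
    Debugger value on explorer.exe pointing into Program Files is the pattern above.
    """
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(IFEO_KEY.lower() + "\\") and "Debugger" in values:
            hits.append((key.rsplit("\\", 1)[1], values["Debugger"]))
    return hits


if __name__ == "__main__":
    for target, debugger in find_ifeo_debuggers(SAMPLE_REG):
        print(f"IFEO debugger set for {target}: {debugger}")
```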

    Recommended Action

      FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
      FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry

    Detection Availability
    • FortiGate (Extended)
    • FortiClient
    • FortiMail
    • FortiSandbox
    • FortiWeb (Web Application Firewall)
    • FortiIsolator
    • FortiDeceptor
    • FortiEDR