W32/AutoRun.lw

نوع : کرم اینترنتی
محیط‌های قابل اجرا: Windows 2000, XP, NT, ...
اندازه :  46,280 بایت



خصوصیات:


جزئیات و خصوصیات بدافزار W32/AutoRun.lw به شرح زیر می باشد.


 فایلهایی که بر روی سیستم ایجاد می نماید عبارتند از:

 Filename(s) نام  و مسیر فایل
 File Size اندازه فایل
 Malware Name نام بدافزار
 %Roots%\ZGTZ.PIF  46,280 bytes  W32/AutoRun.lw
 %Roots%\autorun.inf  151 bytes  ------------
 %System%\dllcache\spoolsv.exe  46,280 bytes  W32/AutoRun.lw
 %System%\ttmsjkm.dll  51,933 bytes  ------------
 c:\tm.sa  57,856 bytes  ------------

این کرم اینترنتی فایل زیر را از سیستم پاک می کند.

%System%\mfc71.dll

با قرار دادن کپی‌هایی از خود، به همراه فایل Autorun.inf، بر روی حافظه‌های قابل حمل (Cool Disk / درایوهای Removable)، باعث انتقال و انتشار خود بر روی سیستم‌های مختلف می‌شود؛ با اتصال این حافظه به سیستم دیگر و اجرای خودکار Autorun، کرم روی آن سیستم نیز اجرا می‌شود.

%Removable%\ZGTZ.PIF
%Removable%\Autorun.inf

 تغییرات رجیستری سیستم، به شرح ذیل می‌باشد. توجه: کلیدهای زیر به صورت فشرده و بدون فاصله نوشته شده‌اند و معادل کلید استاندارد «Windows NT\CurrentVersion\Image File Execution Options» هستند. با ثبت مقدار debugger برای نام فایل اجرایی هر یک از ابزارهای فهرست‌شده (که بسیاری از آن‌ها ضدویروس و ابزارهای امنیتی هستند)، هر بار که کاربر آن ابزار را اجرا کند، به جای آن فایل %System%\dllcache\spoolsv.exe (کپی کرم) اجرا می‌شود؛ به همین دلیل حذف این مقادیر پیش از اجرای ابزارهای امنیتی ضروری است:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
internetnet = "%System%\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ImageFileExecutionOptions\360rpt.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360safe.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360safebox.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\360tray.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\ANTIARP.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\ArSwp.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ast.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\AutoRun.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\AutoRunKiller.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\AvMonitor.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\AVP.COM]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\AVP.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\CCenter.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Frameworkservice.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\GFUpd.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\GuardField.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\HijackThis.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\IceSword.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Iparmor.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KASARP.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kav32.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KAVPFW.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kavstart.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kissvc.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kmailmon.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KPfwSvc.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KRegEx.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVMonxp.KXP]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVSrvXP.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\KVWSC.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\kwatch.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Mmsk.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\msconfig.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Navapsvc.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\nod32krn.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Nod32kui.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\PFW.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\QQDoctor.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RAV.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Ravservice.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RavStub.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RAVTRAY.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Regedit.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwmain.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwProxy.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rfwsrv.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rfwstub.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Rsaupd.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RsMain.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\rsnetsvr.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\RSTray.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Runiep.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\safeboxTray.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\ScanFrm.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\SREngLdr.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojanDetector.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\Trojanwall.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\TrojDie.KXP]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\VPC32.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\VPTRAY.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\WOPTILITIES.EXE]
debugger = "%System%\dllcache\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
CheckedValue ="0x00000000"
(صفر کردن این مقدار، گزینه «نمایش فایل‌های مخفی» در Windows Explorer را غیرفعال می‌کند و در نتیجه فایل‌های مخفی‌شده کرم از دید کاربر پنهان می‌مانند.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"

برای برطرف‌سازی اثرات تخریبی این کرم در رجیستری، می‌توانید از برنامه زیر استفاده کنید:

http://www.imenantivirus.com/RegRepair.zip

سرویسهای زیر توسط W32/AutoRun.lw متوقف می شوند:

 Name نام سرویس
 Description عنوان سرویس
 Filename(s) نام  و مسیر فایل
 ALG  Application Layer Gateway Service  %System%\alg.exe
 SharedAccess  Windows Firewall/Internet Connection Sharing (ICS)  %System%\svchost.exe -k netsvcs



