W32.Auraax


Aliases: Auraax.C, W32/Auraax.worm, W32/Autorun.QXQ!worm, Win32/Auraax.BV, Worm.AutoRun.qxq
Variants: Worm.Win32.AutoRun.qxq, Win32/Auraax.DD, BackDoor-AWQ.b, Troj/Agent-IEZ, Trojan:Win32/Emold.D

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Europe, Asia
Removal: Easy
Platform: W32
Discovered: 24 Sep 2008
Damage: Low

Characteristics: The W32.Auraax malware belongs to a family of Worms with the built-in ability to spread their code to other computer systems using removable storage devices as the transport medium. This Worm is also known for downloading rogue applications from predetermined websites, probably controlled by its author.

More details about W32.Auraax

When first executed, this malware creates the file wuaulct.exe in the Microsoft Common folder under the Program Files directory; this is presumed to be the Worm's main trigger file. The W32.Auraax program then creates an autorun.inf file on any attached removable storage device, accompanied by a system.exe file which is actually a copy of itself. This allows the malware to use the removable device to carry its code to any other computer the device is plugged into: the autorun.inf file ensures that the executable is launched automatically as soon as the removable drive is accessed by the computer user. The W32.Auraax Worm then corrupts the svchost.exe and Explorer.exe system processes by injecting its code into them. A debugger key is also added to the Windows Registry, which ensures that the Worm is executed every time Windows Explorer is launched by the computer user.
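
As an added defensive example (not part of this write-up), the following Python helper parses an autorun.inf file collected from removable media and flags [autorun] entries that would launch an executable stored on the drive, such as the system.exe copy described above. The sample autorun.inf content is constructed for illustration.

```python
"""Triage helper for autorun.inf files found on removable media.

Flags [autorun] entries that would auto-launch a program from the drive itself,
the propagation pattern described for W32.Auraax (autorun.inf + system.exe).
The sample content below is constructed for illustration, not a captured file.
"""
import configparser
import ntpath

# [autorun] keys that cause a program to run when the drive is opened or double-clicked
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample mirroring the pattern on this page: the worm copy is named system.exe
SAMPLE_AUTORUN = r"""[AutoRun]
open=system.exe
shell\open\command=system.exe
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

def parse_autorun(text):
    """Return the [autorun] section (any letter case) as a lowercase-keyed dict; {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # INF keys are case-insensitive
    try:
        cp.read_string(text)
    except configparser.Error:  # not INI-shaped at all (or malformed): nothing to report
        return {}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp.items(section)) if section else {}

def launch_target(value):
    """Return the program named in a launch command: first token, quotes stripped."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def find_launch_entries(text):
    """List (key, program) pairs for launch keys whose target has an executable extension."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS:
            program = launch_target(value)
            if ntpath.splitext(program)[1].lower() in EXEC_EXTENSIONS:
                findings.append((key, program))
    return findings

if __name__ == "__main__":
    for key, program in find_launch_entries(SAMPLE_AUTORUN):
        print(f"autorun launch entry: {key} -> {program}")
```

Any launch entry on a removable drive deserves a look; a hit on a file sitting in the drive root next to autorun.inf, as here, matches the worm's propagation pattern directly.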

The Windows Registry is also used by this program to make sure that the malware becomes active again immediately after every restart or reboot. The W32.Auraax program has also been observed contacting remote servers, based mostly in Russia, to receive additional commands from its author and to download further potentially harmful code onto the compromised machine. The malware also has a routine that can hook certain functions of the Internet Explorer Web browser and redirect it to websites controlled by the malicious author.