Aliases: W32/Autex.worm, Win32/HLLW.Autex, WORM_AUTEX.A, Worm/Autex, Win32/Autex.A
Variants: Win32.HLLW.Generic.60, Win32:Autex, Win32.Autex.A@mm, Worm Generic.LC, Worm/Autex.A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 24 Sep 2005
Damage: Low

Characteristics: Reports of infection indicate that the W32.Autex.C program makes use of mapped network drives in the infected computer system to spread its payload to other machines. There are also instances wherein this malware has been observed to initiate some forms of keystroke logging activities.

More details about W32.Autex.C

A W32.Autex.C program infected computer system would normally have traces of the 1.com, services.exe, finder.com, explorer.com, rundll32.com, exeroute.exe, command.pif, dxdiag.com, regedit.com, msconfig.com, iexplore.com, and iexplore.pif among others in the local hard drive. Although majority of these files look like legitimate Operating System processes, the clue to the W32.Autex.C infection is that these files are normally out of place. The Worm usually places these files in the C:\ Windows, Windows\ System, Program Files\ Internet Explorer, or Program Files\ Common Files directory folders and may have a different file size compared to the legitimate Windows processes. The key Torjan Program is likewise entered into the Windows Registry entries. The key points to the location of the services.exe file and are used to make sure that the W32.Autex.C is automatically loaded on system boot up or restart.

A corresponding Windows Registry key is also created for the other files associated with this malware. This will ensure that the infection is established in the host computer system. The Check_Associations key is also placed in the Windows Registry entry. By assigning the value YES to this key, the W32.Autex.C W32.Autex.C program will be able to scan the computer system for the presence of any mapped network drive where it can install the file autorun.inf. This will ensure that this Worm will be able to penetrate other computer systems in the network environment where the infected machine is connected to.