W32.Autosky


Aliases: W32/Hasnot-A, Autosky
Variants: hasnot.a, Worm.W32/Autosky@SMB

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North and South America
Removal: Easy
Platform: W32
Discovered: 22 May 2007
Damage: Medium

Characteristics: Instances of infections attributed to the W32.Autosky Worm revealed that this malware is capable of using removable storage devices as a transport media. This threat was also designed as a network aware Worm allowing it to use weakly protected network shares.

More details about W32.Autosky

The directories Program Files, Windows, and Documents and Settings are some of the most targeted locations of this malware. It makes use of the folder and subfolders in these locations to store some of its associated files like explorer.exe, skynet.net, svchost.exe, svchoist.exe, WinNT.com, and default.pif among others. The Windows Registry is targeted by the W32.Autosky malware in order to gain the ability to execute together with the Operating System at every restart or boot up process. It also makes use of the Windows Registry to conceal itself in the file system of the infected machine. To further complicate the detection and removal process, the W32.Autosky W32.Autex.C program performs a routine which modifies the Windows Registry keys associated with critical system tools. This will result in the failure of the computer user to access these tools and manually terminate the background processes used by this malware.

According to previous reports of infections, the W32.Autosky program may terminate the regedit.exe, tommy.exe, msconfig.exe, dh3-iis.exe, and taskmgr.exe processes if it finds them running in the machine. The malware hide all folders in the infected computer system and create an executable file in the same location using the name of the folder. The result is that a compromised machine would often have folders named Driver.exe or something similar. All shared and removable drives found in the computer system will then have a copy of the autorun.inf and skynet.exe files which will allow the Worm to automatically launch when these drives are accessed. The malware may delete files with GHO, VCD, or NRG extensions.