Aliases: Autook, Worm.W32/[email protected]
Variants: W32/Autook

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 18 Feb 2008
Damage: Low

Characteristics: The W32.Autook Worm is considered a fast spreading threat because of its built-in ability to infect virtually all removable, fixed, and network mapped drives found in the compromised machine. This malware can therefore travel from one infected computer system to another without necessarily arousing user suspicion.

More details about W32.Autook

The initial execution of the W32.Autook malware involves the creation of an EXE and a DLL format file into the System folder of the Windows directory. These two files are assigned random filenames presumably to complicate the manner of detection. Part of the complexity associated with this threat is its ability to create an Operating System service using the Windows Registry. The role of this service is to randomly change its name at every instance the W32.Autook W32.Autex.C program is executed. This may result in multiple copies of the malware in the system registry. Normally the presence of this malware can be seen in different Windows Registry locations.

The Windows Registry keys are further modified by this malware to make sure that it will automatically load at every system boot up or startup. The W32.Autook W32.Autex.C program also uses the Windows Registry to affect the behavior of Windows Explorer as well as other system tools. After successfully modifying registry keys, this malware will attempt to contact a predetermined website to download a configuration file which will allow it to override some functions of Internet Explorer. This results in the redirection of the Web browser to malicious websites where more potentially dangerous codes will be downloaded into the machine. The files autorun.inf and auto.exe are then copied into all available drives defined in the infected computer system.