Aliases: Trojan.Win32.Autoit.dt, WORM_AUTORUN.AB, Trojan:Win32/Meredrop, W32/YahLover.worm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 25 Jul 2007
Damage: Low

Characteristics: The malware W32.Imautorun is an autorun worm that can copy itself to all available drives and download potentially dangerous files to the target system. The Autorun feature that is exploited by this worm permits executable files on drives to be automatically executed when a drive is used. This feature functions through using the file autorun.inf. Windows will check for this file every time that a drive is used. When found: it will follow the commands within the file.

More details about W32.Imautorun

The W32.Imautorun is created to propagate across networks. It does not infect files but it may have within its code one or several payloads which can include compromised system security and data theft. This autorun worm will drop an EXE file as a copy of itself when it is run in the infected computer. It will also create an autorun.inf file with its attributes set to read only, hidden and system. This file will contain codes with random filenames predefined by the worm’s creator. It will likewise create registry entries as a part of the worm’s installation procedure and so that it will automatically execute at every Windows startup. The W32.Imautorun malware will try to retrieve a potentially malicious file from a website predetermined by its author and then delete itself after it has been run in the system.

End the worm W32.Imautorun’s running process by running the Windows Task Manager. Press Ctrl+Alt+Delete on Windows ME or 98 and Ctrl+Shift+Esc on Windows XP, 2000, Server 2003 and NT and then go to “Processes”. Locate the process run by the worm and click the button “End Process” or “End Task” (depending on the Windows OS version of the system). Close the Windows Task Manager then open it again to check if the process has been successfully ended. Next, Remove all the Autostart entries and other entries added by the worm from the registry then restore all entries that have been modified by the worm. You also have to locate all the files and the autoun.inf file added by the worm by using the "Windows’ Search" function.