Aliases: W32/AutoRun-NV
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 23 Oct 2007
Damage: Medium

Characteristics: The W32.usbwatch application can spread through replicating itself to removable drives and mapped. It takes user passwords and configuration information from a computer that is copromised. When this worm executes it will create some files and then creates and modifies some registry entries.

More details about W32.Usbwatch

This worm collects the information of the hard disk together with the capacity of the disk and the free space, variables that are recent environment on the computer, recently running processes, names of the user accounts, and the listing of the files, any of them, from the Drive C through the Drive H having .doc, .xls, .pdf, .ppt, .lnk extension. The worm also collects information of network configuration from the computer that is compromised. These configurations comprises the Internet proxy settings, Domain Name, ARP table entries, Host name, Local DNS server addresses, IP address, and Gateway address. Also the worm steals information from the PStore. This information is the passwords on the MSN Explorer, passwords on the Outlook Express, Internet Explorer Auto-Complete, and the passwords of the Internet Explorer for the sites of password-protected.

When the W32.Usbwatch was performed, the worm will generate files such as the %DriveLetter%\Autorun.inf, %UserProfile%\Local Settings\Temp\devwinmgmt.msc, %DriveLetter%\vmc[THREE RANDOM LETTERS].exe, %UserProfile%\Temp\getself.bat, %CurrentFolder%\svchost2.exe, %CurrentFolder%\explore.exe, %CurrentFolder%\svchost.exe, and %CurrentFolder%\wauclt.exe. Thyen the worm generates entries of the registry and then modifies it after creating these entries. The worm will then generate USBWATCHPR01, a particular mutex, so that the copy of the worm runs only on the computer that was compromised. The worm also generates a file so it performs whenever drive is being run. The harvested information was saved to particular locations. The worm also collects the information from the computer that was being compromised.