Worm.Win32.Autorun.cpe

Tag: Internet Worms

The worm will disable and delete the Windows Update service.

It also downloads files from the following links:

http://www.koreaarc.com/*****/www.rar
http://www.koreaard.com/*****/ppp.rar

and saves them to the Windows system directory under the following respective names:

%System%\xtemp1.exe
%System%\xtemp2.exe

These files will then be launched for execution.

At the time of writing, these links were not working.

The worm creates a log file of its activity:

%System%\config\userevent.evt

It creates the following folders:

%WinDir%\web\webpf
%WinDir%\web\webdc
%WinDir%\web\webpt
%WinDir%\web\webhp
%WinDir%\web\webxs

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program

This worm creates copies of itself on removable storage media. It is a Windows PE EXE file. It is 73728 bytes in size.

Installation

Once launched, the worm copies its executable file to the Windows system directory:

%System%\ssmicrco.scr

Propagation

The worm copies its executable file to all removable media under the following name:

<x>:\boot.pif

In addition to its executable file, the worm also places the file shown below in the root directory of every disk:

<x>:\autorun.inf

<x> stands for the letter of the removable disk.

This file will launch the worm's executable file each time the user opens the infected partition using Explorer.
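A defender's check for the autorun.inf mechanism described above, as an added example that is not part of the original write-up: it parses an autorun.inf, lists the programs its launch keys point at, and flags executable types such as the boot.pif copy. The sample file content and the function names are constructed for illustration, since the page does not reproduce the worm's actual autorun.inf.

```python
import re
from pathlib import Path, PureWindowsPath

# [autorun] keys that make Explorer start a program when the volume is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# File types Windows runs directly; .pif and .scr are the ones this write-up names.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

def launch_targets(text):
    """Return (key, program) pairs for launch directives in the [autorun] section."""
    hits, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not (in_section and sep and value and LAUNCH_KEY.match(key)):
            continue
        # The program is the quoted string, or else the first space-separated token.
        prog = value[1:].split('"')[0] if value[0] == '"' else value.split()[0]
        hits.append((key.lower(), prog))
    return hits

def scan_volume(root):
    """Report executable launch targets named by <root>/autorun.inf, if it exists."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    findings = []
    for key, prog in launch_targets(inf.read_text(encoding="latin-1")):
        if PureWindowsPath(prog).suffix.lower() in EXEC_EXTS:
            present = (Path(root) / prog.replace("\\", "/").lstrip("/")).is_file()
            findings.append({"key": key, "target": prog, "present": present})
    return findings

# Constructed sample: the page does not reproduce the worm's autorun.inf.
SAMPLE = "[AutoRun]\r\n;junk\r\nopen=boot.pif\r\nshell\\open\\command=boot.pif /q\r\nicon=folder.ico\r\n"

if __name__ == "__main__":
    for key, prog in launch_targets(SAMPLE):
        print(f"{key} -> {prog}")
```

Call `scan_volume` with the root of each mounted removable volume; a finding with `present` set to true means the referenced executable is actually on the media.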

Payload

©Virus-Encyclopedia.com All Rights Reserved.