Autorun.AOL

Tag: MS04-011. Worm.

Autorun.AOL is a worm whose main objective is to spread and affect as many computers as possible. It uses the following means to spread:

  • via the Internet, by exploiting the vulnerability called MS04-011.
  • across networks.
  • through removable drives.

Additionally, it has backdoor characteristics, as it attempts to connect to an IRC channel in order to receive instructions from its creator, such as downloading files or launching denial of service attacks, among others.

Autorun.AOL is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

Is my computer infected by Autorun.AOL?

In order to make absolutely sure that Autorun.AOL has not affected your computer, you have the following options:

  1. Carry out a full scan of your computer using Panda Antivirus, after checking that it is updated. If it isn't and you are a registered Panda Security client, update it by clicking here.
  2. Check the computer with Panda ActiveScan, Panda Security's free, online scanner, which will quickly detect any possible viruses.

How to remove Autorun.AOL?

If Panda Antivirus or Panda ActiveScan detects Autorun.AOL during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.

Additional notes:

  • After deleting this malware by following the specified steps, if your computer runs Windows Millennium, click here to find out how to eliminate it from the _Restore folder.
  • After deleting this malware by following the specified steps, if your computer runs Windows XP, click here to find out how to eliminate it from the _Restore folder.

How can I protect my computer from Autorun.AOL?

In order to keep your computer protected, bear the following tips in mind:

  • Install a good antivirus on your computer. Click here to get the Panda antivirus solution that best suits your needs.
  • Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  • Keep your permanent antivirus protection enabled at all times.

For more detailed information about how to protect your computer against viruses and other threats, go to:

http://www.pandasecurity.com/homeusers/security-info/tips?sitepanda=particulares.

Autorun.AOL carries out the following actions:

  • It has backdoor characteristics, as it attempts to connect to an IRC channel by scanning the ports of the system.
  • If it connects to any of them, it remains waiting for instructions from its creator, such as downloading files or launching denial of service attacks, among others.
  • Autorun.AOL creates the file CSRSC.EXE in the Windows system directory. This file is a copy of the worm.

Autorun.AOL creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSPOOLSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSPOOLSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSPOOLSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSpoolSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSpoolSvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSpoolSvc\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINSPOOLSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINSPOOLSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINSPOOLSVC\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSpoolSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSpoolSvc\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSpoolSvc\Security

By creating these entries, Autorun.AOL registers itself as a service called WinSpoolSVC in order to ensure that it is run whenever Windows is started.

Means of transmission

Autorun.AOL spreads via the Internet, across networks and through removable drives.

1.- Transmission via Internet

In order to do so, it carries out the following process:

  • It attacks random IP addresses, on which it attempts to exploit the vulnerability called MS04-011.
  • If successful, it downloads and runs the worm in the vulnerable computer.

2.- Transmission across networks

It follows the routine below:

  • It checks if the affected computer belongs to a network.
  • If so, the worm attempts to access network shared resources, using passwords that are typical or easy to guess.
  • If successful, it copies itself to the shared resources.
  • Additionally, it attempts to access SQL servers using the following passwords:
    12345
    123456
    1234567
    12345678
    123456789
    1234567890
    access
    accounting
    accounts
    admin
    administrador
    administrat
    administrateur
    administrator
    admins
    backup
    bitch
    blank
    brian
    changeme
    chris
    cisco
    compaq
    control
    database
    databasepass
    databasepassword
    db1234
    dbpass
    dbpassword
    default
    domain
    domainpass
    domainpassword
    exchange
    george
    guest
    hello
    homeuser
    internet
    intranet
    katie
    linux
    login
    loginpass
    nokia
    oeminstall
    oemuser
    office
    oracle
    orainstall
    outlook
    pass1234
    passwd
    password
    password1
    peter
    qwerty
    server
    siemens
    sqlpassoainstall
    staff
    student
    susan
    system
    teacher
    technical
    win2000
    win2k
    win98
    windows
    winnt
    winpass
    winxp

3.- Propagation through removable drives

It creates a copy of itself called AUTORUNME.EXE on any removable drive connected to the computer.
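As an added defender-side example (not part of this entry and not a Panda Security tool), the PowerShell triage script below checks a host for the artifacts described above: the CSRSC.EXE copy in the system directory, the WinSpoolSvc service and LEGACY_WINSPOOLSVC keys, and AUTORUNME.EXE on removable drives. It assumes System32 is the "Windows system directory" the entry refers to and that the service key, if present, carries an ImagePath value naming the binary it launches.

```powershell
# Added triage script; read-only, it deletes nothing. Run from an elevated prompt.
# Checks for the three Autorun.AOL artifacts listed in this entry:
#   1. CSRSC.EXE in the Windows system directory (assumed to be System32)
#   2. the WinSpoolSvc service keys and LEGACY_WINSPOOLSVC enum keys under HKLM\SYSTEM
#   3. AUTORUNME.EXE on any removable drive

$findings = @()

# 1. Dropped copy of the worm in the system directory.
$dropped = Join-Path $env:SystemRoot 'System32\CSRSC.EXE'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Service persistence. The entry lists both ControlSet001 and the live
#    CurrentControlSet, so both are checked.
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSpoolSvc',
    'HKLM:\SYSTEM\ControlSet001\Services\WinSpoolSvc',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINSPOOLSVC',
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSPOOLSVC'
)
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
        # ImagePath (assumed to exist on the service key) shows the binary the
        # service launches; record it so the copy can be located and confirmed.
        $imagePath = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath) { $findings += "  ImagePath = $imagePath" }
    }
}
$svc = Get-Service -Name 'WinSpoolSvc' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service registered: $($svc.Name) ($($svc.Status))" }

# 3. Copies on removable drives (Win32_LogicalDisk DriveType 2 = removable).
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $copy = Join-Path $_.DeviceID 'AUTORUNME.EXE'
    if (Test-Path -LiteralPath $copy) { $findings += "File present on removable drive: $copy" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Autorun.AOL artifacts found.'
} else {
    Write-Output 'Possible Autorun.AOL artifacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit is a lead, not a verdict: confirm it with the full antivirus scan described earlier before removing anything, since the service and file names alone do not prove the binary is the worm.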

©Virus-Encyclopedia.com All Rights Reserved.