This application requires Javascript for optimal performance.

W32/AutoRun.FYR!tr - Released Oct 29, 2008 - Last Updated Oct 31, 2008

Alias/es

Trojan.Win32.Agent.akxw(KAV), Trojan.Auraax.A(Virusbuster), WORM_AUTORUN.DAZ(Trend)

Detection Availability

	Active Database	Extended Database
FortiGate		low high
FortiClient
FortiMail		N/A

Visible Symptoms

The following files exist under the root folder of all removeable physical partitions:

system.exe
autorun.inf

Detailed Analysis

Downloads files from the following URLs:

http://furely.r{REMOVED}ad2/ld.php?v=1&rs={RANDOM}&uid=1
http://furely.r{REMOVED}ad2/ld.php?v=1&id={RANDOM}&rs={RANDOM}&cc=0&uid=1
http://furely.r{REMOVED}ad2/ld.php?v=1&rs={RANDOM}&n=1&uid=1
http://furely.r{REMOVED}ad2/ld.php?v=1&id={RANDOM}&rs={RANDOM}&n=1&cc=0&uid=1
http://kexlup.r{REMOVED}adx/ld.php?v=1&rs={RANDOM}&uid=1
http://kexlup.r{REMOVED}adx/ld.php?v=1&id={RANDOM}&rs={RANDOM}&cc=0&uid=1
http://kexlup.r{REMOVED}adx/ld.php?v=1&rs={RANDOM}&n=1&uid=1
http://kexlup.r{REMOVED}adx/ld.php?v=1&id={RANDOM}&rs={RANDOM}&n=1&cc=0&uid=1

The behavior of this variant is very similar to W32/Agent.5190!tr.dldr. For more information, please see the description for W32/Agent.5190!tr.dldr.

Recommended Action

FortiGate Systems

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 606527

Current Threat Level

Vulnerabilities

Virus/Spyware

Spam

PGP Keys

Contact Form

Copyright © 2011 Fortinet Inc. All Rights Reserved