This application requires Javascript for optimal performance.

W32/AutoRun.NGP!worm - Released Sep 12, 2008 - Last Updated Sep 15, 2008

Alias/es

Worm.Win32.AutoRun.ngp(KAV), Worm.Autorun.BGD(Virusbuster), Trojan.Autorun-284(ClamAV)

Detection Availability

	Active Database	Extended Database
FortiGate		low high
FortiClient
FortiMail		N/A

Visible Symptoms

It deletes itself from the current directory.

The following files exist:

%System%\wuauclt.exe
%System%\Cpl32ver.exe

Detailed Analysis

The behavior of this variant is very similar to W32/Agent.5190!tr.dldr.

It downloads a file from one of the following links:

http://aasz{removed}.ru/load3/ld.php?v=1&rs=%u&uid=1
http://aasz{removed}.ru/load3/ld.php?v=1&id=%s&rs=%u&cc=0&uid=1
http://aasz{removed}.ru/load3/ld.php?v=1&rs=%u&n=1&uid=1
http://aasz{removed}.ru/load3/ld.php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1
http://aasz{removed}.ru/loadx/ld.php?v=1&rs=%u&uid=1
http://aasz{removed}.ru/loadx/ld.php?v=1&id=%s&rs=%u&cc=0&uid=1
http://aasz{removed}.ru/loadx/ld.php?v=1&rs=%u&n=1&uid=1
http://aasz{removed}.ru/loadx/ld.php?v=1&id=%s&rs=%u&n=1&cc=0&uid=1

Recommended Action

FortiGate Systems

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 558742

Current Threat Level

Vulnerabilities

Virus/Spyware

Spam

PGP Keys

Contact Form

Copyright © 2011 Fortinet Inc. All Rights Reserved