
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


SpyAutorun.A

 
Threat Level: Low threat
Damage: High
Distribution: Not widespread

Effects 

SpyAutorun.A carries out the following actions:

  • It is designed to steal confidential user information, such as any type of password or email addresses, among others.
  • To do so, it logs the keystrokes typed by the user.
  • The information it gathers is stored in a text file that it creates on the affected system, and is then sent to one of the following email addresses:
    up.d<blocked>al1.gmail.com
    up.d<blocked>al.gmail.com

Additionally, it carries out several modifications in the Windows Registry of the affected computer, which have the following consequences:

  • It disables the following items:
    - Windows Registry Editor.
    - Task Manager, which prevents the user from viewing the processes that are running.
    - Folder Options in Windows Explorer, which prevents the user from accessing the folder configuration menu.
    - The context menu, that is, the menu that appears when right-clicking the mouse.
  • It disables the following options from the Start menu:
    - Search, which allows files to be found quickly and directly.
    - Run, which allows files to be run quickly and directly.

Infection strategy 

SpyAutorun.A creates the following files in the Windows directory:

  • LSASS.EXE, which is a copy of the worm.
  • A text file with a random name, stored in a folder called security that the worm itself creates in this directory. This text file contains the information that the worm has gathered by logging the keystrokes typed by the user.

 

SpyAutorun.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    System Lsass = %windir%\lsass.exe

    where %windir% is the Windows directory.
    By creating this entry, SpyAutorun.A ensures that it is run whenever Windows is started.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 01, 00, 00, 00

    It disables the Windows Registry Editor.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 01, 00, 00, 00

    It disables the Task Manager.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoFind = 01, 00, 00, 00

    It hides the Search option in the Start menu.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoRun = 01, 00, 00, 00

    It hides the Run option in the Start menu.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoFolderOptions = 01, 00, 00, 00

    It does not display the Folder Options entry in Windows Explorer.
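
The registry entries listed above can be checked in an exported registry dump. The following Python sketch is an added example, not part of the original encyclopedia entry: it parses `.reg`-style text and reports which of the listed values are set. The sample dump, the function names and the handling of `dword:`/`hex:` data are assumptions made for illustration.

```python
import re

# Policy values from the entry above, keyed by (lower-cased key, value name).
HKCU_SYS = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
HKLM_EXP = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY_IOCS = {
    (HKCU_SYS, "disableregistrytools"): "Registry Editor disabled",
    (HKCU_SYS, "disabletaskmgr"): "Task Manager disabled",
    (HKLM_EXP, "nofind"): "Start menu Search hidden",
    (HKLM_EXP, "norun"): "Start menu Run hidden",
    (HKLM_EXP, "nofolderoptions"): "Folder Options hidden",
}

# Constructed sample in .reg export style; not taken from a real host.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System Lsass"="C:\\WINDOWS\\lsass.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=hex:01,00,00,00
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFind"=dword:00000000
"NoRun"=dword:00000001
'''

def parse_reg(text):
    """Yield (key, value name, raw data) from .reg-style text, lower-casing names."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            yield key, m.group(1).lower(), m.group(2)

def is_set(data):
    """True for a non-zero dword: or hex: value (the entry lists 01, 00, 00, 00)."""
    m = re.match(r"(?:dword|hex):([0-9a-f][0-9a-f,]*)$", data.strip(), re.I)
    return bool(m) and int(m.group(1).replace(",", ""), 16) != 0

def scan(text):
    """Return a finding for every listed indicator present in the dump."""
    findings = []
    for key, name, data in parse_reg(text):
        if (key, name) in POLICY_IOCS and is_set(data):
            findings.append(POLICY_IOCS[(key, name)])
        elif key == RUN_KEY:
            # The genuine lsass.exe lives in System32, not the Windows directory.
            path = data.strip('"').replace("\\\\", "\\").lower()
            if path.endswith("\\lsass.exe") and "\\system32\\" not in path:
                findings.append(f"Run entry '{name}' starts lsass.exe outside System32")
    return findings
```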

Means of transmission 

SpyAutorun.A spreads through removable drives, like USB keys. In order to do so, it creates a copy of itself in these drives and it also creates an AUTORUN.INF file. This way, the copy of the worm is automatically run when any of these drives is accessed.

Further Details  

SpyAutorun.A is 37,376 bytes in size and is compressed with UPX v1.9.