AutoRun.TET is a worm. Worms spread from computer to computer, making copies of themselves over the network. They can spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities.

AutoRun.TET has a file size of 32,256 bytes. It drops the following files on the hard drive:
- c:\sample.exe (32256 bytes)
- C:\WINDOWS\system32\csrsc.exe (32256 bytes)

It also changes the Windows registry:
- Creates key "HKLM\Software\\Microsoft\\Windows".
- Sets value "onstared"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows".
- Creates key "HKLM\System\CurrentControlSet\Services\WinSpoolSvc".
- Sets value "ImagePath"=""C:\WINDOWS\system32\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\WinSpoolSvc".
- Sets value "DisplayName"="Windows Spool Services" in key "HKLM\System\CurrentControlSet\Services\WinSpoolSvc".
- Creates value "C:\WINDOWS\system32\csrsc.exe"="C:\WINDOWS\system32\csrsc.exe:
- :Enabled:Microsoft Enabled" in key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".

AutoRun.TET configures the following services on NT-based machines:
- Creates service "WinSpoolSvc (Windows Spool Services)" as ""C:\WINDOWS\system32\csrsc.exe"".

It creates the following mutex to ensure only one instance is running: Xx8K78xP.