Sonicwall Signatures


Go to All Categories list.

AutoRun.TET is a Worm. Worms spread from computer to computer, making copies of themselves over the network. They could spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. AutoRun.TET has a file size of 32,256 bytes. AutoRun.TET drops the following files on the hard drive:
  • c:\sample.exe (32256 bytes)
  • C:\WINDOWS\system32\csrsc.exe (32256 bytes)
It also changes Windows registry:
  • Creates key "HKLM\Software\\Microsoft\\Windows".
  • Sets value "onstared"="c:\sample.exe" in key "HKLM\Software\\Microsoft\\Windows".
  • Creates key "HKLM\System\CurrentControlSet\Services\WinSpoolSvc".
  • Sets value "ImagePath"=""C:\WINDOWS\system32\csrsc.exe"" in key "HKLM\System\CurrentControlSet\Services\WinSpoolSvc".
  • Sets value "DisplayName"="Windows Spool Services" in key "HKLM\System\CurrentControlSet\Services\WinSpoolSvc".
  • Creates value "C:\WINDOWS\system32\csrsc.exe"="C:\WINDOWS\system32\csrsc.exe:
  • :Enabled:Microsoft Enabled" in key "HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
AutoRun.TET configures following services on NT based machines:
  • Creates service "WinSpoolSvc (Windows Spool Services)" as ""C:\WINDOWS\system32\csrsc.exe"".
It creates the following mutex to ensure only one instance is running: Xx8K78xP.

Relevant Information