Word spreads in the name of "True Love"


True love never runs smooth, they say.

Such is the case for this worm, W32/AutoRun-AOG.

W32/AutoRun-AOG comes with a few nasty surprises.

To begin with, the worm attempts to spread to network shared drives using the name "True_Love.exe" (see above picture).

Having done that, it then tries to copy itself to removable shared drives as MsRun32.exe and creates the file AUTORUN.INF on the removable drive. The file AUTORUN.INF is designed to run the worm when the drive is connected to an uninfected computer. Sophos Anti-Virus proactively detects the file AUTORUN.INF as Mal/AutoInf-A.
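A defender's check for the AUTORUN.INF mechanism described above, as an added example that is not part of the original post: it parses an autorun file and reports the entries that would launch a program from the drive. The sample file content is constructed (the post does not show the worm's actual AUTORUN.INF), and the function names are hypothetical.

```python
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding or a key outside [autorun]
        key, _, value = map(str.strip, line.partition("="))
        if LAUNCH_KEYS.match(key) and value:
            entries.append((key.lower(), value))
    return entries

def target_of(command):
    """Extract the program path from a command line, honouring quotes."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def suspicious(text):
    """Launch entries whose target is an executable or script file."""
    return [(k, c) for k, c in launch_entries(text)
            if target_of(c).lower().endswith(EXEC_EXT)]

# Constructed sample for illustration, not the worm's real file.
SAMPLE = """\
; constructed sample
[AutoRun]
xjunkpadding
Open=MsRun32.exe
shell\\open\\Command="MsRun32.exe" /x
icon=folder.ico
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, cmd in suspicious(SAMPLE):
        print(f"launches program: {key} -> {cmd}")
```

Run against the AUTORUN.INF at the root of a removable drive, any reported entry names the file to quarantine along with the autorun file itself.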

Some of its other nefarious activities include the ability to send messages to your buddies on Yahoo! Messenger. Naturally, these messages are not benign either. They come nicely packaged with a link (one that was known to host malware but has since been removed) and, of course, the message itself tries to encourage the recipient to click on that link.

Some of these messages include:

"see this comedy joke click on this link"
"Ha ha ha click on link to laugh ..."
"nice to listen .........."

And as if that were not enough damage, W32/AutoRun-AOG also disables your Windows Task Manager, stops access to the Windows Registry, kills any process related to the command terminal, and proceeds to mess up your registry settings, including adding functionality to ensure the worm runs at the next login.

Be careful of "true love", especially one that is being shared freely. You never know when you'll get infected, even more so if you don't have protection. ;-)
