Play and let me rule your system

Today SophosLabs saw another worm that attempts to spread by copying itself to removable storage devices, creating an autorun.inf file in order to run when the device is is connected to a computer. The worm, detected as W32/Autorun-L, also does its best to make it difficult to remove it from an infected system.

Plenty of previous malware has disabled antivirus and system tools, but not quite in the same almost playful way as W32/Autorun-L. In addition to terminating security related processes it also “redirects” the execution of regedit.exe and taskmgr.exe to different games on the host machines by creating the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

Once these keys are added, whenever the user tries to start Regedit or Task manager, the sol.exe and spider.exe files are executed. It is kind of the worm to invite the system administrator to play and forget about the infection of the system!

Of course, Sophos customers are protected against this worm even prior to publication of W32/AutoRun-L.

Fortunately Sophos customers using the HIPS Suspicious Behavior Detection technology will have been protected from this threat even before our analysis.