W32/Autorun.worm!ju may also perform the following payloads:
It will modify Windows Registry and add the following entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] “Explorador” = “%WINDIR%\Hyden.dll.exe”
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\] “matriz” = “explorer.exe Twain32.dll.exe”
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs\] “Hyden” = “Hyden.dll.exe”
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\] “Hyden” = “Hyden.dll.exe”[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)]
The threat will drop the following malicious files:
- %WINDIR%\system32\Explores.exe
- %WINDIR%\system32\Hyden.dll.exe
- %WINDIR%\system32\Twain32.dll.exe
- %WINDIR%\Hyden.dll.exe
- %WINDIR%\Twain32.dll.exe
