W32/Autorun.worm!ju


W32/Autorun.worm!ju may also perform the following payloads:

It will modify Windows Registry and add the following entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "Explorador" = "%WINDIR%\Hyden.dll.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
    "matriz" = "explorer.exe Twain32.dll.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs\]
    "Hyden" = "Hyden.dll.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\]
    "Hyden" = "Hyden.dll.exe"

[%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)]

The threat will drop the following malicious files:

  • %WINDIR%\system32\Explores.exe
  • %WINDIR%\system32\Hyden.dll.exe
  • %WINDIR%\system32\Twain32.dll.exe
  • %WINDIR%\Hyden.dll.exe
  • %WINDIR%\Twain32.dll.exe
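The registry values and dropped files above are the host-based indicators a responder would look for. The following PowerShell script is an added example, not part of the original advisory: it checks a Windows host, read-only, for each listed registry value and file, reports which are present, and flags registry values that exist under the listed name but carry different data (a variant may reuse the value name). It assumes only the paths and names listed on this page and resolves %WINDIR% from the environment; run it from an elevated prompt so that HKLM and the system directory are readable.

```powershell
# Added hunt script (not part of the original advisory): checks a host for the
# registry values and dropped files listed for W32/Autorun.worm!ju.
# Read-only: it reports findings and removes nothing.

$winDir = $env:WINDIR

# Registry indicators taken from the advisory: key path, value name, expected data.
$registryIndicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'Explorador'; Data = "$winDir\Hyden.dll.exe" },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'matriz';     Data = 'explorer.exe Twain32.dll.exe' },
    @{ Path = 'HKLM:\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs';     Name = 'Hyden';      Data = 'Hyden.dll.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'; Name = 'Hyden';      Data = 'Hyden.dll.exe' }
)

# Dropped-file indicators taken from the advisory.
$fileIndicators = @(
    "$winDir\system32\Explores.exe",
    "$winDir\system32\Hyden.dll.exe",
    "$winDir\system32\Twain32.dll.exe",
    "$winDir\Hyden.dll.exe",
    "$winDir\Twain32.dll.exe"
)

$findings = @()

foreach ($ind in $registryIndicators) {
    # A missing key or value is simply "not found", so suppress the error.
    $item = Get-ItemProperty -Path $ind.Path -Name $ind.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $actual = $item.($ind.Name)
        $findings += [pscustomobject]@{
            Type     = 'Registry'
            Location = "$($ind.Path)\$($ind.Name)"
            Observed = $actual
            # 'Exact' when the data matches the advisory; 'NameOnly' when the
            # value name exists with different data (worth a manual look).
            Match    = if ($actual -eq $ind.Data) { 'Exact' } else { 'NameOnly' }
        }
    }
}

foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $file = Get-Item -LiteralPath $path
        # Record size and SHA-256 so the sample can be matched against AV telemetry later.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Observed = "{0} bytes, SHA256 {1}" -f $file.Length, $hash
            Match    = 'Present'
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Autorun.worm!ju indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The KnownDLLs entries deserve particular attention in triage: that key normally lists DLL names that the session manager preloads, so a value whose data ends in .exe is anomalous on any host regardless of whether the rest of the indicators are present.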
