We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Worm:Win32/Autorun.gen!AED
Aliases: Win32/Hipo.worm.983552 (AhnLab) W32/Zbot.I.gen!Eldorado (Command) Worm.Win32.Hipo.a (Kaspersky) Hipo.A (Norman) Worm.Hipo!1sdKR0VhQdc (VirusBuster) Win32.HLLP.Autoruner (Dr.Web) Win32/Mocalo.NAC worm (ESET) Worm.Win32.Hipo (Ikarus) W32/Autorun.worm.beg (McAfee) WORM_STRAT.GEN-3 (Trend Micro)
Summary
Worm:Win32/Autorun.gen!AED is the worm component of Backdoor:Win32/Poison.E. Variants of Worm:Win32/Autorun usually spread using methods that include, but may not be limited to, copying themselves to removable or network drives, and placing an autorun.inf file in the root directory of each affected drive in an attempt to ensure that the worm is run when the removable drive is attached, or the network drive is visited from a remote system supporting the Autorun feature.
In the wild, Worm:Win32/Autorun.gen!AED has been observed to be packaged with two components: a clean application (usually a program called "Resource Hacker") and Backdoor:Win32/Poison.E. The package containing all three components is usually created by a tool detected as Virtool:Win32/Obfuscator.C.
To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Disable Autorun functionality
This threat attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling the Autorun functionality, please see the following article:
http://support.microsoft.com/kb/967715/
Additional remediation instructions for Worm:Win32/Autorun.gen!AED
This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s:
Viewing hidden and/or system files:
- For Windows 7: http://windows.microsoft.com/en-US/windows7/Show-hidden-files
- For Windows Vista: http://windows.microsoft.com/en-US/windows-vista/Show-hidden-files
- For Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/win_fcab_show_file_extensions.mspx?mfr=true
