W32/AutoIt-AI

Please follow the instructions for removing worms.

W32/AutoIt-AI grinds the system to a halt. Scanning and cleanup will be much faster if the user first kills the processes occupying 99% of CPU resources.

W32/AutoIt-AI is a worm for the Windows platform.

W32/AutoIt-AI includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/AutoIt-AI copies itself to:

<Windows>\regsvr.exe
<System>\regsvr.exe

and creates the following files:

<System>\setting.ini
<System>\setup.ini
<System>\28463\svchost.exe - detected as PUA Ardamax
<System>\svchost .exe (note the extra space character) - detected as PUA Ardamax

W32/AutoIt-AI creates the following files on removable storage devices connected to the infected computer:

<Root>\autorun.inf - detected as W32/AutoIt-O
<Root>\regsvr.exe - copy of W32/AutoIt-AI

The following registry entry is created to run regsvr.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Msn Messsenger
<System>\regsvr.exe

The following registry entry is changed to run regsvr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe regsvr.exe

The following registry entry is set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0

The malware uses a folder like icon in the hope that users with file extensions hidden in the folder options will accidently execute the malware when trying to open what looks like a folder.