Follow:

 

Worm:Win32/Ainslot.A


Microsoft security software detects and removes this threat.

This worm can make changes to your PC's security settings and contact a remote host for further instructions.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Disable Autorun

This threat tries to use the Windows Autorun function to spread via removable drives, like USB flash drives. You can disable Autorun to prevent worms from spreading:

Scan removable drives

Remember to scan any removable or portable drives. If you have Microsoft security software, see this topic on our software help page:

Remove program exceptions in the firewall

This threat might add itself to your Windows Firewall exception list. This means it can go online without being blocked. To remove it from the exception list, do the following:

For Windows 8 :

  1. Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall.
  2. In the left pane, tap or click Allow an app or feature through Windows Firewall.
  3. Tap or click Change settings. You might be asked for an admin password or to confirm your choice.
  4. Select the check box next to the app you want to allow, select the network types you want to allow communication on, and then click OK.

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you're prompted, type the password or provide confirmation.
  4. Click Change Settings. If you're prompted, type the password or provide confirmation.
  5. Select <program name> from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the menu on the left, select Windows Firewall.
  3. On the menu on the left, select Allow a program through Windows Firewall. If you are prompted, type the password or provide confirmation.
  4. Select <program name> from the list of allowed programs and features. Click Delete.
  5. Click OK.

For Windows XP:

  1. Use an administrator account to log on.
  2. Click Start, select Run, type wscui.cpl, and then click OK.
  3. In Windows Security Center, click Windows Firewall.
  4. On the Exceptions

 

Threat behavior

Installation

When run, Worm:Win32/Ainslot.A copies itself to %APPDATA%\winlogon.exe.

It changes the following registry entries to ensure that its copy runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Winlogon"
With data: "%APPDATA%\winlogon.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Winlogon"
With data: "%APPDATA%\winlogon.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "Winlogon"
With data: "%APPDATA%\winlogon.exe"

In subkey: HKLM\Software\Microsoft\Active setup\Installed components\{27de4d5a-faae-4f1c-c1d6-df3177fcda6a}
Sets value: "StubPath"
With data: "%APPDATA%\winlogon.exe"

It also creates this file in your PC as part of its installation routine:

Spreads via...

Removable drives

Worm:Win32/Ainslot.A can create the following copies on removable drives, like USB flash drives:

  • <targeted drive>:\<malware file>.exe
  • <targeted drive>:\autorun.ini

It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Changes system security settings

Worm:Win32/Ainslot.A adds itself to the list of applications that are authorized to access the Internet without being stopped by your firewall, by making the following registry change:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%APPDATA%\winlogon.exe"
With data: "%APPDATA%\winlogon.exe:*:enabled:windows messanger"

Contacts servers

Worm:Win32/Ainslot.A might contact a remote server at mem0rex.no-ip.info using port 6661. Commonly, malware do this to:

  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files (including updates or additional malware)
  • Receive instruction from a hacker
  • Upload data taken from your PC

This malware description was produced and published using our automated analysis system's examination of file SHA1 3a0875a40b7eeb2b3eb893cb029c434c7d44ce0d.


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
    %APPDATA%\winlogon.exe
  • You see these entries or keys in your registry:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Winlogon"
    With data: "%APPDATA%\winlogon.exe"

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Winlogon"
    With data: "%APPDATA%\winlogon.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    Sets value: "Winlogon"
    With data: "%APPDATA%\winlogon.exe"

    In subkey: HKLM\Software\Microsoft\Active setup\Installed components\{27de4d5a-faae-4f1c-c1d6-df3177fcda6a}
    Sets value: "StubPath"
    With data: "%APPDATA%\winlogon.exe"


Prevention


Alert level: Severe
First detected by definition: 1.95.1867.0
Latest detected by definition: 1.187.403.0 and higher
First detected on: Dec 15, 2010
This entry was first published on: Dec 24, 2010
This entry was updated on: Mar 14, 2014

This threat is also detected as:
  • TROJ_GEN.UAE171Y (Trend Micro)
  • Trojan.Win32.Swisyn.aedl (Kaspersky)