Worm:Win32/Autorun.VD is an AutoIt worm that spreads via removable drives and may download copies of itself from a remote Web site.
Worm:Win32/Autorun.VD may arrive in the system as several files with any of the following names:
Note that "lsass.exe", "smss.exe", and "svchost.exe" are also names used by legitimate Windows files located by default in the Windows system folder.
Worm:Win32/Autorun.VD also ensures that two of its copies automatically execute every time Windows starts by adding the following registry entry:
Adds value: "Userinit"
With data: "Userinit.exe,%windir%\AppPatch\smss.exe,%windir%\AppPatch\lsass.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
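A defender can check for this change by auditing the Userinit value data. The sketch below is an added example, not part of the original write-up: it flags any entry other than userinit.exe and calls out the system file names noted above when they sit outside the Windows system folder. The function names and the default Windows directory of C:\Windows are assumptions.

```python
import ntpath

# Names the write-up lists as shared with legitimate Windows system files.
SYSTEM_NAMES = {"lsass.exe", "smss.exe", "svchost.exe"}

def expand(entry, windir):
    """Expand %windir% / %SystemRoot% (any case) and normalise the path."""
    out = entry.strip().strip('"')
    for var in ("%windir%", "%systemroot%"):
        idx = out.lower().find(var)
        if idx != -1:
            out = out[:idx] + windir + out[idx + len(var):]
    return ntpath.normpath(out)

def audit_userinit(data, windir=r"C:\Windows"):
    """Return (entry, reason) pairs for suspicious entries in Userinit data.

    windir is an assumed default; pass the real Windows directory if it differs.
    """
    system32 = ntpath.join(windir, "System32").lower()
    findings = []
    for raw in data.split(","):
        if not raw.strip():
            continue  # the default value ends with a trailing comma
        path = expand(raw, windir)
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name == "userinit.exe" and folder in ("", system32):
            continue  # expected entry: bare name or the System32 copy
        if name in SYSTEM_NAMES and folder != system32:
            findings.append((raw.strip(), "system file name outside System32"))
        else:
            findings.append((raw.strip(), "unexpected program in Userinit"))
    return findings

if __name__ == "__main__":
    # Value data as given in the write-up above.
    infected = r"Userinit.exe,%windir%\AppPatch\smss.exe,%windir%\AppPatch\lsass.exe"
    for entry, reason in audit_userinit(infected):
        print(f"{reason}: {entry}")
```

On a live system the string to audit is the Userinit value read from the Winlogon subkey shown above; a clean installation normally holds only the userinit.exe path followed by a comma.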
Upon execution, Worm:Win32/Autorun.VD connects to the Web site "ro2games.3322.org" to download other copies of itself as the above-mentioned files (see the Installation section). At the time of this writing, the Web site it connects to is unavailable.
If the download is successful, Worm:Win32/Autorun.VD copies the downloaded files to all available removable drives using the following file names:
Analysis by Jireh Sanico