WEEKLY REVIEW

Dangerous Trojan Activity This Week

This weeks e-threat activity has focused on dangerous trojans and variations of already public exploits. They make use of still unpatched vulnerabilities in order to spread malware.
The first e-threat we are going to look at is Win32.Worm.Autoit.AL, which is a worm that impersonates a friendly malware removing application. It copies itself into %programfiles%FlashGuardFlashGuard.exe and creates a readme.txt file which contains the following lines:

“This tiny software is used to protect removable storage devices from worms that are spread from one PC to another. ”

It creates registry keys to execute at system startup. It checks for the existence of various processes that are supposed to be malware and kills them. It also removes all files from