Win32.Worm.AutoIt.Z removal instruction

Win32.Worm.AutoIt.Z is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows a complete scan and cleanup of your PC during the trial period.
6-day free trial available.

What can the Win32.Worm.AutoIt.Z virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Anomalous file deletion behavior detected (10+)
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • Creates an autorun.inf file
  • Authenticode signature is invalid
  • Attempts to modify desktop wallpaper
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Checks for the presence of known devices from debuggers and forensic tools
  • Detects the presence of Windows Defender AV emulator via files
  • Attempts to disable System Restore
  • Attempts to disable Windows File Protection aka System File Checker.
  • Harvests cookies for information gathering
  • Attempts to modify or disable Security Center warnings
  • Attempts to modify Explorer settings to prevent file extensions from being displayed
  • Attempts to modify Explorer settings to prevent hidden files from being displayed

How to identify Win32.Worm.AutoIt.Z?

File Info:

name: 0BC4A71ED5671D827770.mlw
path: /opt/CAPEv2/storage/binaries/2e300f78263624727402b1d8585ba74b04cd51b4fcdeade171751b74df4be74c
crc32: 89D9EA39
md5: 0bc4a71ed5671d82777048b3df610a6d
sha1: c47bfa4578e04271d33bda4ee889148fce0e7941
sha256: 2e300f78263624727402b1d8585ba74b04cd51b4fcdeade171751b74df4be74c
sha512: 737a7447099f7e29200c0ebe3ac080bb4e4bf61c1d6421ecca5083407f17529554835ea3f746141641aa17ecf8b1f124f51aa97cf9f44c26a97c7e17484d3e30
ssdeep: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T130B4AE2276E1B0B2E96325F00F76D728E777BC3456359447A7C02E8BAA30951973B363
sha3_384: 38d00ca3bc3f6bef1b5639d263a6a4ff31bbd7f9178e50f5faa39974fe46830f6663d0e6e61749a07302bc77f60a4b05
ep_bytes: e858b10000e917feffffb8abe44500a3
timestamp: 2007-09-10 14:57:50

Version Info:

FileDescription:
FileVersion: 6
Virus:
Translation: 0x0809 0x04b0

Win32.Worm.AutoIt.Z also known as:

Bkav: W32.AIDetect.malware2
tehtris: Generic.Malware
MicroWorld-eScan: Win32.Worm.AutoIt.Z
FireEye: Generic.mg.0bc4a71ed5671d82
CAT-QuickHeal: Worm.AutoIt.Yuner.A
ALYac: Win32.Worm.AutoIt.Z
Cylance: Unsafe
Sangfor: Virus.Win32.Save.a
K7AntiVirus: Trojan ( 005506171 )
K7GW: Trojan ( 005506171 )
Cybereason: malicious.ed5671
BitDefenderTheta: AI:Packer.DD8F3AD118
VirIT: Worm.Win32.Autoit.ZNM
Cyren: AI/KillAV.A
Symantec: Trojan Horse
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win32/Yuner.B
Baidu: AutoIt.Worm.Yuner.a
TrendMicro-HouseCall: Mal_SHND-5
ClamAV: Win.Worm.Autoit-6803981-0
Kaspersky: Worm.Win32.AutoRun.but
BitDefender: Win32.Worm.AutoIt.Z
NANO-Antivirus: Trojan.Script.Agent.dbvlfz
SUPERAntiSpyware: Trojan.Agent/Gen-Autorun
Avast: AutoIt:Dropper-D [Drp]
Tencent: Worm.Win32.AutoRun.f
Ad-Aware: Win32.Worm.AutoIt.Z
TACHYON: Worm/W32.AutoRun.525840.B
Emsisoft: Win32.Worm.AutoIt.Z (B)
Comodo: Worm.Win32.Yuner.B@533776
DrWeb: Win32.HLLW.Autoruner.7343
Zillya: Worm.AutoRun.Win32.5413
TrendMicro: Mal_SHND-5
McAfee-GW-Edition: BehavesLike.Win32.Yahlover.hh
Sophos: ML/PE-A + W32/Sohana-CU
APEX: Malicious
GData: Win32.Worm.Yuner.MDYUYH
Jiangmin: TrojanDownloader.JS.hi
Webroot: W32.Yuner.Gen
Avira: WORM/AutoIt.10019
ViRobot: Worm.Win32.Autorun.524620
Microsoft: PWS:Win32/Zbot!ml
Cynet: Malicious (score: 100)
AhnLab-V3: Worm/Win32.Hybris.R3751
McAfee: W32/Yahlover.worm.gen.d
MAX: malware (ai score=89)
VBA32: Trojan.Yuner.19105
Malwarebytes: Malware.AI.2448720618
Rising: Malware.FakeDOC/ICON!1.9C3B (CLASSIC)
Yandex: Trojan.Autoit.Gen.IN
Ikarus: Worm.Win32.AutoRun
MaxSecure: Worm.AutoRun.but
Fortinet: W32/AutoRun.BUT!worm
AVG: AutoIt:Dropper-D [Drp]
Panda: Trj/Autoit.gen
CrowdStrike: win/malicious_confidence_100% (W)

How to remove Win32.Worm.AutoIt.Z?

Win32.Worm.AutoIt.Z removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select the proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.