Worm

What is “Worm.Win32.AutoRun.efi”?

Malware Removal

The Worm.Win32.AutoRun.efi is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Worm.Win32.AutoRun.efi virus can do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Creates an autorun.inf file
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Attempts to restart the guest VM
  • Installs itself for autorun at Windows startup
  • Disables host Context Menu in Taskbar and Start
  • Attempts to disable or modify Explorer Folder Options
  • Disables host Power options (shutdown, logoff, lock, change password)
  • Attempts to disable or modify the Run command from the Start menu and the New Task (Run) command from Task Manager
  • Attempts to disable System Restore
  • Attempts to modify or disable Security Center warnings
  • Creates a known Scarab-Dharma ransomware decryption instruction / key file.
  • Anomalous binary characteristics
  • Attempts to modify Explorer settings to prevent file extensions from being displayed
  • Attempts to modify Explorer settings to prevent hidden files from being displayed
  • Uses suspicious command line tools or Windows utilities

How to determine Worm.Win32.AutoRun.efi?



File Info:

name: 6FCF65CC4A4E9942656C.mlw
path: /opt/CAPEv2/storage/binaries/a220b0db272c2602fb710606b0424e07bf0daf6d53e6dee9c0bc63e55de1cc4a
crc32: 33D0FE0B
md5: 6fcf65cc4a4e9942656c489408bbcd4f
sha1: 31aa4593eae431a49c665471a7572fd25ebc366a
sha256: a220b0db272c2602fb710606b0424e07bf0daf6d53e6dee9c0bc63e55de1cc4a
sha512: a5aab20da48c0ee44584418239dd01368fcd2290c4ce6207ad421a45c5011bd405e37d38f342de6e73b6c82efb5cbc71362f9ca87e1e1dfd944a0af8d835a9aa
ssdeep: 98304:guYYYYRYYYYRYYYYRYYYYUuYYYYRYYYYRYYYYRYYYYMuYYYYRYYYYRYYYYRYYYYp:9
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T1CB26CE4376238419F6A4C83D8D02466D82863F328D177CAB61993F7B3E3A0D76E56772
sha3_384: 6499b78b94b51eccd7ff8edb263df007b694d6f9db22a62271bccda79f93983daf70a1473e176421331849bf29764698
ep_bytes: b840b846005064ff3500000000648925
timestamp: 2008-05-16 04:00:12


Version Info:

Translation: 0x0409 0x04b0
ProductName: BlackHole
FileVersion: 0.00
ProductVersion: 0.00
InternalName: BlackHole
OriginalFilename: BlackHole.exe

Worm.Win32.AutoRun.efi also known as:

BkavW32.AIDetect.malware2
Elasticmalicious (high confidence)
ClamAVLegacy.Trojan.Agent-1388588
FireEyeGeneric.mg.6fcf65cc4a4e9942
McAfeeGenericRXAA-AA!6FCF65CC4A4E
CylanceUnsafe
SangforTrojan.Win32.Save.a
K7AntiVirusTrojan ( 0040f6141 )
BitDefenderGen:Trojan.Heur.@l3frDAUi!mib
K7GWTrojan ( 0040f6141 )
Cybereasonmalicious.c4a4e9
BaiduWin32.Worm.VB.k
VirITWorm.Win32.Generic.AJRP
CyrenW32/Worm.FRMW-9132
ESET-NOD32Win32/AutoRun.VB.YF
APEXMalicious
AvastWin32:Trojan-gen
CynetMalicious (score: 100)
KasperskyWorm.Win32.AutoRun.efi
NANO-AntivirusTrojan.Win32.AutoRun.bntuw
ViRobotWorm.Win32.Autorun.71680.J
MicroWorld-eScanGen:Trojan.Heur.@l3frDAUi!mib
RisingWorm.VBInjectEx!1.99E6 (RDMK:cmRtazpL7rhUJlmjTl3+thC/MRvT)
Ad-AwareGen:Trojan.Heur.@l3frDAUi!mib
EmsisoftGen:Trojan.Heur.@l3frDAUi!mib (B)
ComodoWorm.Win32.Autorun.~NIK@1k3g94
DrWebWin32.HLLW.Autoruner1.34449
VIPREWorm.Win32.Autorun.efi (v)
TrendMicroPAK_Otorun8
McAfee-GW-EditionBehavesLike.Win32.Generic.rc
SophosML/PE-A + Mal/VB-F
SentinelOneStatic AI – Malicious PE
GDataGen:Trojan.Heur.@l3frDAUi!mib
JiangminWorm/AutoRun.ikr
AviraTR/Crypt.CFI.Gen
Antiy-AVLTrojan/Generic.ASMalwS.18D54D
ArcabitTrojan.Heur.ECD18CE
ZoneAlarmWorm.Win32.AutoRun.efi
MicrosoftTrojan:Win32/Sabsik.FL.B!ml
AhnLab-V3Worm/Win32.AutoRun.R50265
BitDefenderThetaAI:Packer.5FD9CB671D
ALYacGen:Trojan.Heur.@l3frDAUi!mib
MAXmalware (ai score=89)
VBA32Trojan.VB.gen
MalwarebytesMalware.AI.1217022996
PandaGeneric Malware
TrendMicro-HouseCallPAK_Otorun8
TencentWorm.Win32.Autorun.aax
YandexTrojan.GenAsa!6rQOIinMt0s
FortinetW32/Generic.AC.43B5!tr
AVGWin32:Trojan-gen
CrowdStrikewin/malicious_confidence_100% (D)

How to remove Worm.Win32.AutoRun.efi?

Worm.Win32.AutoRun.efi removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment