Worm

Worm:Win32/Autorun.LD removal

Malware Removal

The Worm:Win32/Autorun.LD is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Worm:Win32/Autorun.LD virus can do?

  • Behavioural detection: Executable code extraction – unpacking
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Dynamic (imported) function loading detected
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Creates an autorun.inf file
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Attempts to restart the guest VM
  • Installs itself for autorun at Windows startup
  • Disables host Context Menu in Taskbar and Start
  • Attempts to disable or modify Explorer Folder Options
  • Disables host Power options (shutdown, logoff, lock, change password)
  • Attempts to disable or modify the Run command from the Start menu and the New Task (Run) command from Task Manager
  • Attempts to disable System Restore
  • Attempts to modify or disable Security Center warnings
  • Creates a known Scarab-Dharma ransomware decryption instruction / key file.
  • Anomalous binary characteristics
  • Attempts to modify Explorer settings to prevent file extensions from being displayed
  • Attempts to modify Explorer settings to prevent hidden files from being displayed

How to determine Worm:Win32/Autorun.LD?



File Info:

name: 2144314EB81B60BFD8B9.mlw
path: /opt/CAPEv2/storage/binaries/561166f75f1b5404b2b3567ad4cdba886ae0404dbd081e4c9cc129dd799c76d9
crc32: 4357122D
md5: 2144314eb81b60bfd8b9f8c198bf20d3
sha1: 459881f9546e274daf12c0d3a545bb5d4e368c1c
sha256: 561166f75f1b5404b2b3567ad4cdba886ae0404dbd081e4c9cc129dd799c76d9
sha512: ad8f8022a9987ea871c273033006f4ede0553268dd09e0f6073383861e8da24dae76c0d5f194990b527c9f8b704f2967e08259b4f3b098c94e5f1fa3211fd392
ssdeep: 1536:1LHIlfH7Q6qRBwWa2qxQFZA+j6lWWw+9yLHIlfH7Q6qRBwWa2qxQFZA+j6p:1oS6qcWjqazp6dRcoS6qcWjqazp6p
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T109C3D0437222841DF7A09878C9434A5E829A3F328917B87B64593F3B3E3D1D76F91672
sha3_384: 9d44a635781d236f260e3e1ab686726f0b56ea2152c1fd503728122f557d6251dc81a77d4aa6f6c2d6f42208b608f3d0
ep_bytes: b840b846005064ff3500000000648925
timestamp: 2008-05-16 04:00:12


Version Info:

Translation: 0x0409 0x04b0
ProductName: BlackHole
FileVersion: 0.00
ProductVersion: 0.00
InternalName: BlackHole
OriginalFilename: BlackHole.exe

Worm:Win32/Autorun.LD also known as:

BkavW32.AIDetect.malware2
LionicWorm.Win32.AutoRun.l7CB
Elasticmalicious (high confidence)
MicroWorld-eScanGen:Trojan.Heur.hi3frDAUi!mib
FireEyeGeneric.mg.2144314eb81b60bf
McAfeeGenericRXAA-AA!2144314EB81B
MalwarebytesMalware.AI.1217022996
VIPREWorm.Win32.Autorun.efi (v)
SangforTrojan.Win32.Save.a
K7AntiVirusTrojan ( 0040f6141 )
AlibabaTrojan:Win32/Starter.ali2000005
K7GWTrojan ( 0040f6141 )
Cybereasonmalicious.eb81b6
BitDefenderThetaAI:Packer.2E0724EF1D
VirITWorm.Win32.Generic.AJRP
CyrenW32/Worm.FRMW-9132
ESET-NOD32Win32/AutoRun.VB.YF
BaiduWin32.Worm.VB.k
APEXMalicious
Paloaltogeneric.ml
ClamAVLegacy.Trojan.Agent-1388588
KasperskyWorm.Win32.AutoRun.efi
BitDefenderGen:Trojan.Heur.hi3frDAUi!mib
NANO-AntivirusTrojan.Win32.AutoRun.bntuw
AvastWin32:Trojan-gen
TencentWorm.Win32.Autorun.aax
SophosML/PE-A + Mal/VB-F
ComodoWorm.Win32.Autorun.~NIK@1k3g94
DrWebWin32.HLLW.Autoruner1.34449
TrendMicroTROJ_GEN.R002C0DB322
McAfee-GW-EditionBehavesLike.Win32.Generic.cc
EmsisoftGen:Trojan.Heur.hi3frDAUi!mib (B)
SentinelOneStatic AI – Malicious PE
JiangminWorm/AutoRun.ikr
AviraTR/Crypt.CFI.Gen
Antiy-AVLTrojan/Generic.ASMalwS.18D54D
GridinsoftRansom.Win32.Sabsik.sa
MicrosoftWorm:Win32/Autorun.LD
ViRobotWorm.Win32.Autorun.71680.J
ZoneAlarmWorm.Win32.AutoRun.efi
GDataGen:Trojan.Heur.hi3frDAUi!mib
CynetMalicious (score: 100)
AhnLab-V3Worm/Win32.AutoRun.R50265
VBA32Trojan.VB.gen
ALYacGen:Trojan.Heur.hi3frDAUi!mib
MAXmalware (ai score=89)
CylanceUnsafe
TrendMicro-HouseCallTROJ_GEN.R002C0DB322
RisingWorm.VBInjectEx!1.99E6 (CLOUD)
IkarusEmail-Worm.Win32.Brontok
MaxSecureTrojan.Malware.300983.susgen
FortinetW32/Generic.AC.43B5!tr
AVGWin32:Trojan-gen
PandaGeneric Malware
CrowdStrikewin/malicious_confidence_100% (W)

How to remove Worm:Win32/Autorun.LD?

Worm:Win32/Autorun.LD removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

You may also like

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

View all posts

Leave a Comment