Win32:Rootkit-gen [Rtk] found on AutoRun.exe of my 3G mobile broadband modem!

I turned on my computer today, and Avast detected malware called
Win32:Rootkit-gen [Rtk] in a file named G:\AutoRun.exe.
I automatically pressed delete, but the action failed; even the “move to chest” option failed as well.

So I went and looked for this G:\AutoRun.exe file
and found that it is actually the autorun file of my 3G mobile broadband modem (Huawei).

I’ve had this modem for about a year already, and this is the first time I’ve been told that there’s malware inside.

Is it a false alarm, or what should I do then?

Thanks for your help!

Upload the file to VirusTotal and post the results.

http://www.virustotal.com/analisis/0d7f5047dc75b0c1a2bf301605682ccf

Is this the right one?
Thank you very much!

False positive. Send the file in a password-protected zip folder to virus@avast.com with “false positive” in the subject and the password in the email body.

Hi gjnllh,

Establish whether it is malware by checking it against this analysis of the known malware variant of AutoRun.exe:

  1. COVERT ANALYSIS OF: AUTORUN.EXE

    • File Names Used: 20
    • Paths Used: 60
    • Common File Name: AUTORUN.EXE
    • Common Path: ?:\recycler\recycler\
    • Vendor Information: No Vendor details specified
    • Version Information: 1, 0, 0, 1
    • AUTORUN.EXE may use 20 or more path and file names, these are the most common:
    • 1 :%appdata%\microsoft\onecare protection\localcopy{193FBA3C-6253-4F46-B309-8EF…EXE
    • 2 :%appdata%\microsoft\onecare protection\localcopy{54B04E19-AC3C-4D2B-8F0B-2FB…EXE
    • 3 :%appdata%\microsoft\onecare protection\localcopy{6AA98007-BC12-4B4B-B518-5C8…EXE
    • 4 :%appdata%\microsoft\onecare protection\localcopy{74ED466B-E530-418C-8CA7-50E…EXE
    • 5 :%appdata%\microsoft\onecare protection\localcopy{89A4141D-1008-4502-9740-4BF…EXE
    • 6 :%appdata%\microsoft\onecare protection\localcopy{8B7B51DD-8E00-4A70-9310-143…EXE
    • 7 :%appdata%\microsoft\onecare protection\localcopy{AC0DA932-F122-4FC8-9F14-9CF…EXE
    • 8 :%windir%\system32\bak\KOFCPFWSVCS.EXE
    • 9 :%WINDIR%\SYSTEM32\KOFCPF~1.EXE
    • 10:%WINDIR%\SYSTEM32\KOFCPFWSVCS.EXE
    • 11:?:!killbox\KOFCPFWSVCS.EXE
    • 12:?:!killbox\KOFCPFWSVCS.EXE( 1)
    • 13:?:\000900
    • File Name Structure: Normal
    • File and Path Structure: Suspicious, unusually high number of file and path combinations
  2. RELATIONSHIP ANALYSIS OF: AUTORUN.EXE

    • Malicious Objects Created: 5 objects
    • Malicious Creators: 12
    • Malware Run Keys: None
    • Self Persists:
    • Antivirus Detection: No third party antivirus detection observed
    • Anti-Spyware Detection: No third party anti-spyware detection observed
  3. ACTIVITY ANALYSIS OF: AUTORUN.EXE

    • The following behaviors have been observed for this object:
    • Installs programs.
    • Deletes programs.
    • Invokes dll components.
    • Registers Browser Help Objects.
    • Creates Run Keys.
    • Modifies the hosts file.
    • Runs temporary programs.
    • Runs other programs.
    • Communicates with web sites using httpout protocols.
    • Hijacks running processes.
    • Creates known malware.
    • Creates copies of itself.
  4. PROPAGATION ANALYSIS OF: AUTORUN.EXE

    • Malware Group Propagation Rate: Moderate (spreading)
    • Malware Group: Covert Sys Exec
    • Copyright Prevx Limited 2005, 2006

polonus

Thanks a lot for your help!! ;D

I also have this problem: Win32:Rootkit-gen [rtk] found in autorun.exe. However, I can’t send it to VirusTotal or put it into a zip folder, because I receive a message saying that this file (autorun.exe) is empty. But when I look at it, it’s definitely not empty (76 KB).

What to do?
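Two things in this thread are worth checking with a script rather than by eye: whether a file the tool calls "empty" can actually be read in full (the size Explorer shows versus the bytes a normal read returns), and what its hashes are, since a hash can be searched on VirusTotal without uploading the file at all. The following is an added example, not code from any poster in this thread or from Avast; it writes a small constructed sample to a temporary directory so it runs offline, and `triage_file` is a name chosen here, not a tool the posts mention.

```python
import hashlib
import os
import tempfile

# Constructed sample: a tiny MZ-headed blob standing in for an executable.
# It is NOT the modem's AutoRun.exe; it exists only so the script runs offline.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed sample body, not a real PE\n"


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string (used to cross-check triage_file)."""
    return hashlib.sha256(data).hexdigest()


def triage_file(path, chunk_size=65536):
    """Report size on disk, bytes actually readable, MD5/SHA-1/SHA-256 and an MZ-magic flag.

    A mismatch between size_on_disk and bytes_read (or bytes_read == 0 on a
    file that Explorer shows as 76 KB) is the situation numb describes above:
    the scanner or archiver is reading zero bytes even though the directory
    entry reports a size. The hashes let you look the file up on VirusTotal
    by hash instead of uploading it.
    """
    size_on_disk = os.path.getsize(path)
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    bytes_read = 0
    first_two = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            if bytes_read == 0:
                first_two = chunk[:2]  # "MZ" is the DOS header magic of a PE file
            bytes_read += len(chunk)
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {
        "size_on_disk": size_on_disk,
        "bytes_read": bytes_read,
        # readable is True only when every byte the directory entry claims was returned
        "readable": bytes_read > 0 and bytes_read == size_on_disk,
        "looks_like_pe": first_two == b"MZ",
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def write_sample(data=SAMPLE_BYTES, name="autorun_sample.bin"):
    """Write the constructed sample into a fresh temp directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(prefix="autorun_triage_"), name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Replace with the real path, e.g. r"G:\AutoRun.exe", when triaging a live file.
    report = triage_file(write_sample())
    for key, value in report.items():
        print(f"{key:14} {value}")
```

If `readable` comes back False on the real file, the problem is with reading the file, not with the file's contents, so copying it elsewhere first (or reading it from an administrator prompt) is the thing to try before concluding it is empty; if it comes back True, the SHA-256 can be pasted into the VirusTotal search box to see whether the sample is already known.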

Dear numb,
first run the MBAM and SAS scans mentioned above while awaiting a more definitive answer.
There are several pieces of autorun malware.