File Name: autorun.exe

VirusTotal Result: 4/32 (12.5%)
  Engine       Version      Update      Result
  BitDefender  7.2          2008.04.21  BehavesLike:Win32.Malware
  Ikarus       T3.1.1.26.0  2008.04.21  BehavesLike.Win32.Malware
  Norman       5.80.02      2008.04.18  W32/Malware.CRSG
  Prevx1       V2           2008.04.21  Worm.Mytob.Gen

File Info:
  File size: 1124669 bytes
  MD5...: 7ac38e256898b95ab4eb6ead32445c39
  SHA1..: cd28430277e32d2bbe9a4a493f1491684a9a3ce5
  SHA256: bbdbd322820b0e6f6acf4f1398b9b927c9d7176dd347d58dac2a8ca4277cf853
  SHA512: 28dd3bcdb1df018c389cf55f61dca6b4cd2ed6993a57fa73c5f334654f1a10ab830bb3cd541dfea7518fe803c795b4b23a8f4d46a1d0775df6936332addefa91

***** PE Header ****************************************************
  Signature:                   00004550
  Machine:                     014C - Intel 386
  Number of sections:          0004
  Time/Date stamp:             47CC0EF9
  Pointer to symbol table:     00000000
  Number of symbols:           00000000
  Size of optional header:     00E0
  Characteristics:             0103
  Magic:                       010B
  Linker version (major):      08
  Linker version (minor):      00
  Size of code:                0000A000
  Size of initialized data:    00010200
  Size of uninitialized data:  00000000
  Address of entry point:      00003909
  Base of code:                00001000
  Base of data:                0000B000
  Image base:                  00400000
  Section alignment:           00001000
  File alignment:              00000200
  OS version (major):          0004
  OS version (minor):          0000
  Image version (major):       0000
  Image version (minor):       0000
  Sub system version (major):  0004
  Sub system version (minor):  0000
  Win32 version:               00000000
  Size of image:               0001D000
  Size of headers:             00000400
  Checksum:                    0001EACB
  Sub system:                  0002 - Windows graphical user interface (GUI) subsystem
  DLL characteristics:         0000
  Size of stack reserve:       00100000
  Size of stack commit:        00001000
  Size of heap reserve:        00100000
  Size of heap commit:         00001000
  Loader flags:                00000000
  Number of RVA:               00000010

***** PE Structure *************************************************
  entry point address.: 0x403909
  time date stamp.....: 0x47cc0ef9 (Mon Mar 03 14:45:13 2008)
  machine type........: 0x14c (I386)

***** PE Sections **************************************************
  Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
  .text    00009F80  00001000  0000A000  00000400  60000020
  .rdata   00002B6A  0000B000  00002C00  0000A400  40000040
  .data    00001C78  0000E000  00000E00  0000D000  C0000040
  .rsrc    0000C650  00010000  0000C800  0000DE00  40000040

Imports:
  > PSAPI.DLL: EnumProcesses, GetModuleFileNameExA, EnumProcessModules
  > ADVAPI32.dll: RegOpenKeyExA, InitiateSystemShutdownExA, RegConnectRegistryA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegEnumValueA
  > KERNEL32.dll: TlsFree, SetEnvironmentVariableA, InterlockedExchange, MultiByteToWideChar, WideCharToMultiByte, GetLastError, CloseHandle, GetModuleFileNameA, CreateFileA, ReadFile, GetEnvironmentVariableA, CompareStringA, CompareStringW, CreateProcessA, FindFirstFileA, GetFileAttributesA, SetFileAttributesA, CopyFileA, WriteFile, GetFileSizeEx, Sleep, SetFilePointer, FindNextFileA, FindClose, ExitProcess, OpenProcess, GetACP, GetLocaleInfoA, GetThreadLocale, GetVersionExA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, HeapSize, GetOEMCP, LoadLibraryA, RtlUnwind, InitializeCriticalSection, GetCPInfo, GetCurrentProcessId, TlsSetValue, GetTickCount, QueryPerformanceCounter, InterlockedDecrement, GetCurrentThreadId, SetLastError, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, VirtualAlloc, GetProcAddress, GetModuleHandleA, HeapReAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetTimeZoneInformation, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, InterlockedIncrement
  > USER32.dll: DefWindowProcA, DestroyWindow, UpdateWindow, ShowWindow, CreateWindowExA, RegisterClassExA, LoadCursorA, LoadIconA, TranslateAcceleratorA, BeginPaint, wsprintfA, TranslateMessage, DispatchMessageA, GetMessageA, LoadStringA, EndPaint, PostQuitMessage, LoadAcceleratorsA, SetTimer

Process Details:
  Filename:     autorun.exe
  MD5:          7ac38e256898b95ab4eb6ead32445c39
  SHA-1:        cd28430277e32d2bbe9a4a493f1491684a9a3ce5
  File Size:    1124669 Bytes
  Command Line: C:\autorun.exe

Load Time DLL:
  Module Name                            Base Address  Size
  C:\WINDOWS\system32\ntdll.dll          0x7C900000    0x000B0000
  C:\WINDOWS\system32\kernel32.dll       0x7C800000    0x000F5000
  C:\WINDOWS\system32\PSAPI.DLL          0x76BF0000    0x0000B000
  C:\WINDOWS\system32\ADVAPI32.dll       0x77DD0000    0x0009B000
  C:\WINDOWS\system32\RPCRT4.dll         0x77E70000    0x00092000
  C:\WINDOWS\system32\Secur32.dll        0x77FE0000    0x00011000
  C:\WINDOWS\system32\USER32.dll         0x7E410000    0x00090000
  C:\WINDOWS\system32\GDI32.dll          0x77F10000    0x00047000
  C:\WINDOWS\system32\IMM32.DLL          0x76390000    0x0001D000

Run Time DLL:
  Module Name                            Base Address  Size
  C:\WINDOWS\system32\MSCTF.dll          0x74720000    0x0004B000
  C:\WINDOWS\system32\msctfime.ime       0x755C0000    0x0002E000
  C:\WINDOWS\system32\ole32.dll          0x774E0000    0x0013D000
  C:\WINDOWS\system32\version.dll        0x77C00000    0x00008000
  C:\WINDOWS\system32\msvcrt.dll         0x77C10000    0x00058000

Registry Entries Created:
  Key                                                    Name      Value         Times
  HKLM\Software\Microsoft\CTF\SystemShared               CUAS      0             1
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM  Ime File  msctfime.ime  1

Files Created:
  C:\WINDOWS\System32\tmp.exe
  C:\autorun.exe

Process Accessed:
  Process: C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
  Process: C:\WINDOWS\explorer.exe
  Process: C:\WINDOWS\system32\cmd.exe
  Process: C:\WINDOWS\system32\ctfmon.exe
  Process: C:\WINDOWS\system32\ftvmdmsrv.exe
  Process: C:\WINDOWS\system32\lsass.exe
  Process: C:\WINDOWS\system32\services.exe
  Process: C:\WINDOWS\system32\smss.exe
  Process: C:\WINDOWS\system32\spoolsv.exe
  Process: C:\WINDOWS\system32\svchost.exe
  Process: C:\WINDOWS\system32\winlogon.exe
  Process: C:\WINDOWS\system32\wscntfy.exe
  Process: C:\WINDOWS\system32\wuauclt.exe
  Process: C:\exec\popupKiller.exe
  Process: C:\autorun.exe

Extra Info:
-----------
Strings in the binary reveal the following information:
  hxxp://www.Win2Farsi.com
  Email: Win2Farsi@yahoo.com
  Mohammad Reza Tavakoli-Sh.Salehi
  Mob: 09131161242
  MYPENDRIVEDETECT  <-- Note: this virus spreads via USB removable drives.

Creates copies of itself with the file names:
  tmp.exe
  Shahrokh.exe
  autorun.exe
  mspaint.exe
  cmd.exe
  explorer.exe
  Service.exe
  tc.exe
  devenv.exe
  iexplore.exe
  autorun.inf

Changes folder settings to hide files (related strings: Folder, Hidden, SHOWALL, CheckedValue, DefaultValue)