W32/Winko.worm is malware that spreads through computer drives using the common autorun.inf method. In addition, it aggressively downloads and installs several pieces of malware from various websites.

When the worm is run, it copies itself into the system32 folder and modifies the system registry so that it survives a reboot and is executed automatically every time Windows starts. It then drops a DLL component in the system32 folder and injects it into various processes.

It also tries to propagate to available drives by creating an autorun.inf file in each drive's root folder that executes the worm automatically, and by copying itself there under various filenames, including "auto.exe", "rising.exe" and more.
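
A defender can triage an autorun.inf found in a drive root by checking whether it launches a program and whether the target matches the file names listed above. The following is an added example, not part of the original write-up: the function names are hypothetical, the sample files are constructed, and the name list covers only the two names this description gives.

```python
import re

# Keys in an [autorun] section that cause a program to run.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# File names this description lists for the worm's copies (not exhaustive).
KNOWN_NAMES = {"auto.exe", "rising.exe"}
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if EXEC_KEYS.match(key):
                entries.append((key.lower(), value))
    return entries

def target_name(command):
    """Extract the launched file's base name from a command string."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]  # quoted path may contain spaces
    else:
        path = cmd.split()[0] if cmd.split() else ""
    return re.split(r"[\\/]", path)[-1].lower()

def assess(text):
    """Classify an autorun.inf: 'known-name', 'executes-program' or 'no-exec'."""
    names = [target_name(v) for _, v in parse_autorun(text)]
    if any(n in KNOWN_NAMES for n in names):
        return "known-name"
    if any(n.endswith(EXEC_EXT) for n in names):
        return "executes-program"
    return "no-exec"

# Constructed sample files, for illustration only.
SAMPLE_WORM = "[AutoRun]\r\nopen=auto.exe\r\nshell\\open\\Command=rising.exe\r\n"
SAMPLE_BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup disk\n"
SAMPLE_OTHER = '; junk\n[autorun]\nshellexecute="tools\\run me.exe" /s\n'
```

A "known-name" result is only a file-name match and should be confirmed by scanning the referenced file; "executes-program" on removable media is worth reviewing even when the name is unfamiliar.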


The DLL component of the worm connects to a specific website controlled by the malware author to download a file called "update.txt", which contains the list of URLs for additional malware components that are downloaded and started in turn. The "update.txt" file is frequently updated by the malware author.

The downloaded malware is, at the moment, mostly composed of password stealing Trojans.

More information can be found at this McAfee page.