W32/Antinny.Au is a worm that infects Windows systems.

Upon execution, the worm copies the following files:

  • svchost.exe in the Windows System\Microsoft folder,
  • winsm.exe in the Windows System folder,
  • [RANDOM].exe in the Windows Temp folder.

It modifies the registry at the following location to load itself during each startup:


It also disables System Restore.

The worm attempts to end the following processes:

  • Windows Task Manager (Japanese version)
  • ProcessWalker
  • Process Explorer

It also creates the WindowsSecurityManager service.

The worm checks the current date periodically. If the day is Monday and the date is between the 1st and 6th of the month, the worm may perform a denial-of-service attack against the following Web sites.


More information can be found at this Proland Software page.
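The host indicators and the date condition described above can be turned into a triage check. The following is an added example, not code from the original advisory; it assumes the "Windows System folder" is `C:\Windows\System32` and the "Windows Temp folder" is `C:\Windows\Temp`, reads "between the 1st and 6th" as inclusive, and uses a constructed inventory and hypothetical function names.

```python
import ntpath
from datetime import date

# Assumptions (not stated on the page): System folder = C:\Windows\System32,
# Temp folder = C:\Windows\Temp. Adjust both for the host being checked.
SYSTEM_DIR = r"C:\Windows\System32"
TEMP_DIR = r"C:\Windows\Temp"
SERVICE_NAME = "WindowsSecurityManager"

def _norm(path):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(ntpath.normpath(path))

def triage(files, services):
    """Return (indicator, evidence) pairs found in a host inventory."""
    dropped = {
        _norm(ntpath.join(SYSTEM_DIR, "Microsoft", "svchost.exe")):
            "svchost.exe copy in System\\Microsoft",
        _norm(ntpath.join(SYSTEM_DIR, "winsm.exe")): "winsm.exe in System folder",
    }
    temp = _norm(TEMP_DIR)
    hits = []
    for f in files:
        n = _norm(f)
        if n in dropped:
            hits.append((dropped[n], f))
        elif ntpath.dirname(n) == temp and n.endswith(".exe"):
            # The dropped name is random, so this is only a weak signal.
            hits.append(("executable in Temp (weak)", f))
    for s in services:
        if s.lower() == SERVICE_NAME.lower():
            hits.append(("WindowsSecurityManager service", s))
    return hits

def in_dos_window(day):
    """True when the described date condition holds (1st to 6th inclusive)."""
    return day.weekday() == 0 and 1 <= day.day <= 6

# Constructed inventory for illustration, not taken from a real host.
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",           # legitimate location, no hit
    r"C:\WINDOWS\system32\Microsoft\svchost.exe",
    r"C:\Windows\System32\winsm.exe",
    r"C:\Windows\Temp\qzkfw.exe",
]
SAMPLE_SERVICES = ["Dhcp", "WindowsSecurityManager"]

if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"{indicator}: {evidence}")
```

The date condition is not the same as "first Monday of the month": when the first Monday falls on the 7th, the condition does not hold at all in that month.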