W32/AutoRun.Cft is a worm that will infect Windows systems and spreads through removable drive.

The worm will arrive as a dropped file from the network or removable drive.

Upon execution, the worm copies itself as Logonsvc.exe, NetLogonsvc.exe in Windows System folder and Autorun.inf, USBoot.exe in Root of windows installed folder.


The worm modifies registry at the following location to load itself during each startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

It also copies Funny UST Scandal.exe, xmss.exe and autorun.inf in the removable drives, as well as USBoot.exe and Autorun.inf in the removable drives.

Proland Software detects NetLogonsvc.exe as W32/Agent.Bxt.Dropper.Trojan.

More information can be found at this Proland Software page.