W32/Autorun-XO is a worm for the Windows platform.

W32/Autorun-XO includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Autorun-XO copies itself to:

Windows\chrome.exe
System\chrome.exe

and creates the file (System)\autorun.ini.

The file autorun.ini is detected as W32/AutoRun-PU.

The following registry entry is created to run chrome.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
System\chrome.exe

The following registry entry is changed to run chrome.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe chrome.exe

W32/Autorun-XO changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

More information can be found at this Sophos page.