Daprosy Worm

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

Although first observed in early May 2009,[1] the worm was first announced to the public as Daprosy trojan[2] worm by Symantec in July 2009 and was later identified as Autorun-AMS, Autorun-AMW and Autorun-APL by Sophos.[3] It acquired additional aliases from antivirus companies and others tag it as an incarnation or variation of the Autorun.H.[4][5]

The worm belongs to the “slow” mass mailer category where copies of which are attached and sent to addresses intercepted from the keyboard. The e-mail consists of a promotion of and installation instruction for an imaginary antivirus product purported to remove unknown infections from the computer. While infection cannot occur until the attached worm is renamed and opened, it could spread to system folders in a matter of seconds. It is known to shut down or hang Windows Vista and Windows 7 when attempts to write on the system drive are denied by said operating systems. Also, the worm hides folders and makes them "super hidden" so that data contained in them are not easily accessed.

Precision key logging is the main threat associated with Daprosy infection. Logged keystrokes containing sensitive data could be sent to its author using the worm's improvised mailing system. Early strains are known to destabilize, corrupt and even stall the operating system due to programming bugs. Said strains appear to be incomplete and were probably created by students or amateur Visual Basic programmers as evidenced by using VB decompilers. Final or later releases of Daprosy worm are prolific online game password stealers. They also pose great threats to banking and other e-commerce establishments.

Daprosy worm is rampant in public Internet cafés with LAN connections and exposed USB mass storage drives. As of October 2009 special scripts are available to remove it from infected computers. Many Windows system were stalled last November 13, 2009. An initial investigation points to the older versions of Daprosy Worm, viz. Sophos Autorun-AMS and Autorun-AMW, which appear to be "Friday the Thirteenth" malware.

More recent and persistent variants of Daprosy worm are still in circulation. A notable variant, Win32/Kashu.B as identified by Ahnlab, can be removed only by using live CD. Usually, such variants of Daprosy worm are infected by Sality viruses and usually have file size greater than 100 kilobytes. It now appears that Daprosy worm is a natural host to file-infecting viruses since the former is well distributed on all drives. Viral Daprosy exists in many variants which again requires special scripts to remove. Manual removal of worms infected with viruses requires knowledge usually belonging to individuals associated with AV companies.

Daprosy is "active" even in Safe Mode which makes it difficult to manually remove. Its key logging mechanism is so precise that it captures almost everything typed on the keyboard. This ranks Daprosy as one of the most dangerous worms of the last decade.


  1. ^ "Please help virus attack Classified.exe".
  2. ^ "Archived copy". Archived from the original on 2011-06-07. Retrieved 2009-10-07.{{cite web}}: CS1 maint: archived copy as title (link)
  3. ^ "Sophos Security Labs: Real-Time Malware Threat Prevention".
  4. ^ "ThreatExpert Report: W32.Daprosy, Worm.Win32.AutoRun.ausp, Mal/Generic-A, Worm.Win32.AutoRun." www.threatexpert.com. Archived from the original on 2011-07-17.
  5. ^ "Archived copy". Archived from the original on 2011-09-01. Retrieved 2009-10-30.{{cite web}}: CS1 maint: archived copy as title (link)