
VBS/Autorun.worm.au

Type: Virus
SubType: Worm
Discovery Date: 11/29/2007
Length:
Minimum DAT: 5174 (11/29/2007)
Updated DAT: 5630 (05/29/2009)
Minimum Engine: 5.1.00
Description Added: 11/29/2007
Description Modified: 02/12/2008 5:07 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Characteristics

When started, the malicious script first decrypts itself. Once decryption is complete, the actual malicious behaviour begins.

The malware then copies itself into both the Windows folder and the system folder, under the filename '.vbe. On the machine used for the analysis, the malware copied itself as:

   c:\windows\'.vbe

   c:\windows\system32\'.vbe

After the copies have been made, the malware sets the following registry value to ensure it is executed the next time the machine boots:

   HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\explorer:'.vbe

Next, the malware modifies the following registry values in order to bypass firewalls:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

The malware then tries to spawn the copy of itself located in the system folder. However, because of the filename it chose, this operation fails. After this, the malware hides its own files from the system's user by modifying the following registry value:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

and creates the file '.ini in the system folder. This file is an autorun file that forces execution of the script. In addition, the malware copies both the '.ini and '.vbs files to the root of all available drives.

Symptoms

  • a wscript process running without having been invoked
  • presence of the files '.vbe and '.ini in the system folder
  • presence of the file '.vbe in the Windows folder
  • presence of the files '.vbs and '.ini in the root of available drives
  • error messages from wscript complaining about the invalid filenames
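The file, registry and process indicators listed under Characteristics and Symptoms can be checked on a suspect machine with the read-only PowerShell triage script below. It is an added example, not code from AVERT or from this description. Two assumptions are not stated on the page: the notation run\explorer:'.vbe is read as a value named explorer whose data is '.vbe, and because the page does not say what data the worm writes to the ZoneMap and ShowSuperHidden values, those are only reported for review (ShowSuperHidden = 0 is also the Windows default, so it should be corroborated with the file findings). The function name Get-AutorunWormAuIndicators is hypothetical.

```powershell
# Added read-only triage check for the indicators this description lists.
# Assumptions (not from the page): "run\explorer:'.vbe" means value name
# "explorer" with data '.vbe; ZoneMap and ShowSuperHidden data is reported
# for review only. Nothing is modified or deleted.
function Get-AutorunWormAuIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    $winDir = $env:SystemRoot
    $sysDir = Join-Path $winDir 'system32'

    # File indicators from the Characteristics and Symptoms sections.
    $paths = @(
        (Join-Path $winDir "'.vbe"),
        (Join-Path $sysDir "'.vbe"),
        (Join-Path $sysDir "'.ini")
    )
    # The worm also drops '.vbs and '.ini in the root of every available drive.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $paths += Join-Path $drive.Root "'.vbs"
        $paths += Join-Path $drive.Root "'.ini"
    }
    foreach ($p in $paths) {
        # -LiteralPath so the apostrophe in the name is taken literally.
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $findings.Add("file present: $p")
        }
    }

    # Registry indicators: key, value name, a predicate on the data, and a note.
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $regChecks = @(
        @{ Key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run'
           Name = 'explorer'
           Hit  = { param($d) "$d" -like "*'.vbe*" }
           Note = 'boot-time persistence entry pointing at the dropped script' },
        @{ Key = $zoneMap; Name = 'ProxyBypass';   Hit = { param($d) $true }; Note = 'ZoneMap value the worm modifies; review' },
        @{ Key = $zoneMap; Name = 'IntranetName';  Hit = { param($d) $true }; Note = 'ZoneMap value the worm modifies; review' },
        @{ Key = $zoneMap; Name = 'UNCAsIntranet'; Hit = { param($d) $true }; Note = 'ZoneMap value the worm modifies; review' },
        @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'ShowSuperHidden'
           Hit  = { param($d) [int]$d -eq 0 }   # 0 = protected OS files hidden (also the default)
           Note = 'super-hidden files are hidden; corroborate with file findings' }
    )
    foreach ($c in $regChecks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $item = Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        if ($item.PSObject.Properties.Name -contains $c.Name) {
            $data = $item.($c.Name)
            if (& $c.Hit $data) {
                $findings.Add("registry: $($c.Key)\$($c.Name) = '$data' ($($c.Note))")
            }
        }
    }

    # Process indicator: any running wscript.exe, with its command line for review.
    Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("process: wscript.exe PID $($_.ProcessId) cmd: $($_.CommandLine)") }

    return $findings
}

$result = Get-AutorunWormAuIndicators
if ($result.Count -eq 0) { 'no indicators of VBS/Autorun.worm.au found' }
else { $result | ForEach-Object { "[!] $_" } }
```

Run it from a PowerShell prompt on the machine under investigation; it only reads the file system, registry and process list, so it is safe to run before the DAT-based cleaning described under Removal, and its output gives the analyst the exact paths and values to hand to the cleanup tooling.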

Method of Infection

Executing the malicious Visual Basic script initiates the infection. In addition, accessing a drive that has been infected by the script, with the autorun feature enabled, infects the local machine.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if that combination is in place.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

VBS/Autorun.worm.au is an autorun worm written in the Visual Basic Script programming language.
