VBS/Autorun.worm

Type: Virus
SubType: VbScript
Discovery Date: 02/12/2008
Length:
Minimum DAT: N/A
Updated DAT: N/A
Minimum Engine: 5.1.00
Description Added: 02/12/2008
Description Modified: 02/12/2008 6:41 AM (PT)
Risk Assessment
  Corporate User: N/A
  Home User: N/A

Characteristics

Autorun worms written in the Visual Basic Script programming language are usually encrypted in custom ways in order to evade detection by antivirus scanners. When such protection is present, the malware's first step is to decrypt its real body.

As soon as the main code of the script is executed, VBS autorun worms usually proceed to make sure that the script is run every time the machine is started. This is usually done by adding specific registry values in defined locations of the victim machine's registry. Such registry locations are usually referred to as autorun keys.

Once reboot survival has been ensured, VBS autorun worms start infecting the root folders of available drives by creating an autorun.ini file there and copying the malicious script into the same folder. This autorun file allows infection of users who access that drive, provided that they have autorun enabled. In this way, the malware is able to propagate across users' machines.

In addition to this, VBS autorun worms may perform other activities. A small subset of these activities includes:

  • lowering security settings for the victim's machine
  • downloading additional malware
  • disabling security software

Symptoms

The following symptoms are typical of VBS autorun worms:

  • wscript process running without the user executing it
  • presence of suspicious ini and vbs files in the root of available drives

Additional symptoms may include (but are not limited to):

  • suspicious network activity
  • presence of additional malware on the machine
  • low security settings on the machine
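
Added example (not part of the original description and not vendor code): a Python triage check for the two typical symptoms above, namely an autorun file in a drive root that launches a script sitting in the same root, and an autorun key value that starts a script at boot. The function names, finding labels and sample values are assumptions constructed for illustration; the autorun file text and the autorun key values are passed in as plain data so the check runs offline.

```python
import re

# A file name ending in .vbs or .vbe (last path component, no spaces).
SCRIPT_RE = re.compile(r"[^\s\"'\\/=]+\.vb[se]\b", re.IGNORECASE)
LAUNCH_KEYS = {"open", "shellexecute"}  # [autorun] keys that start a program

def autorun_script_targets(text):
    """Script names launched by the [autorun] section of an autorun file."""
    targets, section = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in LAUNCH_KEYS or key.startswith("shell\\"):
            targets.update(m.lower() for m in SCRIPT_RE.findall(value))
    return sorted(targets)

def triage(root_files, autorun_text, run_values):
    """Flag the two symptoms: autorun file plus script in a drive root,
    and an autorun key value that starts a script at boot."""
    present = {name.lower() for name in root_files}
    findings = [("autorun-launches-root-script", s)
                for s in autorun_script_targets(autorun_text) if s in present]
    findings += [("run-key-starts-script", name)
                 for name, cmd in sorted(run_values.items())
                 if SCRIPT_RE.search(cmd)]
    return findings

# Constructed sample data (not taken from a real infection).
SAMPLE_ROOT = ["autorun.ini", "sys.vbs", "photos", "report.doc"]
SAMPLE_AUTORUN = "[autorun]\nopen=wscript.exe sys.vbs\nicon=folder.ico\n"
SAMPLE_RUN = {"ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",
              "winboot": "wscript.exe C:\\WINDOWS\\sys.vbs"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROOT, SAMPLE_AUTORUN, SAMPLE_RUN):
        print(finding)
```

A finding here is a lead for manual review, not a verdict: legitimate logon scripts also appear in autorun keys.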

Method of Infection

Executing the malicious Visual Basic script will initiate the infection. In addition to this, accessing a drive that has been infected by the script's autorun feature will infect the local machine.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

Overview

VBS/Autorun.worm is a generic detection for autorun worms written in the Visual Basic Script programming language.
