When started, the malicious script first decrypts itself. Once this is done, the actual malicious behaviour begins.
The malware then copies itself into both the Windows folder and the system folder as '.vbe. On the machine used for the analysis, the malware copied itself to:
c:\windows\'.vbe
c:\windows\system32\'.vbe
After copying itself, the malware sets the following registry value so that it is executed at the next boot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\explorer:'.vbe
Next, the malware modifies the following registry values in an attempt to bypass firewalls:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
The malware then tries to launch the copy of itself located in the system folder; because of the name chosen for the file, this operation fails. After this, the malware hides its own files from the user by modifying the following registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
It also creates the file '.ini in the system folder. This is an autorun file that forces execution of the script. In addition, the malware copies both the '.ini and '.vbs files to the root of every available drive.
Executing the malicious Visual Basic script initiates the infection. Additionally, accessing a drive infected by the script while the autorun feature is enabled will infect the local machine.
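The following read-only PowerShell triage script is an added example, not part of the original advisory or any vendor tool: it checks a host for the artifacts listed above (the '.vbe drops, the '.ini/'.vbs autorun files in drive roots, the policy Run entry, and the ShowSuperHidden and ZoneMap values). It assumes the entry "run\explorer:'.vbe" denotes a value named "explorer" whose data is '.vbe, and it only reports findings; it changes nothing.

```powershell
# Added example (not from the original advisory): report indicators of the
# '.vbe script described above. Read-only; nothing is deleted or modified.
function Get-VbeWormIndicators {
    $findings = @()

    # 1. Dropped copies in the Windows and System32 folders, named '.vbe
    $drops = @(
        (Join-Path $env:windir "'.vbe"),
        (Join-Path $env:windir "System32\'.vbe")
    )
    foreach ($p in $drops) {
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
    }

    # 2. Autorun artifacts ('.ini and '.vbs) in the root of every drive
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        foreach ($n in "'.ini", "'.vbs") {
            $p = Join-Path $d.Root $n
            if (Test-Path -LiteralPath $p) { $findings += "Autorun artifact: $p" }
        }
    }

    # 3. Persistence: policy-based Run entry (value name 'explorer' is assumed)
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['explorer']) {
        $findings += "Policy Run value: explorer = $($run.explorer)"
    }

    # 4. Hidden-file setting: 0 hides protected OS files (also the Windows
    #    default, so treat this as context for the other findings, not proof)
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $ssh = (Get-ItemProperty -Path $adv -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
    if ($ssh -eq 0) { $findings += "ShowSuperHidden = 0 (protected OS files hidden)" }

    # 5. ZoneMap values the advisory says are modified; report current data for review
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    foreach ($v in 'ProxyBypass', 'IntranetName', 'UNCAsIntranet') {
        $val = (Get-ItemProperty -Path $zone -Name $v -ErrorAction SilentlyContinue).$v
        if ($null -ne $val) { $findings += "ZoneMap\$v = $val" }
    }

    return $findings
}

Get-VbeWormIndicators
```

Run it in an elevated session so the HKLM policy key is readable; an empty result means none of the listed artifacts were found on this host.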
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
2. Update to current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
1. Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.