VBS/Autorun.worm.aadd

This page shows details and results of our analysis on the malware VBS/Autorun.worm.aadd

Overview

---------- Updated on 24th ----------

This detection is for a worm that attempts to copy itself to the root of any accessible disk volume. Additionally, it attempts to place an Autorun.inf file in the root of the volume so that the worm is executed the next time the volume is mounted.

Aliases

  • Microsoft - Worm:VBS/Jenxcus.A
  • Symantec - VBS.Downloader.Trojan
  • Kaspersky - Trojan-Dropper.VBS.Agent.cs
----------

VBS/Autorun.worm.aadd has the ability to infect removable media devices. Infection starts either with manual execution of the infected file or by invoking the corresponding .LNK files, which can cause automatic execution of the worm. After infection it may also download other malware, or updates to itself, as directed by the C&C server.

Aliases

  • Fortinet - VBS/Dinihou.B!worm
  • Ikarus - Worm.Win32.VBS.Dinihou
  • Kaspersky - Worm.VBS.Dinihou.b

Minimum DAT

7112 (2013-06-20)

Updated DAT

7205 (2013-09-21)

Minimum Engine

5400.1158

File Length

varies

Description Added

2013-06-20

Description Modified

2013-10-24

Malware Proliferation

Characteristics

---------- Updated on 24th ----------

VBS/Autorun.worm.aadd is a worm that spreads via USB drives and drives mapped to the system.

VBS/Autorun.worm.aadd creates a link file to execute the dropped payload upon system reboot.

Upon execution the worm connects to the following URL:
  • ver[Removed]et
Upon execution the following files are added to the system:
  • [RemovableDrive]\help.vbs
  • %Temp%\help.vbs
The following registry keys are added to the system:
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows Script Host
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows Script Host\Settings
The following registry key values are added to the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help.vbs: "%Temp%\help.vbs"
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\help.vbs: "%Temp%\help.vbs"
The above-mentioned Run entries ensure that the worm is registered to start with the compromised system and executes itself on every boot.

----------

Upon execution, this VBScript worm creates a copy of itself in the %TEMP% folder with a random file name, as shown below:
  • %Temp%\[FileName].vbs
The worm also copies itself into the Startup folder:
  • %UserProfile%\Start Menu\Programs\Startup\[Filename].vbs
The worm also connects to the site “man[removed].no-ip.biz” on remote port 846 to download further malicious files.

This VBScript worm spreads via removable storage devices, such as floppy disk drives or USB flash drives.

It checks the user's computer for removable drives. Upon finding a removable drive, the worm copies itself to it. It then creates several link (.lnk) files that run the VBScript worm.

Each .lnk file is named after a file already present on the removable drive, and the original clean file is hidden.

VBS/Autorun.worm.aadd is a worm that spreads through removable drives. It allows backdoor access to, and control of, the user's computer by a remote attacker.

It creates the following registry key as an infection marker:
  • HKEY_LOCAL_MACHINE\software\Filename
The following registry value is added to the system:
  • HKEY_LOCAL_MACHINE\SOFTWARE\FileName\ = "false – Date of Execution"
The following registry entries enable the worm to execute every time Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[Filename] = wscript.exe //B "%Temp%\[filename].vbs"
  • HKEY_CURRENT_USER\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\[FileName] = wscript.exe //B "%Temp%\[FileName].vbs"
This worm connects to a C&C server using an HTTP POST request.
It sends the following information about the user's computer to the server:
  • Disk volume serial number
  • Computer name
  • User name
  • Operating system information, for example the name and version
  • Installed Antivirus software details
Once it has received the information about the user's computer, the C&C server replies to the worm with instructions on what to do next. The commands may be any of the following:
  • Run a command in the system
  • Download and run a file, including other malware
  • Update the worm
  • Remove the worm after an update or after other malware is run
It can run the following commands from the attacker:
  • exec - Download and run additional code
  • uns - Uninstall itself
Notes:
  • %UserProfile% - C:\Documents and Settings\[UserName]
  • %Temp% - C:\Documents and Settings\[UserName]\Local Settings\Temp
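The two persistence layouts described above, the Run-key values that launch a .vbs from %Temp% and the decoy .lnk files that stand in for hidden originals on a removable drive, can be checked with the following triage logic. This is an added example, not code from the original description; it works on constructed dictionaries standing in for a registry key dump and a drive-root listing, so it runs offline and would be fed real data by a collection script.

```python
import re
from pathlib import PureWindowsPath

# Run-key data shapes quoted in this description (surrounding quotes optional):
#   wscript.exe //B "%Temp%\<name>.vbs"   or   "%Temp%\help.vbs"
RUN_VALUE_RE = re.compile(
    r'^"?(?:wscript\.exe"?\s+//B\s+"?)?%Temp%\\[^\\"]+\.vbs"?\s*$', re.IGNORECASE
)

def suspicious_run_entries(run_values):
    """run_values: {value name: value data} from a ...\\CurrentVersion\\Run key.
    Returns the entries whose data launches a .vbs out of %Temp%."""
    return sorted((n, d) for n, d in run_values.items() if RUN_VALUE_RE.match(d))

def decoy_links(root_listing):
    """root_listing: {file name: hidden attribute set?} for a drive root.
    Returns (lnk, hidden original) pairs: a shortcut named after a file on the
    drive whose original has been hidden, the layout the worm leaves behind."""
    hidden = {name for name, is_hidden in root_listing.items() if is_hidden}
    found = []
    for name in root_listing:
        if not name.lower().endswith(".lnk"):
            continue
        base = name[:-4]  # "report.docx.lnk" -> "report.docx"
        for orig in hidden:
            # match the full name, or the name with its extension stripped
            if orig == base or PureWindowsPath(orig).stem == base:
                found.append((name, orig))
    return sorted(found)

def hidden_vbs(root_listing):
    """Hidden .vbs files at the drive root (the worm's own copy)."""
    return sorted(n for n, h in root_listing.items() if h and n.lower().endswith(".vbs"))

# Constructed sample data, not captured from a real infection
SAMPLE_RUN = {
    "help.vbs": '"%Temp%\\help.vbs"',
    "upd3f": 'wscript.exe //B "%Temp%\\upd3f.vbs"',
    "Updater": '"C:\\Program Files\\Vendor\\updater.exe" /quiet',  # benign
}
SAMPLE_USB_ROOT = {
    "help.vbs": True,          # worm copy dropped at the drive root, hidden
    "report.docx": True,       # clean file the worm hid
    "report.docx.lnk": False,  # decoy shortcut shown in its place
    "photos": True,            # hidden folder
    "photos.lnk": False,       # decoy shortcut for the folder
    "notes.txt": False,        # untouched file
}

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_RUN))
    print(decoy_links(SAMPLE_USB_ROOT))
    print(hidden_vbs(SAMPLE_USB_ROOT))
```

A decoy .lnk that points at wscript.exe with a //B argument, combined with a hidden .vbs on the same drive, is the pattern worth alerting on; a lone hidden file is not evidence by itself.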

Symptoms

Presence of the above-mentioned activities.

Method of Infection

This worm may be spread by its intended method of infected removable drives. Alternatively, it may be installed by visiting a malicious web page (for example by clicking on a link), or by a website hosting a scripted exploit that installs the worm onto the user's system with no user interaction.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants