VBS/Autorun.worm.k

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Worm
  • Protection Added: 2007-07-13

---------Updated on July 8th, 2013-------

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Aliases –

Kaspersky    -    Worm.VBS.Sasan.d
ikarus            -    Virus.VBS.Solow
Microsoft       -    Worm:VBS/Slows.A
Symantec      -    VBS.Solow

--------------------------------------

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum Engine

5400.1158

File Length

varies

Description Added

2007-07-13

Description Modified

2007-07-13

Malware Proliferation

---------Updated on July 8th, 2013-------

“VBS/Autorun.worm.k” is a worm that spreads via USB drives and drives mapped to the system.

“VBS/Autorun.worm.k” creates a link file that executes the dropped payload after the next reboot.

Upon execution the worm connects to the following address:

  • 41.[Removed].252.39

Upon execution the following files are added to the system:

  • [RemovableDrive]:\sample.vbs
  • %Temp%\sample.vbs
  • %Temp%\sample.vbs.bin

The following registry keys are added to the system:

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows Script Host
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows Script Host\Settings

The following registry values are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample.vbs: "%Temp%\sample.vbs"
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\sample.vbs: "%Temp%\sample.vbs"

The Run values above register the worm with the compromised system so that it executes at every logon. Note that each value points straight at a .vbs file, so the script is started through the VBSFile file association rather than by an explicit wscript.exe command.

--------------------------------------
---------Updated on July 8th, 2013-------

“VBS/Autorun.worm.k” is a worm that spreads by copying itself to removable drives and to the root of the connected system drives. It also configures Explorer to hide file extensions.

The following attributes are set on the copied files:

•    Read-only
•    Hidden
•    System
•    Archive (file has changed since last backup)

Upon execution it copies itself to the following locations:

•    %WINDIR%\.MS32DLL.dll.vbs
•    %WINDIR%\boot.ini
•    %SYSTEMDRIVE%\.MS32DLL.dll.vbs
•    %SYSTEMDRIVE%\autorun.inf
•    [RemovableDrive]:\.MS32DLL.dll.vbs
•    [RemovableDrive]:\autorun.inf

The worm drops an autorun.inf file into the root of all removable and mapped drives so that its script is launched when the drive is opened.

The autorun.inf points at the dropped script: when the removable or network drive is accessed from a machine that honours AutoRun, the script is launched automatically.

The autorun.inf is configured to launch the script with the following command:


[autorun]
shellexecute=wscript.exe .MS32DLL.dll.vbs

The following registry values are added to the system:

•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS32DLL: "%WINDIR%\.MS32DLL.dll.vbs"
•    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winboot: "wscript.exe /E:vbs %WINDIR%\boot.ini"

Both Run values register the worm with the compromised system so that it executes at every logon. The copy named boot.ini is not the real boot loader configuration (which lives at %SYSTEMDRIVE%\boot.ini) but a VBScript: the /E:vbs switch tells wscript.exe to use the VBScript engine regardless of the file's extension, so the misleading name does not stop it from running.

•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{GUID}: 81 45 E0 01 EE 4E D0 11 BF E9 00 AA 00 5B 43 83 10 00 00 00 00 00 00 00 01 E0 32 F4 01 00 00 00
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Internet Explorer\Toolbar\Explorer\ITBarLayout: [Binary Data]
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "1"
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: "1"

HideFileExt = 1 makes Explorer hide known file extensions, so the dropped .MS32DLL.dll.vbs is shown as .MS32DLL.dll and passes for a DLL.

•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows Scripting Host\Settings\Timeout: "0"

Timeout = 0 removes the Windows Script Host execution time limit, so the worm's script is never terminated for running too long.

The following registry values are modified on the system (each pair lists the value before and after the change):
 
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden: 0x00000000
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden: 0x00000001
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000

ShowSuperHidden = 0 stops Explorer from displaying files that carry the Hidden and System attributes, which is exactly how the worm marks every copy of itself.

•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 0x00000091
•    HKEY_USERS\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 0x00000000

NoDriveTypeAutoRun is a bitmask in which each set bit disables AutoRun for one drive type. The Windows default 0x91 disables it for unknown and network drives; the worm's value 0x00 enables AutoRun for every drive type, including removable and mapped network drives, so its autorun.inf is honoured wherever the drive is plugged in or mapped.
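The following is an added example, not code from the McAfee description, showing how an analyst can evaluate the Explorer and AutoRun values listed above (and the NoRun, NoFolderOptions, DisableTaskMgr and DisableRegistryTools values that appear in the older updates) from an exported registry snapshot. The snapshot layout (a dict of value paths relative to Software\Microsoft\Windows\CurrentVersion in whichever hive they come from) is an assumption of this example, and the INFECTED_SNAPSHOT data is constructed from this page's listing rather than taken from a real export.

```python
# Added example, not part of the McAfee description: evaluate the Explorer and
# AutoRun policy values this worm touches from a registry snapshot (a dict built
# from a .reg export or a forensic hive dump) so the check runs offline.

# One bit per Win32 drive type; a SET bit disables AutoRun for that type.
NO_DRIVE_TYPE_AUTORUN_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}


def autorun_enabled_types(mask):
    """Drive types on which AutoRun is still honoured under the given mask."""
    return [name for bit, name in NO_DRIVE_TYPE_AUTORUN_BITS.items() if not mask & bit]


# Value path (relative to Software\Microsoft\Windows\CurrentVersion of the hive),
# the data the worm writes, and what that data does to the user's view of the disk.
TAMPER_CHECKS = [
    (r"Explorer\Advanced\HideFileExt", 1, "known extensions hidden, so .MS32DLL.dll.vbs shows as .MS32DLL.dll"),
    (r"Explorer\Advanced\ShowSuperHidden", 0, "files with the Hidden+System attributes are not displayed"),
    (r"Policies\Explorer\NoRun", 1, "Start menu Run command disabled"),
    (r"Policies\Explorer\NoFolderOptions", 1, "Folder Options removed, user cannot re-enable extensions"),
    (r"Policies\System\DisableTaskMgr", 1, "Task Manager disabled"),
    (r"Policies\System\DisableRegistryTools", 1, "Registry Editor disabled"),
]


def audit_snapshot(snapshot):
    """snapshot: {value path: integer data}. Returns a list of finding strings."""
    findings = []
    mask = snapshot.get(r"Policies\Explorer\NoDriveTypeAutoRun")
    if mask is not None:
        # Removable and network drives are the ones an autorun worm rides on.
        exposed = [t for t in autorun_enabled_types(mask) if t in ("DRIVE_REMOVABLE", "DRIVE_REMOTE")]
        if exposed:
            findings.append("NoDriveTypeAutoRun=0x%02X leaves AutoRun on for %s" % (mask, ", ".join(exposed)))
    for path, bad, effect in TAMPER_CHECKS:
        if snapshot.get(path) == bad:
            findings.append("%s=%d: %s" % (path, bad, effect))
    return findings


# Constructed snapshot reproducing the values this update lists (not a real export).
INFECTED_SNAPSHOT = {
    r"Policies\Explorer\NoDriveTypeAutoRun": 0x00,
    r"Explorer\Advanced\Hidden": 1,
    r"Explorer\Advanced\HideFileExt": 1,
    r"Explorer\Advanced\ShowSuperHidden": 0,
}

if __name__ == "__main__":
    print("default 0x91 still honours AutoRun on:", autorun_enabled_types(0x91))
    for finding in audit_snapshot(INFECTED_SNAPSHOT):
        print(finding)
```

Running it against the default mask is instructive in itself: 0x91 only switches AutoRun off for unknown and network drives, so removable media is still exposed, which is why the hardened setting that Microsoft recommended for this class of worm is 0xFF (every bit set).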


---------Updated on May 21, 2013-------

Aliases –

  • ESET-NOD32    -     VBS/Agent.NGB
  • Kaspersky         -     Worm.VBS.Agent.bu
  • Microsoft            -     Worm:VBS/Jenxcus.A

Characteristics

“VBS/Autorun.worm.k” is a worm that spreads by copying itself to drives connected to the system.

Upon execution the worm connects to the following hosts on remote port 7777:

  • a.serve[Removed]strike.com
  • 133.125.[Removed].37


The following files are added to the system:

  • %Temp%\Updatea.vbs
  • %Userprofile%\Start Menu\Programs\Startup\Updatea.vbs


Upon execution it copies itself to the following location:

  • [RemovableDrive]:\Updatea.vbs

The following registry values are added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updatea.vbs: "%Temp%\Updatea.vbs"
  • HKEY_USER\S-1-[Varies]\MaReDHaCkeR: "n"


The Run value and the copy in the user's Startup folder both cause the worm to execute at every logon.

---------Updated on May 15, 2012-------

Aliases -

  • AntiVir - VBS/Autorun.AQ
  • Kaspersky - Worm.VBS.Autorun.gj
  • Microsoft - Worm:VBS/VBSWG.gen
  • NOD32 - VBS/AutoRun.FW


VBS/Autorun.worm.k is a worm that spreads by copying itself to system and removable drives.

Upon execution the worm copies itself to the following locations:

  • %Windir%\system32\Thumbs.vbs
  • %Windir%\Thumbs.vbs
  • %systemdrive%\Thumbs.vbs

It also drops the following file:

  • %systemdrive%\autorun.inf

It also drops an autorun.inf file into the root of all removable and mapped drives so that its script is launched when the drive is opened.

The autorun.inf points at the dropped script: when the removable or network drive is accessed from a machine that honours AutoRun, the script is launched automatically.

The autorun.inf is configured to launch the script with the following entries. The shell\open\Command line hijacks the drive's Open verb (the one used on double-click), the Explore verb is left pointing at Explorer.exe so the drive still looks normal, and a third verb named after the worm also launches the script.

[AUTORUN]
&Open=wscript.exe Thumbs.vbs
shell\open=Open
shell\open\Command=wscript.exe Thumbs.vbs
shell\Explore=&Explorer
shell\Explore\Command=Explorer.exe
shell\VBS.ALLYA.B\Command=wscript.exe Thumbs.vbs
shell\VBS.ALLYA.B\Default=1

The following registry key is added to the system:

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows Script Host\Settings

The following registry values are added to the system:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions = 0x00000001
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFile:

NoFolderOptions = 1 removes Folder Options from Explorer's menus, so the user cannot undo the hidden-file setting described below.

The worm disables the Start menu Run command by adding the following value:

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 0x00000001

The following registry value registers the worm with the compromised system so that it executes at every logon:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVCTRL32 = "wscript.exe %Windir%\Thumbs.vbs"

The following registry values are modified on the system:

  • HKEY_LOCAL_MACHINE\Software\Classes\VBSFile\ = "Data Base File"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Scripting Host\Script Extensions\.VBS\ = "Data Base File"

These change the type name Explorer shows for .vbs files from "VBScript Script File" to "Data Base File", so the dropped scripts look like database files in Explorer's Type column.

The following registry value hides files that carry the Hidden and System attributes, which conceals the worm's copies:

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0x00000000

[Note: C:\WINDOWS is %Windir%]

---------Updated on January 12, 2012-------

File Information

  • MD5  -  7458A5CA9E58C08D57D2F0779DCB0E57
  • SHA-1  - 5309ebbb289dee829b890a9087a84371d347430d

Upon execution, the following registry entry is modified to allow the malware to restart after a reboot:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Data: %WinDir%\system32\userinit.exe,%WinDir%\system32\wscript.exe //e:vbscript.encode %RootDir%:\:\%WinDir%\system32\drivers\alice.sys

Userinit is the comma-separated list of programs Winlogon starts at every logon. The stock value contains only userinit.exe; the worm appends a wscript.exe command after it, so the encoded script runs at each logon while the logon itself still completes normally.
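The following is an added example, not code from the McAfee description, that classifies the autostart commands this page lists: the Winlogon Userinit value above and the Run values from the other updates (MS32DLL, winboot, AVCTRL32). It works on the command strings only, so it can be run against exported data without a live registry. The function names, the list of script extensions and the rule that anything other than userinit.exe in Userinit is reportable are assumptions of this example; the USERINIT_FROM_PAGE and RUN_VALUES_FROM_PAGE inputs are copied from this page's listings, with environment strings left unexpanded.

```python
import re

# Added example, not part of the McAfee description: classify autostart commands
# (Run values and the Winlogon Userinit list) without touching a live registry.

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# //E:engine (or /E:engine) overrides the engine the host would pick from the extension.
ENGINE_SWITCH = re.compile(r"(?:^|\s)//?e:(?P<engine>\S+)", re.IGNORECASE)


def classify_launch(command):
    """Explain why an autostart command is suspicious; None when it looks benign."""
    parts = command.split()
    if not parts:
        return None
    exe = parts[0].strip('"').lower()
    if exe.endswith(SCRIPT_EXTENSIONS):
        # A bare .vbs in a Run value is started through the VBSFile association.
        return "script file launched through its file association"
    if not exe.endswith(SCRIPT_HOSTS):
        return None
    reasons = ["script host in autostart entry"]
    m = ENGINE_SWITCH.search(command)
    if m:
        reasons.append("engine override %s" % m.group("engine").lower())
    # The first argument that is not a host switch is the script being run.
    targets = [p for p in parts[1:] if not p.startswith("/")]
    if targets:
        target = targets[0].strip('"').lower()
        if not target.endswith(SCRIPT_EXTENSIONS):
            reasons.append("target %s has a non-script extension" % target)
    return "; ".join(reasons)


def audit_userinit(value):
    """Userinit is a comma-separated program list; the stock value is userinit.exe
    alone. Return (entry, reason) pairs for everything else."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry.split()[0].strip('"').lower().endswith("userinit.exe"):
            continue
        findings.append((entry, classify_launch(entry) or "extra logon program"))
    return findings


def audit_run_values(run_values):
    """run_values: {value name: command}. Return {name: reason} for suspicious ones."""
    report = {}
    for name, command in run_values.items():
        reason = classify_launch(command)
        if reason:
            report[name] = reason
    return report


# Inputs copied from this page's listings (environment strings left unexpanded).
USERINIT_FROM_PAGE = (r"%WinDir%\system32\userinit.exe,%WinDir%\system32\wscript.exe "
                      r"//e:vbscript.encode %RootDir%:\:\%WinDir%\system32\drivers\alice.sys")
RUN_VALUES_FROM_PAGE = {
    "MS32DLL": r"%WINDIR%\.MS32DLL.dll.vbs",
    "winboot": r"wscript.exe /E:vbs %WINDIR%\boot.ini",
    "AVCTRL32": r"wscript.exe c:\windows\system32\Thumbs.vbs",
}

if __name__ == "__main__":
    for entry, reason in audit_userinit(USERINIT_FROM_PAGE):
        print("Userinit:", entry, "->", reason)
    for name, reason in audit_run_values(RUN_VALUES_FROM_PAGE).items():
        print("Run\\%s -> %s" % (name, reason))
```

The engine-override check is the part worth keeping in any autostart review: a script host pointed at a .sys, .ini or .alc file with /E: or //E: present is running a script under a disguised name, and a plain extension filter would miss it.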


VBS/Autorun.worm.k will drop the following files:

  • %RootDir%\Alice.alc
  • %RootDir%\Autorun.inf
  • %UserDir%\Templates\winword.vbe
  • %UserDir%\Templates\winword2.vbe
  • %WinDir%\System32\Alice.sys

The autorun.inf file contains the following code:

[autorun]
shellexecute=wscript.exe //e:vbscript.encode alice.alc
shell\open\command=wscript.exe //e:vbscript.encode alice.alc
shell\explore\command=wscript.exe //e:vbscript.encode alice.alc

The //e:vbscript.encode switch selects the encoded-VBScript engine explicitly, so alice.alc (and alice.sys from the Userinit entry) is executed as an encoded script regardless of its extension; the dropped .vbe files are in the same encoded format.

The malware attempts to inject malicious VBScript into existing HTML files. It also creates new VBScript files in directories that contain .doc files, naming each new file after an existing document and hiding the original.

---------Updated on July 01, 2011-------

File Information

  • MD5  -  14BBD7B5B924B598A7655C6211BF19A8
  • SHA-1  - 27D11C934AD2CD8F673603B4CACEF87AEFF09DA1

Aliases

  • Kaspersky - Worm.VBS.Autorun.gj
  • NOD32 - VBS/AutoRun.FW
  • Symantec - Bloodhound.VBS.4
  • Microsoft - Worm:VBS/VBSWG.gen

When executed it copies itself to the following locations:

  • %Windir%\system32\Thumbs.vbs
  • %Windir%\Thumbs.vbs
  • %Systemdrive%\Thumbs.vbs

It also drops the following file:

  • %Systemdrive%\autorun.inf

It also drops an autorun.inf file into the root of all removable and mapped drives so that its script is launched when the drive is opened.

The autorun.inf points at the dropped script: when the removable or network drive is accessed from a machine that honours AutoRun, the script is launched automatically. The [ABOUT] section is not read by the shell; it only carries the author's tag (the VBSNOTE line is Indonesian for "Long live Indovirus - try decoding it and study it.. :p").

[AUTORUN]
&Open=wscript.exe Thumbs.vbs
shell\open=Open
shell\open\Command=wscript.exe Thumbs.vbs
shell\Explore=&Explorer
shell\Explore\Command=Explorer.exe
shell\VBS.ALLYA.B\Command=wscript.exe Thumbs.vbs
shell\VBS.ALLYA.B\Default=1
[ABOUT]
VBSName=VBS.ALLYA
VBSVersion=ENCRYPTED.B-2009
VBSAUTHOR=Iwing/Indovirus
VBSNOTE=Viva Indovirus - Coba Decoded dan Pelajari ya.. :p
'923

The following registry keys are added to the system:

  • HKEY_USERS\S-1-5-(varies)\Software\Microsoft\Windows Script Host
  • HKEY_USERS\S-1-5-(varies)\Software\Microsoft\Windows Script Host\Settings

The following registry value is added:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    “AVCTRL32” = "wscript.exe c:\windows\system32\Thumbs.vbs"

The above Run value registers the worm with the compromised system so that it executes at every logon.

  • [HKEY_USERS\S-1-5-(varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
    “NoRun” = “0x00000001”

The worm disables the Start menu Run command by adding the value above.

----------------------------------------------------------------------------

-------- Updated on Jun 21, 2011 ---------

File Information -

  • MD5 - 58B74273D47FD40B38A0433EF22D4D83
  • SHA-1 - 10F50759411F2EE921B321E6122E6BA501217661

Aliases -

  • AVG - VBS/Worm
  • NOD32 - VBS/Butsur.L
  • Symantec - VBS.Runauto
  • Microsoft - Worm:VBS/Autorun.AG

"VBS/Autorun.worm.k" is a VBS autorun worm that spreads through USB drives.

Upon execution the worm changes the Internet Explorer start page to the following URL:

  • www.goo[removed]uk

It also drops an autorun.inf file into the root of all removable and mapped drives so that its script is launched when the drive is opened.

The autorun.inf points at the dropped script: when the removable or network drive is accessed from a machine that honours AutoRun, the script is launched automatically. In this variant the script carries a long random-looking name:

[autorun]
shellexecute = wscript.exe jxk1o4mpf7l1hqkbgy506l7gkb06yy9d1ita7bn5csat.vbs

The following value is modified on the system:

  •  [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Main]
     Start Page = "www.goo[removed]uk"
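Every update on this page carries an autorun.inf that differs only in the key used (shellexecute, open, or a shell\<verb>\command entry) and in how the script is named. The following is an added example, not code from the McAfee description, of a small autorun.inf reader that pulls out every command the shell could run for the drive and flags the ones that start a script host. The three SAMPLE_* files are reconstructed from the entries printed on this page and are constructed test input, not files captured from an infected drive; the parser's treatment of a leading '&' on a key and of lines without '=' is this example's own choice.

```python
import re

# Added example, not part of the McAfee description: read the autorun.inf
# variants shown on this page and list what the shell would execute from them.

SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)
VERB_COMMAND = re.compile(r"shell\\([^\\]+)\\command")


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.
    Lines without '=' (stray tokens such as "'923") are skipped and a leading '&'
    on a key is dropped, since it only marks a menu accelerator."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lstrip("&").lower()] = value.strip()
    return sections


def launch_commands(text):
    """Every way the shell can start something from the drive: 'open' and
    'shellexecute' fire on AutoRun, shell\\<verb>\\command entries back the
    context-menu verbs (double-click uses the 'open' verb)."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    commands = {k: autorun[k] for k in ("open", "shellexecute") if k in autorun}
    for key, value in autorun.items():
        m = VERB_COMMAND.fullmatch(key)
        if m:
            commands["verb:" + m.group(1)] = value
    return commands


def script_launches(text):
    """Subset of launch_commands() that would start wscript.exe or cscript.exe."""
    return {k: v for k, v in launch_commands(text).items() if SCRIPT_HOST.search(v)}


# Constructed samples reproducing the listings on this page.
SAMPLE_MS32DLL = """[autorun]
shellexecute=wscript.exe .MS32DLL.dll.vbs
"""

SAMPLE_THUMBS = r"""[AUTORUN]
&Open=wscript.exe Thumbs.vbs
shell\open=Open
shell\open\Command=wscript.exe Thumbs.vbs
shell\Explore=&Explorer
shell\Explore\Command=Explorer.exe
shell\VBS.ALLYA.B\Command=wscript.exe Thumbs.vbs
shell\VBS.ALLYA.B\Default=1
[ABOUT]
VBSName=VBS.ALLYA
'923
"""

SAMPLE_ALICE = r"""[autorun]
shellexecute=wscript.exe //e:vbscript.encode alice.alc
shell\open\command=wscript.exe //e:vbscript.encode alice.alc
shell\explore\command=wscript.exe //e:vbscript.encode alice.alc
"""

if __name__ == "__main__":
    for name, sample in (("MS32DLL", SAMPLE_MS32DLL), ("Thumbs", SAMPLE_THUMBS), ("alice", SAMPLE_ALICE)):
        print(name, script_launches(sample))
```

Reading the verbs rather than only shellexecute matters for the Thumbs.vbs variant: it leaves the Explore verb pointing at Explorer.exe, so a check that only looks for a hijacked Explore command would report the drive as clean while double-click still runs the script.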

--------------------------------------

This is a VBS autorun worm that spreads through USB drives.

It spreads itself under the following known filenames:

  • ntidr.vbs
  • Radz_Services.vbs
  • SysRes.vbs

It will change Internet Explorer Start Page to point the following URL:

  • www.radzservices.[removed].com

It will add or modify the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\leakHelpString

It will also create a registry run key to run itself at system startup.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).


---------Updated on July 8th, 2013-------

This worm spreads by its intended method of infecting removable drives. Alternatively it may be installed by visiting a malicious web page, either by clicking a link or through a scripted exploit hosted on the site that installs the worm on the user's system with no user interaction.

---------Updated on May 21, 2013-------

This worm spreads by its intended method of infecting removable drives. Alternatively it may be installed by visiting a malicious web page, either by clicking a link or through a scripted exploit hosted on the site that installs the worm on the user's system with no user interaction.

---------Updated on May 15, 2012-------

The autorun worm spreads itself through USB drives.

  • Presence of previously mentioned files