A standalone malicious program which uses computer or network resources to make complete copies of itself. It may include code or other malware to damage both the system and the network.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Worm:VBS/AutoRun.B is a worm that spreads by copying itself to local hard drives, network drives, and removable drives. It has no other functionality.
The worm contains four files:
The first file is the worm's Visual Basic Script file.
The autorun.inf file causes the __.vbs file to be executed when an infected drive is accessed with a computer that has autorun enabled on the drive in question.
The script copies all four files to the root of local hard drives, network drives, and removable drives not labeled A:\ or B:\. The four files are also copied under %windir%\system32.
The _.reg and _.bat files are detected as Trojan.Win32.Zapchast.ee.
If the script isn't being run from the %windir%\system32 location and therefore hasn't yet been installed, it executes the __.bat file.
The batch file (__.bat) installs the worm by creating the following registry entry to execute itself each time the computer is started:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = userinit.exe,__.bat
The batch file can make the registry changes by adding the contents of __.reg into the registry. If the __.bat file was executed by the registry entry, it then runs the script file.
The batch file also sets the file attributes for all four files to hidden, system, read-only and archive.
The worm also tries to alter this registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden
This alteration is an attempt to make hidden files invisible in Windows Explorer.
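A triage check for the two launch points described above, the Winlogon Userinit value and the autorun.inf file at a drive root, is sketched below. It is an added example, not F-Secure's detection logic: the function names are hypothetical, the autorun.inf sample is constructed, and only the `userinit.exe,__.bat` value comes from this description.

```python
import ntpath
import re

# Standard AutoRun keys that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def extra_userinit_entries(value):
    """Return Userinit entries other than userinit.exe itself."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries
            if e and ntpath.basename(e).lower() != "userinit.exe"]

def autorun_launch_targets(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        key, sep, cmd = line.partition("=")
        if in_section and sep and LAUNCH_KEY.match(key.strip()):
            targets.append((key.strip().lower(), cmd.strip()))
    return targets

def read_live_userinit():
    """Read the live Userinit value on Windows; return None on other systems."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY  # avoid the 32-bit view
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

# Constructed samples, not captured from a real infection.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
PAGE_USERINIT = "userinit.exe,__.bat"  # value quoted in this description
SAMPLE_INF = "[autorun]\nopen=wscript.exe __.vbs\nshell\\open\\command=wscript.exe __.vbs\n"

if __name__ == "__main__":
    live = read_live_userinit()
    for label, value in (("clean", CLEAN_USERINIT), ("page", PAGE_USERINIT), ("live", live)):
        if value is not None:
            print(label, extra_userinit_entries(value))
    print(autorun_launch_targets(SAMPLE_INF))
```

Any entry returned by `extra_userinit_entries` runs at every logon and should be traced to a file on disk. Because the worm marks its files hidden and system, list drive roots with those attributes shown when looking for the autorun.inf to feed to the parser.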